Stop Saying Stegosploit Is An Exploit

Security researcher Saumil Shah recently presented “Stegosploit” (slides available here). His presentation received a lot of attention on several hacker news sites, including Security AffairsHacker News, and Motherboard, reporting that users could be exploited simply by viewing a malicious image file in their web browser. If that were true, this would be terrifying.

“Just look at the image and you are HACKED!” – thehackernews

Here’s the thing. That is not what is happening with Stegosploit. Saumil Shah has created a “polyglot”. A polyglot is defined as “a person who knows and is able to use several languages,” but in the security world, the term can refer to a file that is a valid representation of two different data types. For example, you can concatenate a RAR file to the end of a JPG file. If you double click the JPG image, a photo pops up. If you then rename that JPG file to a .rar file, the appended RAR file will open. This is due to how the JPG and RAR file formats specify where the file begins. Stegosploit is using this same premise to embed JavaScript code inside of an image file, and obscure the JavaScript payload within pixel data.

This is still an interesting vector due to the difficulty of detection. It adds a layer of obfuscation, which relies on security through obscurity to avoid detection.

Embedding your code inside images requires a defensive product to not only process every packet, but also to inspect the individual artifacts extracted from the connection. Security through obscurity is widely considered ineffective. However, it is important to note that in order to identify even the most rudimentary steganography, you have to analyze every image file, which is computationally expensive, and increases the cost to defenders.

What is really interesting here is that Saumil Shah was actually rather forthcoming about this during his talk, clearly announcing that he was using a loader to deliver the payload, although that may not have been obvious to some of the observers. The exploit was delivered because the attacker sent malicious, obfuscated JavaScript to the browser. Stegosploit simply obfuscates an attack that could have been executed anyway. Just looking at an image will not exploit your web browser.



In the screenshot above, taken from the recording of the actual conference talk, Saumil is showing the audience the exploit “loader”. This is where a traditional JavaScript payload would be injected. The operative text in that screenshot is<script src=”elephant3.jpg”></script>, which takes a valid image file and interprets it as JavaScript. It simply injects the malicious code into a carrier signal so it looks innocuous. While it may seem like it is splitting hairs, it’s an extremely important distinction between “looking at this photo will exploit your machine”, and “this photo is camouflage that hides an exploit that has already occurred.”

All that being said, legitimate image exploits have been discovered in the past. Most notably, MS04-028 actually exploited the JPG processing library. In this case, loading an image into your browser would quite literally exploit your machine. This was tagged as a critical vulnerability, and promptly patched.

Stegosploit is an obfuscation technique to hide an exploit within images. It creates a JavaScript/image polyglot. Don’t worry, you can keep looking at captioned cat photos without fear.