Security researchers have disclosed a critical zero-day vulnerability in the OpenJPEG library's handling of the JPEG2000 image format. The flaw allows an attacker to execute code remotely on a vulnerable system.
The vulnerability was discovered by Cisco Talos researchers and assigned the identifier TALOS-2016-0193 / CVE-2016-8332. It allows an out-of-bounds heap write, which corrupts the heap and can ultimately lead to remote code execution.
OpenJPEG is an open-source JPEG2000 codec written in C, used for both encoding and decoding JPEG2000 images. JPEG2000 is widely used for embedding images in PDF files, and OpenJPEG is the JPEG2000 decoder behind PDF software such as PDFium, Poppler and MuPDF.
Attackers can exploit the vulnerability by tricking a victim into opening a specially crafted JPEG2000 image, or a PDF that embeds one, usually delivered as an email attachment. Because the bug is triggered when the image is decoded, the same malicious file can be sent to a large number of targets at once.
The malicious file can also be uploaded to a popular file-hosting service such as Dropbox or Google Drive, with the shared link then sent to the victim(s).
Once the victim opens the file on a vulnerable system, the attacker's code hidden behind the picture executes.
As Cisco explained, the flaw is caused “due to an error while parsing mcc records in the jpeg2000 file,… resulting in an erroneous read and write of adjacent heap area memory.” They continue: “Careful manipulation of heap layout can lead to further heap metadata process memory corruption ultimately leading to code execution under attacker control.”
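The advisory describes the general bug class well: a record count read from the file is trusted when indexing a heap buffer whose size was fixed earlier. The following C program is an added, constructed illustration of that class, not OpenJPEG's code and not the real mcc record layout; the record format, the `mcc_record_t` type and the sample bytes are all hypothetical. It shows the unchecked parser beside a hardened one that validates the declared count against the allocation before writing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record layout (constructed for this example, not OpenJPEG's):
 *   byte 0      : nb_entries
 *   bytes 1..   : nb_entries big-endian uint16 values
 */
typedef struct {
    uint16_t *entries;   /* heap buffer; capacity chosen from an earlier header field */
    size_t capacity;
    size_t count;
} mcc_record_t;

static int mcc_record_init(mcc_record_t *rec, size_t capacity)
{
    rec->entries = calloc(capacity, sizeof *rec->entries);
    if (!rec->entries) return -1;
    rec->capacity = capacity;
    rec->count = 0;
    return 0;
}

static void mcc_record_free(mcc_record_t *rec)
{
    free(rec->entries);
    rec->entries = NULL;
    rec->capacity = rec->count = 0;
}

/* Vulnerable pattern: the input length is checked, but the declared count is
 * never compared with rec->capacity, so a record declaring more entries than
 * the allocation holds writes past the end of the heap buffer. */
static int parse_mcc_unchecked(const uint8_t *buf, size_t len, mcc_record_t *rec)
{
    if (len < 1) return -1;
    size_t nb = buf[0];
    if (len < 1 + nb * 2) return -1;          /* truncated record */
    for (size_t i = 0; i < nb; i++)           /* out-of-bounds heap write when nb > capacity */
        rec->entries[i] = (uint16_t)((buf[1 + 2 * i] << 8) | buf[2 + 2 * i]);
    rec->count = nb;
    return 0;
}

/* Hardened: reject the record if the declared count exceeds the allocation,
 * before any write takes place. */
static int parse_mcc_checked(const uint8_t *buf, size_t len, mcc_record_t *rec)
{
    if (len < 1) return -1;
    size_t nb = buf[0];
    if (nb > rec->capacity) return -2;        /* declared count exceeds heap buffer */
    if (len < 1 + nb * 2) return -1;          /* truncated record */
    for (size_t i = 0; i < nb; i++)
        rec->entries[i] = (uint16_t)((buf[1 + 2 * i] << 8) | buf[2 + 2 * i]);
    rec->count = nb;
    return 0;
}

/* Constructed sample input: a valid record with two entries, 0x0010 and 0x0020. */
static const uint8_t GOOD_RECORD[] = { 2, 0x00, 0x10, 0x00, 0x20 };

/* Constructed crafted input: a record declaring 200 entries for a 4-entry buffer. */
static int crafted_record(uint8_t *out, size_t out_len)
{
    if (out_len < 1 + 200 * 2) return -1;
    out[0] = 200;
    memset(out + 1, 0x41, 200 * 2);
    return (int)(1 + 200 * 2);
}

/* Returns the second parsed entry of the valid record (0x20), or -1 on error. */
int demo_checked_accepts_valid(void)
{
    mcc_record_t rec;
    if (mcc_record_init(&rec, 4) != 0) return -1;
    int rc = parse_mcc_checked(GOOD_RECORD, sizeof GOOD_RECORD, &rec);
    int result = (rc == 0 && rec.count == 2) ? (int)rec.entries[1] : -1;
    mcc_record_free(&rec);
    return result;
}

/* Returns the hardened parser's error code for the crafted record (-2 expected). */
int demo_checked_rejects_oversized(void)
{
    uint8_t buf[1 + 200 * 2];
    int n = crafted_record(buf, sizeof buf);
    if (n < 0) return -1;
    mcc_record_t rec;
    if (mcc_record_init(&rec, 4) != 0) return -1;
    int rc = parse_mcc_checked(buf, (size_t)n, &rec);
    mcc_record_free(&rec);
    return rc;
}

int main(void)
{
    mcc_record_t rec;
    if (mcc_record_init(&rec, 4) != 0) return 1;
    /* Both parsers behave identically on well-formed input. */
    printf("unchecked parser on valid record: rc=%d\n",
           parse_mcc_unchecked(GOOD_RECORD, sizeof GOOD_RECORD, &rec));
    mcc_record_free(&rec);
    printf("checked parser, valid record, entry[1] = 0x%x\n", demo_checked_accepts_valid());
    printf("checked parser, crafted record, rc = %d\n", demo_checked_rejects_oversized());
    /* Feeding the crafted record to parse_mcc_unchecked() would write 392 bytes past
     * an 8-byte heap allocation; run that only under AddressSanitizer. */
    return 0;
}
```

The check that matters is the one against `rec->capacity`: validating the input length alone, as the unchecked parser does, guards against reading past the file buffer but does nothing for the output buffer, which is exactly the gap that turns a file-format bug into heap corruption.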
Talos reported the vulnerability to the OpenJPEG developers in July. OpenJPEG patched the flaw last week and shipped the fix in version 2.1.2. Software that bundles its own copy of OpenJPEG, including the PDF readers mentioned above, will need to update to a build that includes the fix.
The vulnerability has been assigned a CVSS score of 7.5, which places it in the high-severity range.