Wednesday, August 11, 2010

Embedded Script in Image Files Allows Arbitrary Code Execution

I ran a test today showing that most image files can lead to arbitrary code execution when a simple script is embedded in them. As shown below, a normal PNG image file (adiksinchan.png) has ujian.vbs, a Visual Basic Script file, appended to it. Once ujian.vbs has been appended to the end of the image file, rename the result to the .HTA file extension. After that, simply run the .HTA file and, as you can see (for the demo), the calculator runs without any problem.

The interesting part is that the PNG image file (or whatever image format) is still valid and can be viewed as normal if the user does not rename it to the .HTA extension. In the worst case, the whole script can be obfuscated to make it harder for antivirus software to detect, or at least so that the user can't see there is a script in it.

Most antivirus companies should update their heuristic detection to catch this as a future threat, but I guess this issue has been known to users for years, and it's not only image file formats that can do this. It could be any type of file format: just rename it to the .HTA extension to execute the embedded script.

It seems no antivirus detects it, according to the report I got from VirusTotal.
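One heuristic of the kind asked for above, as an added example that is not part of the original post: walk the PNG chunk list, return whatever bytes follow the IEND chunk, and flag script-like markers in that trailer. The marker list, function names and both sample files are assumptions constructed for this illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed marker list for illustration; extend it for your environment.
SCRIPT_MARKERS = (b"<script", b"<hta:application", b"vbscript:", b"javascript:")


def png_trailing_data(data: bytes) -> bytes:
    """Walk the PNG chunk list and return any bytes found after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return data[end:]
        pos = end
    raise ValueError("no IEND chunk found")


def scan_png(data: bytes) -> dict:
    """Report appended bytes and whether they look like script content."""
    trailer = png_trailing_data(data)
    lowered = trailer.lower()
    hits = [m.decode() for m in SCRIPT_MARKERS if m in lowered]
    return {"trailing_bytes": len(trailer), "markers": hits,
            "suspicious": bool(hits)}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk (length, type, body, CRC) for the samples."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed sample: a minimal 1x1 greyscale PNG built in memory.
CLEAN_PNG = (PNG_SIG
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _chunk(b"IEND", b""))
# Constructed sample: same image with an inert placeholder script block appended.
APPENDED = CLEAN_PNG + b'\r\n<SCRIPT language="VBScript">\' placeholder\r\n</SCRIPT>'

if __name__ == "__main__":
    print(scan_png(CLEAN_PNG))
    print(scan_png(APPENDED))
```

Any non-empty trailer is worth logging even without a marker hit, since an obfuscated or UTF-16 encoded script will not match these plain byte patterns.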