Mailing List Archive



Re: [tlug] Clamav reports a virus: Exploit.Gif.PHPembedded



What you've got there is a JPEG image with some PHP code in the
comment field. (In this case not very harmful in itself - I think this
is just intended as proof of concept or something:)
<?php system('ls -la'); ?>

Since it contains valid PHP code, and PHP just prints anything outside
the brackets, that PHP code will run on your system if you tell PHP to
execute the file.

One possible motivation behind making something like this is that you
may be able to upload images to a server where you wouldn't be able to
upload a regular PHP file. Having uploaded it, you can then use
another method to execute the code it contains.

For example, some insecurely written web applications will check if an
uploaded image file has the type it's supposed to have, by looking at
the contents of the file, then assume that if it's an image they don't
have to check anything else. But their web server decides how to
handle the file based on its extension, rather than its contents. So
someone could make a JPEG containing the commands they wanted to run
on your server, rename it "myexploit.php", upload it and hit its URL
with their browser, thus executing their code on the server.

On a related note, there was a really nasty exploit a while back with
IE where the browser would actually ignore the MIME type specified in
the headers the server sent for an image, and look at the contents of
the file itself to decide what to do with it. You could make a JPEG
file with JavaScript in the comment field, post the image to a
bulletin board and get that JavaScript run by the browser. This was
unpatched for quite a while IIRC - amazing it didn't do more damage
than it did.

Edmund Edgar
lists@example.com
http://www.socialminds.jp
http://www.edochan.com
http://www.linkedin.com/in/edmundedgar
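
An added example, not part of the original message: a Python sketch of an upload check that looks at both things the message says must agree, the extension the web server will dispatch on and the file contents, and that walks the JPEG header segments to report script text in a comment field. The function names, the extension allowlist, the marker strings and the sample bytes are assumptions constructed for illustration; only header segments are inspected, not scan data or bytes after the end-of-image marker.

```python
import os
import struct

ALLOWED_EXTENSIONS = {".jpg", ".jpeg"}   # assumption: the form accepts JPEG only
SCRIPT_MARKERS = (b"<?php", b"<script")  # assumption: strings worth flagging

def jpeg_segments(data):
    """Yield (marker, payload) for each header segment, stopping at SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # end of image, or start of compressed scan data
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def check_upload(filename, data):
    """Return a list of reasons to reject the upload (empty list means accept)."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:  # the server dispatches on this, so check it
        findings.append("extension %r not allowed" % ext)
    try:
        for marker, payload in jpeg_segments(data):
            for needle in SCRIPT_MARKERS:
                if needle in payload.lower():
                    findings.append("segment 0x%02X contains %s" % (marker, needle.decode()))
    except ValueError as exc:
        findings.append(str(exc))
    return findings

def _segment(marker, payload):
    """Build one JPEG segment for the constructed samples below."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: header-only JPEG skeletons, not renderable images.
_JFIF = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
EMBEDDED = b"\xff\xd8" + _JFIF + _segment(0xFE, b"<?php system('ls -la'); ?>") + b"\xff\xd9"
CLEAN = b"\xff\xd8" + _JFIF + _segment(0xFE, b"Created with GIMP") + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in [("photo.jpg", CLEAN), ("photo.jpg", EMBEDDED), ("myexploit.php", EMBEDDED)]:
        print(name, check_upload(name, blob) or "accepted")
```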

