A zero day flaw in OpenJPEG JPEG 2000 could lead arbitrary code execution

Cisco Talos Team disclosed a zero-day flaw affecting the JPEG 2000 image file format parser implemented in the OpenJPEG library.

Security experts at Cisco Talos group have discovered a serious vulnerability (TALOS-2016-0193/CVE-2016-8332) affecting the JPEG 2000 image file format parser implemented in OpenJPEG library. An attacker could exploit the flaw to trigger the heap corruption and execute arbitrary code on the target system.

“This particular vulnerability could allow an out-of-bound heap write to occur, resulting in heap corruption and lead to arbitrary code execution. Talos has disclosed this vulnerability responsibility to the library maintainers to ensure a patch is available.” states the security advisory published by Talos.

The experts successfully tested the JPEG 2000 image exploit on the OpenJpeg openjp2 2.1.1.

The security experts have has ethically reported the security flaw to the library maintainers to ensure a patch is available.

The flaw has a serious impact because the JPEG 2000 file format is commonly used for embedding images inside PDF documents.

In order to exploit the vulnerability, an attacker has to trick victims into opening a file containing a specifically crafted JPEG 2000 image that triggers the flaw.

A first attack scenario sees attackers sending an email to the targets, the malicious message will include a PDF document including a specifically crafted JPEG 2000 image, or in a hosted content scenario where a user downloads a file from Google Drive or Dropbox.

Attackers could also leverage on cloud storage like Google Drive or Dropbox where he hosts a specifically crafted JPEG 2000 image, then he will share the link to the picture.

Experts from Talos have also released Snort Rules (40314-40315) that could help experts in detecting attempts to exploit the flaw.

Cisco Talos group also announced that additional rules may be released at a future date informing users that current rules are subject to change pending additional vulnerability information.

Below the Timeline of the Vulnerability

• 2016-07-26 – Vendor Disclosure
• 2016-09-29 – Public Release

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – JPEG 2000, Zero-day)