Contact

Contact us

+49 241 510081-0
kontakt@redteam-pentesting.de
Contact form
RedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting Header

JPEG EXIF information disclosure

RedTeam likes to raise awareness of common Information Disclosure via JPEG EXIF thumbnail images in common image processing software.

Details

  • Product: Image processing software
  • Affected Version: various
  • Immune Version: unknown
  • OS affected: any
  • Security-Risk: Medium
  • Remote-Exploit: No
  • Advisory-URL: https://www.redteam-pentesting.de/advisories/rt-sa-2005-008
  • Advisory-Status: public
  • CVE: CAN-2005-0406 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0406)

Introduction

Images created by digital cameras and later cropped or otherwise modified by applications like Adobe Photoshop often contain an unmodified Version of the Image in the embedded thumbnail image. This can result in information disclosure.

More Details

Digital cameras but also other device embed mini versions (“thumbnails”) of the original image in a JPEG image file. Among others one reason is that while flipping through images on the cameras small display the camera does not need to decode and scale the full megapixel picture. The standard to save this thumbnail and other information within a JPEG file is called EXIF. The EXIF standard states that image processing software should leave EXIF headers it doesn’t understand alone.

This means that if an image from a digital camera is edited, e.g. by making a face unrecognizable, and than the modified version is published, chances are that the thumbnail still contains the unmodified version with the unobstructed face. There might be situations where also disclosure of other information in the EXIF header, like the date and time the picture was taken or the model of the camera used, is problematic.

We found that of the JPEG images on the Internet 20 % have a embedded EXIF Thumbnail and about 2% have a thumbnail which our screening software considered significantly different from the original image. After human screening 0.1% can be considered to have thumbnails which are more than just boring cropping differences.

Proof of Concept

See http://blogs.23.nu/disLEXia/stories/5751/ for some example images. See http://md.hudora.de/presentations/#hiddendata-21c3 for code to find “interesting” images automatically.

Workaround

There is specialized software available for removing EXIF information. Use it.

Fix

Image processing software should either update or remove the EXIF thumbnail.

Security Risk

Our research indicates that around 0.001% of all images contain seriously harmful information in the EXIF thumbnail.

History

  • 2003-07-xx tech.tv moderator incident - private parts in the thumbnail
  • 2004-07-xx Maximillian Dornseif gets aware of this incident, discuss it at Defcon 12
  • 2004-10-xx Steven J. Murdoch (The University of Cambridge, Security Group) creates exif_thumb to automatically screen image. We learn that the problem is quite widespread and not a random software glitch.
  • 2004-12-28 Dornseif & Murdoch present the results form a large scale survey of images on the internet at the 21. Chaos Communication Congress
  • 2005-02-12 CVE number requested
  • 2005-02-14 posted to the public as CAN-2005-0406
  • 2009-05-08 Updated Advisory URL

RedTeam

RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University. You can find more information on the RedTeam Project at https://www.redteam-pentesting.de