Security experts at Trustwave observed threat actors using a rare
The Exchangeable image file format is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras.
According to ThreatPost that first reported the news, attackers could exploit the
Karl Sigler, a security research manager at Trustwave SpiderLabs, confirmed that the attack works also works on fully patched websites. He explained that attackers leverage PHP function to parse EXIF data of images. The good news for attackers is that the function that allows parsing the EXIF- headers is usually pre-installed in several website tools and plugins.
The attacker only needs to upload a specially crafted image on the target site and trigger the hidden code in the EXIF headers.
“It’s likely that a website offers the ability to upload images and also has an existing PHP file that allows the site to parse out the EXIF data,” Sigler explained. “In that situation, it would be a matter of uploading the malicious image and triggering the hidden PHP code in the EXIF by using the existing PHP file that the website uses to read that EXIF data. It’s simply a matter of finding a website with one that allows the attacker to point it at their malicious uploaded data.”
“However, if you do have everything patched and there’s no low-hanging fruit for the attacker in terms of compromising a site, this is a little more advanced of a technique that can get you in.”
Experts suggest to scan for PHP tags in image files and disabling image uploads if they are not necessary.
(SecurityAffairs – steganography technique, GDPR)