Advisory: JPEG EXIF information disclosure

The Laboratory for Dependable Distributed Systems at RWTH Aachen University would like to raise awareness of a common information disclosure via JPEG EXIF thumbnail images in widely used image processing software.

Details
=======

Product: Image processing software
Affected Version: various
Immune Version: unknown
OS affected: any
Security-Risk: Medium
Remote-Exploit: No
Advisory-URL: http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-008
Advisory-Status: public
CVE: CAN-2005-0406

Introduction
============

Images created by digital cameras and later cropped or otherwise modified by applications like Adobe Photoshop often still contain an unmodified version of the image in the embedded thumbnail. This can result in information disclosure.

More Details
============

Digital cameras, but also other devices, embed miniature versions ("thumbnails") of the original image in a JPEG image file. One reason, among others, is that while the user flips through images on the camera's small display the camera does not need to decode and scale the full megapixel picture. The standard that defines how this thumbnail and other information is stored within a JPEG file is called EXIF. The EXIF standard states that image processing software should leave EXIF data it does not understand alone. This means that if an image from a digital camera is edited, e.g. by making a face unrecognizable, and the modified version is then published, chances are that the thumbnail still contains the unmodified version with the unobstructed face.

There are also situations in which disclosure of other information in the EXIF header, like the date and time the picture was taken or the model of the camera used, is problematic.
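The following script is an added example and is not part of the advisory or of the exif_thumb tool it mentions. It shows, with the Python standard library only, where the thumbnail described above actually lives: in the APP1 "Exif" segment of the JPEG, which carries a TIFF structure whose first image file directory (IFD0) holds tags such as Make (0x010F) and DateTime (0x0132) and whose second (IFD1) points at the embedded thumbnail through the JPEGInterchangeFormat (0x0201) and JPEGInterchangeFormatLength (0x0202) tags. It extracts the thumbnail and the IFD0 strings, and removes the Exif segment while leaving other segments (here a constructed XMP APP1 segment) intact, which is what the Workaround section's "specialized software" does. The sample file is constructed in `build_sample_jpeg` and is only structurally a JPEG, not a viewable picture; the function names and the "ACME Cam" values are assumptions of this example.

```python
import struct

SOS, EOI, APP1 = 0xDA, 0xD9, 0xE1
EXIF_ID = b"Exif\x00\x00"
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}   # IFD0, ASCII type
THUMB_OFFSET, THUMB_LENGTH = 0x0201, 0x0202   # IFD1 JPEGInterchangeFormat(Length)


def iter_segments(data):
    """Yield (marker, start, end) for each segment after SOI; SOS to EOF is one range."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:                 # entropy-coded data follows; no metadata lives there
            yield marker, pos, len(data)
            return
        if marker == EOI:
            yield marker, pos, pos + 2
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # counts itself, not the marker
        end = pos + 2 + seglen
        if seglen < 2 or end > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, pos, end
        pos = end


def _is_exif(data, marker, start):
    return marker == APP1 and data[start + 4:start + 10] == EXIF_ID


def parse_exif_tiff(tiff):
    """Return (IFD0 ASCII tags, IFD1 thumbnail bytes or None) from an Exif TIFF block.
    Offsets are relative to the TIFF header and come from an untrusted file, so every read is bounds-checked."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0_off = struct.unpack(order + "HI", tiff[2:8])
    if magic != 0x2A:
        raise ValueError("bad TIFF magic")

    def read_ifd(off):
        if off + 2 > len(tiff):
            raise ValueError("IFD offset out of range")
        (n,) = struct.unpack(order + "H", tiff[off:off + 2])
        if off + 2 + 12 * n + 4 > len(tiff):
            raise ValueError("IFD runs past end of TIFF data")
        entries = {}
        for i in range(n):
            p = off + 2 + 12 * i
            tag, typ, count, raw = struct.unpack(order + "HHI4s", tiff[p:p + 12])
            entries[tag] = (typ, count, raw)
        (nxt,) = struct.unpack(order + "I", tiff[off + 2 + 12 * n:off + 6 + 12 * n])
        return entries, nxt

    def uint(typ, raw):       # SHORT uses the first 2 inline bytes, LONG all 4
        return struct.unpack(order + "H", raw[:2])[0] if typ == 3 else struct.unpack(order + "I", raw)[0]

    def ascii_val(count, raw):   # up to 4 bytes are stored inline, longer values at an offset
        off = 0 if count <= 4 else struct.unpack(order + "I", raw)[0]
        buf = raw[:count] if count <= 4 else tiff[off:off + count]
        if len(buf) != count:
            raise ValueError("ASCII value out of range")
        return buf.rstrip(b"\x00").decode("ascii", "replace")

    ifd0, ifd1_off = read_ifd(ifd0_off)
    tags = {TAG_NAMES[t]: ascii_val(c, r) for t, (typ, c, r) in ifd0.items() if t in TAG_NAMES and typ == 2}
    thumb = None
    if ifd1_off:
        ifd1, _ = read_ifd(ifd1_off)
        if THUMB_OFFSET in ifd1 and THUMB_LENGTH in ifd1:
            toff = uint(ifd1[THUMB_OFFSET][0], ifd1[THUMB_OFFSET][2])
            tlen = uint(ifd1[THUMB_LENGTH][0], ifd1[THUMB_LENGTH][2])
            if toff + tlen > len(tiff):
                raise ValueError("thumbnail pointer out of range")
            thumb = tiff[toff:toff + tlen]
    return tags, thumb


def exif_thumbnail(data):
    """(IFD0 tags, thumbnail) of a JPEG file, or ({}, None) when it carries no Exif segment."""
    for marker, start, end in iter_segments(data):
        if _is_exif(data, marker, start):
            return parse_exif_tiff(data[start + 10:end])
    return {}, None


def strip_exif(data):
    """Copy of the JPEG with the APP1 Exif segment (and so the thumbnail) removed."""
    out = bytearray(data[:2])
    for marker, start, end in iter_segments(data):
        if not _is_exif(data, marker, start):
            out += data[start:end]
    return bytes(out)


def build_sample_jpeg(order=">"):
    """Constructed input (not a real camera file, not viewable): Exif with Make and DateTime
    in IFD0 and a thumbnail in IFD1, an XMP APP1 segment, and a stub scan. order selects MM/II."""
    text = b"unredacted thumbnail"
    thumb = b"\xff\xd8\xff\xfe" + struct.pack(">H", len(text) + 2) + text + b"\xff\xd9"
    make, stamp = b"ACME Cam\x00", b"2004:12:28 10:00:00\x00"
    make_off = 8 + 30                      # IFD0 at offset 8 occupies 2 + 2*12 + 4 bytes
    stamp_off = make_off + len(make)
    ifd1_off = stamp_off + len(stamp)
    thumb_off = ifd1_off + 30
    entry = lambda tag, typ, n, val: struct.pack(order + "HHII", tag, typ, n, val)
    ifd0 = (struct.pack(order + "H", 2) + entry(0x010F, 2, len(make), make_off)
            + entry(0x0132, 2, len(stamp), stamp_off) + struct.pack(order + "I", ifd1_off))
    ifd1 = (struct.pack(order + "H", 2) + entry(THUMB_OFFSET, 4, 1, thumb_off)
            + entry(THUMB_LENGTH, 4, 1, len(thumb)) + struct.pack(order + "I", 0))
    bom = b"MM" if order == ">" else b"II"
    tiff = bom + struct.pack(order + "HI", 0x2A, 8) + ifd0 + make + stamp + ifd1 + thumb
    exif = b"\xff\xe1" + struct.pack(">H", len(EXIF_ID) + len(tiff) + 2) + EXIF_ID + tiff
    xmp = b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>"
    xmp_seg = b"\xff\xe1" + struct.pack(">H", len(xmp) + 2) + xmp
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + exif + xmp_seg + sos + b"\x12\x34\x56\xff\xd9"
```

Running `exif_thumbnail(build_sample_jpeg())` returns the Make and DateTime strings and a thumbnail that begins with its own SOI marker; `strip_exif` on the same input returns a file with no Exif segment but with the XMP segment and scan data untouched. Two caveats a practitioner will care about: dropping the whole Exif segment also discards every other camera tag in it (the Fix section's "update the thumbnail" option means rewriting IFD1 instead, which this example does not do), and deciding whether a thumbnail is "significantly different" from the published image, as the advisory's screening software did, requires decoding both images, which is outside the scope of this metadata-level script.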
We found that of the JPEG images on the Internet about 20% have an embedded EXIF thumbnail, and about 2% have a thumbnail which our screening software considered significantly different from the main image. After human screening, 0.1% can be considered to have thumbnails whose differences are more than just uninteresting cropping.

If you have more information on this issue we are eager to hear from you - contact dornseif@informatik.rwth-aachen.de.

Proof of Concept
================

See http://blogs.23.nu/disLEXia/stories/5751/ for some example images.

See http://md.hudora.de/presentations/#hiddendata-21c3 for code to find "interesting" images automatically.

Workaround
==========

There is specialized software available for removing EXIF information. Use it.

Fix
===

Image processing software should either update or remove the EXIF thumbnail when the image is modified.

Security Risk
=============

Our research indicates that around 0.001% of all images contain seriously harmful information in the EXIF thumbnail.

History
=======

2003-07-xx tech.tv moderator incident - private parts in the thumbnail
2004-07-xx Maximillian Dornseif becomes aware of this incident and discusses it at Defcon 12
2004-10-xx Steven J. Murdoch creates exif_thumb to automatically screen images. We learn that the problem is quite widespread and not a random software glitch.
2004-12-28 Dornseif & Murdoch present the results of a large-scale survey of images on the Internet at the 21st Chaos Communication Congress
2005-02-12 CVE number requested
2005-02-14 posted to the public as CAN-2005-0406

RedTeam
=======

RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH Aachen University.
You can find more information on the RedTeam project at http://tsyklon.informatik.rwth-aachen.de/redteam/

-- 
Laboratory for Dependable Distributed Systems, RWTH Aachen University
Get news of the lab at http://mail-i4.informatik.rwth-aachen.de/mailman/listinfo/lufgtalk