Why Stegosploit Isn’t An Exploit

Edit: I screwed up. The “false claims” I’m attacking in this piece are about a new (unreleased) version of Stegosploit, which I wasn’t aware of. I’ll leave this article as it is and post a new one soon. Sorry for not researching this well enough, and thanks for understanding my mistake.

Security researcher Saumil Shah from Net Square recently announced a JavaScript obfuscation tool, Stegosploit, which he immediately tried to spin as an image-only arbitrary code execution exploit for the browser. While this isn’t actually possible, it would’ve meant that any website that hosted raw user-uploaded images would be vulnerable to a persistent XSS attack.

Regardless of the facts, Shah continues to ride the alarmist media hype train by endorsing scary articles full of blatantly false claims. Here are a few:

“I don’t need to host a blog, I don’t need to host a website at all. I don’t even need to register a domain, I can take an image, upload it somewhere and if I just point you toward that image, and you load this image in a browser, it will detonate.”
— Saumil Shah, Net Square
“All he needs to hack someone is an image file, nothing more.”
— Lorenzo Franceschi-Biccierai, Motherboard (VICE)
“… Virtually any picture you view on the web, even without clicking on it or downloading it, could potentially contain malware. Upon viewing the image, the hidden program would automatically load on your computer or mobile device without your consent.”
— Cammy Harbison, iDigitalTimes
“Internet users … could be infected by viewing a picture on any website, even without clicking on it or downloading it.”
— Pierluigi Paganini, Security Affairs

In reality, Stegosploit is a four-step process on the target browser:

  1. The browser downloads a harmless PNG image.
  2. The browser evaluates JavaScript hidden in a tEXt chunk.
  3. The evaluated JavaScript decodes JavaScript hidden in a tRNS chunk.
  4. The browser evaluates the previously decoded JavaScript. It’s important to know that the decoded JavaScript could be anything: the unrelated Windows vulnerability we saw in the in the demo has absolutely nothing to do with Stegosploit, Shah, or Net Square.

You have to use a <script> tag to evaluate JavaScript; how does Stegosploit trick the browser into treating the <img> tag as a <script> tag in step two?

It doesn’t. While the proof-of-concept code hasn’t been officially released, it was visible for a few seconds during the Stegosploit demo at SyScan 2015:

Take a close look at the <script> tag on line eight. Disregard everything else.

Stegosploit depends on directing the target browser to a malicious website so that JavaScript can be executed with a <script> tag. This isn’t an image-only exploit, it’s just obfuscation via steganography.

If you have a <script> tag you can already do arbitrary code execution; the only thing that Stegosploit provides is weak obfuscation. Every other claim has been sensationalism and stunt hacking — especially with articles like “How You Can Get Hacked Just by Looking at a Picture Online”.

It’s not a bad idea to obfuscate your code with steganography if you have something trivial to hide, but it’s intellectually dishonest to pretend that Stegosploit is anything more than a thin layer of security through obscurity.

The future of active attacks may combine steganography, obfuscation, and even cryptography, but there’s no reason to believe that Stegosploit is dangerous or that it has the capacity to do any real damage in the wild.

Follow me on Twitter if you didn’t hate reading this. ☺