The Google CVR command has uncovered a vulnerability in the Kakadu image library used for processing JPEG 2000 files. This vulnerability enables remote access to the system and allows attackers to execute arbitrary code on the server without needing access to the source code or environment.
JPEG 2000 is a widely used image compression standard, with Kakadu being a prominent library for its functionality. The CVR team identified multiple vulnerabilities in the image processing mechanisms of the library. Exploiting these vulnerabilities is challenging due to the unknown execution environment, rendering traditional attack preparation methods ineffective. However, researchers developed the “Conditional Corruption” technique to manipulate images and create conditions for successful attacks.
One of the vulnerabilities of the Kakadu library allows for reading arbitrary files on the server. Attackers can exploit the data fragmentation in JPEG 2000 to replace fragments with content from local files, potentially accessing sensitive information such as memory card files and process environment. Another vulnerability involves data being written outside the designated memory area (Heap Overflow) due to errors in number multiplication within the library’s code.
The complexities of these vulnerabilities are exacerbated in distributed environments where repeated requests may not be processed by the same server. To address this challenge, the CVR team leveraged unique characteristics of the Kakadu library to identify servers utilizing it and execute more precise attacks.
Furthermore, CVR developed a method to bypass standard protection techniques like Address Space Layout Randomization (ASLR), which obfuscates memory addresses used during code execution. By dynamically reading memory content and adjusting subsequent attack actions accordingly, CVR could overcome ASLR protections.
This research underscores the significant threat posed by seemingly minor vulnerabilities in widely used libraries. Users of the Kakadu library are strongly advised to update to the latest version to mitigate potential attacks leveraging these identified vulnerabilities.