Hacker Read

djsumdog · 2020-11-27 18:18:15+00:00

That's just for images. There could still be exploits in the HTML itself executing locally.

lucb1e | karma 17323 | avg karma 2.26 · | 2023-09-22 17:26:15

Without knowing more, that's a bit of an assumption. The vulnerability could be in image decoding, in which case an <img> tag is enough and no scripting is needed, but it could also very well require doing something funky with JavaScript.

trashburger | karma 1069 | avg karma 4.86 · | 2024-02-07 11:57:48

Have you looked at how it's implemented? The image decoder is completely separate from the main browser and is in a sandboxed process (with restricted syscall and filesystem access). If the image decoder is exploited, there's nothing the attacker can do.

tptacek | karma 394296 | avg karma 6.04 · | 2012-04-12 10:48:04

Not if the HTML hosting any of the JS is under attacker control.

luchs | karma 187 | avg karma 2.37 · | 2012-07-06 20:35:58+00:00

>I think a similar exploit was used recently with .svg images - they can contain javascript (being XML) which will be executed by the browser. Not sure about the details however.

However, the JavaScript shouldn't execute if the image is embedded via <img>.

reply

meowface | karma 10977 | avg karma 2.45 · | 2014-03-16 22:05:55

It's extremely unlikely. The chances of finding a RCE exploit that can be triggered without any Javascript are much lower.

It's not unheard of, of course. A bug in the CSS, HTML, or image parsing/rendering libraries can be exploited in this way.

reply

chris_wot | karma 14762 | avg karma 1.71 · | 2019-05-01 20:50:05+00:00

As opposed to the denial of service style bugs like an empty src element in an img tag?

jbri | karma 1487 | avg karma 4.07 · | 2011-01-17 14:51:51

Yes, but the attacker can not get the browser to silently fetch the page (regardless of whether Javascript is disabled) just by sticking, say, an <img> tag somewhere.

Osiris | karma 10774 | avg karma 4.5 · | 2012-06-11 23:29:37+00:00

You may be minimizing the attack surface, but just because a web browser only supports HTML and CSS doesn't mean it couldn't contain exploits.

It's possible that the HTML parser or image rendering library has a bug and that malformed HTML could cause a vulnerability in the browser. Granted, I believe it would be significantly easier to harden parsers and graphic rendering, but it's already been shown that certain image rendering libraries have been exploited[1].

[1] Example: http://technet.microsoft.com/en-us/security/bulletin/ms08-02...

reply

thamer | karma 2808 | avg karma 5.42 · | 2009-08-26 18:43:20+00:00

No, the exploit is only for applications capable of interpreting JavaScript, such as web browsers.

diyseguy | karma 278 | avg karma 1.22 · | 2018-01-04 02:44:54+00:00

I thought it was supposed to be exploitable by javascript? If you can get to the machine and run c code, well, that doesn't seem like an exploit?

refrigerator | karma 2261 | avg karma 4.81 · | 2014-02-08 17:40:29

since it's client side, it's physically impossible to completely prevent cheating :( using images instead of text and changing element id's and things would certainly make it harder to hack though!

vvillena | karma 1362 | avg karma 2.74 · | 2018-11-18 11:52:22

There are exploits written in Javascript that run on a browser.

tibu | karma 155 | avg karma 1.08 · | 2018-01-10 19:58:31+00:00

As far I remember JS exploit is possible. That's why Mozilla patched Firefox already.

nodata | karma 6208 | avg karma 2.31 · | 2011-08-18 02:10:45

Also: clean HTML enables hackability.

marshray | karma 11502 | avg karma 2.51 · | 2011-08-28 21:19:02

The clients don't need to be hacked, they simply run code as instructed by the server using standard, documented interfaces. Once the server is compromised, or any other party that can serve non-image content into the page origin, it's game over.

userbinator | karma 78987 | avg karma 4.37 · | 2014-11-13 00:51:24+00:00

Indeed this is one of the most verbose and rambling exploit descriptions I've seen... apparently you can inject some script/HTML code into a field in your profile, but I don't see how that could lead to this:

but can also remotly execute arbitrary codes to access local web-server files or configs

reply

jnordwick | karma 2641 | avg karma 1.97 · | 2018-01-12 15:07:31+00:00

Where? We've been told it is possible, but I have yet to see a JavaScript exploit that wasn't basically a canned demo.

ecaradec | karma 1260 | avg karma 4.24 · | 2011-04-20 07:23:15+00:00

It's also vulnerable to html injection... by design

saagarjha | karma 56017 | avg karma 2.29 · | 2018-09-17 18:33:06

It was a proof of concept; something like a thousand divs overflowing a buffer or something like that. I haven't seen anyone write an exploit for it.