lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 14 Oct 2004 08:09:54 -0500
From: "Todd Towles" <toddtowles@...okshires.com>
To: "Andrey Bayora" <andrey@...denbit.org>, <full-disclosure@...ts.netsys.com>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: Bypass of Antivirus software with GDI+ bug exploit Mutations


TrendMicro sees it as a MS04-028 exploit 

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> Andrey Bayora
> Sent: Thursday, October 14, 2004 2:46 AM
> To: full-disclosure@...ts.netsys.com
> Cc: bugtraq@...urityfocus.com
> Subject: [Full-Disclosure] Bypass of Antivirus software with 
> GDI+ bug exploit Mutations
> 
> Bypass of Antivirus software with GDI+ bug exploit Mutations.
> 
> HiddenBit.org Security Advisory.
> 
> Date: October 14, 2004
> 
> Author: Andrey Bayora
> 
> 
> BACKGROUND
> 
> While performing research paper for SANS GCIH practice I have 
> found this issue and it seems to me enough critical to warn 
> readers about this.
> 
> DESCRIPTION
> 
> Most Antivirus software can't detect Mutations of GDI+ exploit.
> 
> ANALYSIS
> 
> 1) Most Antivirus vendors issues virus definitions for known 
> exploit code [1] witch uses \xFF\xFE\x00\x01 string for 
> buffer overflow.
> >From the Snort rule [2] you can learn that there are 7 more variants
> to produce this buffer overflow in GDI+.
> 
> So, by changing \xFE to one of this - \xE1, \xE2, \xED  
> and\or by changing \x01 to \x00 this exploit will be 
> UNDETECTED by many antiviruses (list attached).
> 
> 2) While original exploit code use buffer overflow string 
> near the BEGINNING of the image file (after \xFF\xE0 , 
> \xFF\xEC and \xFF\xEE markers), I was able to create image 
> with buffer overflow string at the MIDDLE of the file.
> 
> 3) By combining various strings from methods described under 
> 1) and 2) and by placing them in different locations in the 
> image file I was able to bypass various antivirus products.
> 
> 
> FIX
> 
> 1) Patch vulnerable systems.
> 2) If your antivirus didn't detect these variants - block 
> JPEG (xFFD8).
> 
> 
> DEMO
> 
> http://www.hiddenbit.org/demo_files/jpeg.zip
> 
> 1) In the 1.jpg file the \xFE string was substituted to \xE1.
>                   WARNING ! THIS IS COMPILED PROOF OF CONCEPT
>                            FROM [1] THAT WILL CONNECT BACK TO
>                            VULNERABLE MACHINE TO 127.0.0.1 AT
>                            PORT 777 ( run: nc -l -p 777 ).
> 2) In the 2.jpg the buffer overflow string at offset x22F0 
> (string that begins with \xFF\xED).
>                   THIS IS JUST AN IMAGE WITH BUFFER OVERFLOW.
> 3) This is results from [3] :
> For 1.jpg
> 
> Results of a file scan
> This is the report of the scanning done over "1.jpg" (see 
> Demo section) file that VirusTotal processed on 10/13/2004 at 
> 18:54:56.
> Antivirus Version Update Result
> BitDefender 7.0                10.12.2004 -
> ClamWin devel-20040922         10.12.2004 -
> eTrust-Iris 7.1.194.0          10.13.2004 -
> F-Prot 3.15b                   10.13.2004 -
> Kaspersky 4.0.2.24             10.13.2004 -
> McAfee 4398                    10.13.2004 Exploit-MS04-028
> NOD32v2 1.893                  10.13.2004 -
> Norman 5.70.10                 10.12.2004 -
> Panda 7.02.00                  10.13.2004 -
> Sybari 7.5.1314                10.13.2004 -
> Symantec 8.0                   10.12.2004 Backdoor.Roxe
> TrendMicro 7.000               10.12.2004 Exploit-MS04-028
> 
> For 2.jpg
> 
> Results of a file scan
> This is the report of the scanning done over "2.jpg" file 
> that VirusTotal processed on 10/13/2004 at 18:56:32.
> Antivirus Version Update Result
> BitDefender 7.0            10.12.2004 -
> ClamWin devel-20040922     10.12.2004 -
> eTrust-Iris 7.1.194.0      10.13.2004 -
> F-Prot 3.15b               10.13.2004 -
> Kaspersky 4.0.2.24         10.13.2004 -
> McAfee 4398                10.13.2004 Exploit-MS04-028
> NOD32v2 1.893              10.13.2004 -
> Norman 5.70.10             10.12.2004 -
> Panda 7.02.00              10.13.2004 -
> Sybari 7.5.1314            10.13.2004 -
> Symantec 8.0               10.12.2004 Bloodhound.Exploit.13
> TrendMicro 7.000           10.12.2004 Exploit-MS04-028
> 
> 
> Only "The BIG 3" was able to detect those variants.
> 
> More complete research will be published in my SANS GCIH paper.
> 
> 
> Reference :
> 
> [1] www.k-otik.com
> [2] http://www.snort.org/snort-db/sid.html?sid=2705
> [3] www.virustotal.com
> 
> 
> 
> **********************************************************
> HiddenBit.org is non-profit Israel security research team.
> 
> 
> 
> --------------------------------------------------------------
> Disclaimer
> 
> The information within this advisory may change without 
> notice. There are no warranties, implied or express, with 
> regard to this information.
> In no event shall the author be liable for any direct or 
> indirect damages whatever arising out or in connection with 
> the use or spread of this information. Any use of this 
> information is at the user's own risk.
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ