lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: GEisenhaur at Cisco.com (Gerry Eisenhaur)
Subject: FW: JPEG AV Detection

After looking in to what the AV companies base their signature on, it 
appears that they use the \xff\xfe\x00\x00 or \xff\xfe\x00\x01 string in 
the vulnerable JPEG. If you change the size to a valid size, the AV is 
not triggered.

I know there is some talk about other sections being vulnerable to 
overflow as well, I have not look into this yet so I can not be sure. If 
it is true, I wonder if the AV companies are aware/detect the possible 
new exploits.

Anyone else have any input?

/gerry

Todd Towles wrote:
>  What exactly are the AV products detecting in the JPEG exploits? Barry
> and I was talking about how impressed we were that the AV companies
> jumped on this one and detection was pretty fast. But is the detection
> so generic that a variant will bypass? Is the detection based on a
> original exploit that could be modified in a way that makes it
> "undetectable" right now?
> 
> -Todd
> 
> -----Original Message-----
> From: Barry Fitzgerald [mailto:bkfsec@....lonestar.org] 
> Sent: Tuesday, September 28, 2004 1:55 PM
> To: Todd Towles
> Subject: Re: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1933 -
> 20 msgs
> 
> Todd Towles wrote:
> 
> 
>>Yep, really surprised. Just hopefully the invalid data that is being 
>>detected can't be changed or worked in a work that would bypass normal 
>>detection. Once the file is renamed to a BMP or a GIF, you confuse the 
>>whole thing even more.
>>
>>Are the AV products hitting on a part of the original exploit? Can this
> 
> 
>>part be changed in a future version to make it "undetectable". I am 
>>very impressed at the work of the AV companines on this one, but I also
> 
> 
>>know that is this detection is too simple, that it will be bypassed.
>>
>> 
>>
> 
> I'm not sure what they're specifically detecting.  This may be a good
> question for the list.
> 
>              -Barry
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

-- 
Gerald Eisenhaur
Cisco Systems, Inc.
1414 Massachusetts Ave.
Boxborough, Massachusetts 01719
voice:	978.936.0465
geisenhaur@...co.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ