From: Bojan.Zdrnja at LSS.hr (Bojan Zdrnja)
Subject: JPEG AV Detection

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> Todd Towles
> Sent: Wednesday, 29 September 2004 7:26 a.m.
> To: Mailing List - Full-Disclosure
> Subject: FW: [Full-Disclosure] JPEG AV Detection
>
> What exactly are the AV products detecting in the JPEG exploits? Barry
> and I were talking about how impressed we were that the AV companies
> jumped on this one and detection was pretty fast. But is the detection
> so generic that a variant will bypass? Is the detection based on an
> original exploit that could be modified in a way that makes it
> "undetectable" right now?

If they are any decent then they'll check for incorrect values in comment size fields. It's very easy to detect it since value has to be 0 or 1 in order to exploit the vulnerability.

A little problem is that comment size field can be in any section of the JPEG, not just at the beginning (as in the original exploit), but I supposed that AV vendors caught this.

Cheers,

Bojan
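
The check described in this message, as an added example that is not part of the original post or any AV vendor's code: walk every JPEG segment and flag a comment (COM, `FF FE`) segment whose 2-byte length field is 0 or 1, wherever in the file it appears. The function name and the sample byte strings are constructed for illustration.

```python
import struct

COM = 0xFE  # comment marker (FF FE)
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
NO_LENGTH = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))

def find_bad_comment_lengths(data: bytes):
    """Return [(offset, length)] for each COM segment whose length is < 2."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    hits, i, n = [], 2, len(data)
    while i + 1 < n:
        if data[i] != 0xFF:
            i += 1                      # scan data or padding: resync on next FF
            continue
        marker = data[i + 1]
        if marker in (0x00, 0xFF):      # stuffed byte or fill byte, not a marker
            i += 1
            continue
        if marker in NO_LENGTH:
            i += 2
            continue
        if i + 4 > n:
            break                       # truncated length field
        (length,) = struct.unpack(">H", data[i + 2:i + 4])
        if marker == COM and length < 2:
            hits.append((i, length))
        # The length counts its own two bytes, so values below 2 are invalid.
        # Step over at least the length field instead of trusting a bad value.
        i += 2 + max(length, 2)
    return hits

# Constructed sample inputs (minimal byte strings, not real image files).
CLEAN = b"\xff\xd8" + b"\xff\xfe\x00\x07hello" + b"\xff\xd9"
BAD_AT_START = b"\xff\xd8" + b"\xff\xfe\x00\x00" + b"\xff\xd9"
# Bad comment placed after an APP0 segment and scan data, not at the start.
BAD_AFTER_SCAN = (b"\xff\xd8" + b"\xff\xe0\x00\x04JF" + b"\xff\xda\x00\x02"
                  + b"\x12\xff\x00\x34" + b"\xff\xfe\x00\x01" + b"\xff\xd9")

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN), ("bad at start", BAD_AT_START),
                         ("bad after scan", BAD_AFTER_SCAN)]:
        print(name, find_bad_comment_lengths(sample))
```

Because the walker follows segment lengths and resynchronises inside scan data, it reports the malformed comment in the third sample even though it is not the first segment, which is the case the message raises.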