lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: Bojan.Zdrnja at LSS.hr (Bojan Zdrnja)
Subject: JPEG AV Detection

 

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> Todd Towles
> Sent: Wednesday, 29 September 2004 7:26 a.m.
> To: Mailing List - Full-Disclosure
> Subject: FW: [Full-Disclosure] JPEG AV Detection
> 
>  What exactly are the AV products detecting in the JPEG exploits? Barry
> and I was talking about how impressed we were that the AV companies
> jumped on this one and detection was pretty fast. But is the detection
> so generic that a variant will bypass? Is the detection based on a
> original exploit that could be modified in a way that makes it
> "undetectable" right now?

If they are any decent then they'll check for incorrect values in comment
size fields. It's very easy to detect it since value has to be 0 or 1 in
order to exploit the vulnerability.
A little problem is that comment size field can be in any section of the
JPEG, not just at the beginning (as in the original exploit), but I supposed
that AV vendors caught this.

Cheers,

Bojan


Powered by blists - more mailing lists