Message-ID: <9E97F0997FB84D42B221B9FB203EFA27171D76@dc1ms2.msad.brookshires.net>
From: toddtowles at brookshires.com (Todd Towles)
Subject: Bypass of Antivirus software with GDI+ bug exploit Mutations

Yep, sorry about that. Sophos isn't on VirusTotal's list... anyone running
it?

> -----Original Message-----
> From: Cassidy Macfarlane [mailto:cmacfarlane@...mmond-Miller.co.uk] 
> Sent: Thursday, October 14, 2004 10:42 AM
> To: Todd Towles; Andrey Bayora; full-disclosure@...ts.netsys.com
> Cc: bugtraq@...urityfocus.com
> Subject: RE: [Full-Disclosure] Bypass of Antivirus software 
> with GDI+ bug exploit Mutations
> 
> Symantec Enterprise 8.1:
> 
> Your attachment "JPEG.zip" contained viruses:
>          "Backdoor.Roxe" at location "1.jpg", 
>          and "Bloodhound.Exploit.13" at location "2.jpg".
> 
> -----Original Message-----
> From: Todd Towles [mailto:toddtowles@...okshires.com]
> Sent: 14 October 2004 14:10
> To: Andrey Bayora; full-disclosure@...ts.netsys.com
> Cc: bugtraq@...urityfocus.com
> Subject: RE: [Full-Disclosure] Bypass of Antivirus software 
> with GDI+ bug exploit Mutations
> 
> 
> TrendMicro sees it as a MS04-028 exploit 
> 
> > -----Original Message-----
> > From: full-disclosure-admin@...ts.netsys.com 
> > [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> > Andrey Bayora
> > Sent: Thursday, October 14, 2004 2:46 AM
> > To: full-disclosure@...ts.netsys.com
> > Cc: bugtraq@...urityfocus.com
> > Subject: [Full-Disclosure] Bypass of Antivirus software with 
> > GDI+ bug exploit Mutations
> > 
> > Bypass of Antivirus software with GDI+ bug exploit Mutations.
> > 
> > HiddenBit.org Security Advisory.
> > 
> > Date: October 14, 2004
> > 
> > Author: Andrey Bayora
> > 
> > 
> > BACKGROUND
> > 
> > While working on a research paper for SANS GCIH practice I found
> > this issue, and it seems to me critical enough to warn readers
> > about it.
> > 
> > DESCRIPTION
> > 
> > Most antivirus software can't detect mutations of the GDI+ exploit.
> > 
> > ANALYSIS
> > 
> > 1) Most antivirus vendors issue virus definitions for the known
> > exploit code [1], which uses the \xFF\xFE\x00\x01 string for the
> > buffer overflow.
> > From the Snort rule [2] you can learn that there are 7
> > more variants to produce this buffer overflow in GDI+.
> > 
> > So, by changing \xFE to one of these (\xE1, \xE2, \xED)
> > and/or by changing \x01 to \x00, this exploit will be
> > UNDETECTED by many antiviruses (list attached).
> > 
> > 2) While the original exploit code uses the buffer overflow string
> > near the BEGINNING of the image file (after the \xFF\xE0,
> > \xFF\xEC and \xFF\xEE markers), I was able to create an image
> > with the buffer overflow string in the MIDDLE of the file.
> > 
> > 3) By combining various strings from the methods described under
> > 1) and 2), and by placing them in different locations in the
> > image file, I was able to bypass various antivirus products.
> > 
> > 
> > FIX
> > 
> > 1) Patch vulnerable systems.
> > 2) If your antivirus doesn't detect these variants, block
> > JPEG (xFFD8).
> > 
> > 
> > DEMO
> > 
> > http://www.hiddenbit.org/demo_files/jpeg.zip
> > 
> > 1) In the 1.jpg file the \xFE string was substituted with \xE1.
> >                   WARNING ! THIS IS COMPILED PROOF OF CONCEPT
> >                            FROM [1] THAT WILL CONNECT BACK TO
> >                            VULNERABLE MACHINE TO 127.0.0.1 AT
> >                            PORT 777 ( run: nc -l -p 777 ).
> > 2) In 2.jpg the buffer overflow string is at offset x22F0
> > (the string begins with \xFF\xED).
> >                   THIS IS JUST AN IMAGE WITH BUFFER OVERFLOW.
> > 3) These are the results from [3]:
> > For 1.jpg
> > 
> > Results of a file scan
> > This is the report of the scanning done over "1.jpg" (see 
> > Demo section) file that VirusTotal processed on 10/13/2004 at 
> > 18:54:56.
> > Antivirus Version Update Result
> > BitDefender 7.0                10.12.2004 -
> > ClamWin devel-20040922         10.12.2004 -
> > eTrust-Iris 7.1.194.0          10.13.2004 -
> > F-Prot 3.15b                   10.13.2004 -
> > Kaspersky 4.0.2.24             10.13.2004 -
> > McAfee 4398                    10.13.2004 Exploit-MS04-028
> > NOD32v2 1.893                  10.13.2004 -
> > Norman 5.70.10                 10.12.2004 -
> > Panda 7.02.00                  10.13.2004 -
> > Sybari 7.5.1314                10.13.2004 -
> > Symantec 8.0                   10.12.2004 Backdoor.Roxe
> > TrendMicro 7.000               10.12.2004 Exploit-MS04-028
> > 
> > For 2.jpg
> > 
> > Results of a file scan
> > This is the report of the scanning done over "2.jpg" file 
> > that VirusTotal processed on 10/13/2004 at 18:56:32.
> > Antivirus Version Update Result
> > BitDefender 7.0            10.12.2004 -
> > ClamWin devel-20040922     10.12.2004 -
> > eTrust-Iris 7.1.194.0      10.13.2004 -
> > F-Prot 3.15b               10.13.2004 -
> > Kaspersky 4.0.2.24         10.13.2004 -
> > McAfee 4398                10.13.2004 Exploit-MS04-028
> > NOD32v2 1.893              10.13.2004 -
> > Norman 5.70.10             10.12.2004 -
> > Panda 7.02.00              10.13.2004 -
> > Sybari 7.5.1314            10.13.2004 -
> > Symantec 8.0               10.12.2004 Bloodhound.Exploit.13
> > TrendMicro 7.000           10.12.2004 Exploit-MS04-028
> > 
> > 
> > Only "The BIG 3" were able to detect those variants.
> > 
> > More complete research will be published in my SANS GCIH paper.
> > 
> > 
> > Reference :
> > 
> > [1] www.k-otik.com
> > [2] http://www.snort.org/snort-db/sid.html?sid=2705
> > [3] www.virustotal.com
> > 
> > 
> > 
> > **********************************************************
> > HiddenBit.org is a non-profit Israeli security research team.
> > 
> > 
> > 
> > --------------------------------------------------------------
> > Disclaimer
> > 
> > The information within this advisory may change without 
> > notice. There are no warranties, implied or express, with 
> > regard to this information.
> > In no event shall the author be liable for any direct or 
> > indirect damages whatever arising out or in connection with 
> > the use or spread of this information. Any use of this 
> > information is at the user's own risk.
> > 
> > 
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> > 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
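The ANALYSIS section of the quoted advisory makes a point that is worth seeing in code: a signature keyed on the literal bytes \xFF\xFE\x00\x01 misses the same fault when the marker byte changes (\xE1, \xE2, \xED), when the length byte changes (\x01 to \x00), or when the segment sits later in the file. The following is an added example, not code from the advisory, its author, or any of the vendors named in the thread. It checks the JPEG marker structure itself and flags any segment whose declared length is below 2 (the 16-bit length field counts itself, so 0 or 1 is never legal), regardless of which marker precedes it or where it sits in the header chain, which generalizes across every variant the advisory lists. The JPEG marker grammar used here is the standard one; the sample inputs are constructed for the demonstration and carry no payload, only marker structure.

```python
r"""Structural check for the JPEG segment-length condition behind MS04-028.

Added example: not code from the advisory, its author, or any antivirus
vendor. Instead of matching the fixed byte string \xFF\xFE\x00\x01 that the
advisory says most signatures key on, it walks the JPEG marker segments and
flags ANY segment whose declared length is below 2. The 16-bit length field
counts itself, so 0 or 1 can never be valid, whichever marker (COM, APP1,
APP2, APP13, ...) precedes it and wherever in the header chain it sits.
"""

# Markers that carry no length field: TEM, SOI, EOI, RST0..RST7.
_STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
SOS = 0xDA  # start of scan; entropy-coded data follows, stop walking there


def walk_segments(data: bytes):
    """Yield (offset, marker, declared_length) for each segment up to SOS.

    declared_length is None for stand-alone markers. Raises ValueError on a
    file that does not follow the marker grammar at all, so the caller can
    treat "cannot parse" as a reason to block rather than as clean.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos:#x}")
        # Any run of 0xFF fill bytes may precede the marker code itself.
        while pos < len(data) and data[pos] == 0xFF:
            pos += 1
        if pos >= len(data):
            break
        marker_off = pos - 1          # the 0xFF right before the marker code
        marker = data[pos]
        pos += 1
        if marker in _STANDALONE:
            yield (marker_off, marker, None)
            if marker == 0xD9:        # EOI
                break
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length field")
        length = int.from_bytes(data[pos:pos + 2], "big")
        yield (marker_off, marker, length)
        if length < 2:
            # A segment shorter than its own length field cannot be skipped
            # correctly (this is exactly the underflow condition); stop here.
            return
        pos += length
        if marker == SOS:
            break


def find_bad_segments(data: bytes):
    """Return [(offset, marker, length)] for every segment with length < 2."""
    return [(off, m, ln) for off, m, ln in walk_segments(data)
            if ln is not None and ln < 2]


def is_suspect(data: bytes) -> bool:
    """True if the file has an impossible segment length or cannot be parsed."""
    try:
        return bool(find_bad_segments(data))
    except ValueError:
        return True                   # fail closed on structurally broken input


def _segment(marker: int, payload: bytes) -> bytes:
    """Build a well-formed marker segment (length field counts itself)."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed samples (not the files from the advisory's demo archive).
APP0_JFIF = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")

# Well-formed header: SOI, APP0, a normal COM segment, SOS, EOI.
GOOD_JPEG = (b"\xff\xd8" + APP0_JFIF + _segment(0xFE, b"ok")
             + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\xff\xd9")

# COM segment declaring length 1 right after APP0: the byte pattern the
# advisory says signatures key on.
BAD_COM = b"\xff\xd8" + APP0_JFIF + b"\xff\xfe\x00\x01"

# Variant from the advisory: APP13 marker (\xED) with length 0, placed after
# two harmless segments instead of at the start of the file.
BAD_APP13_LATER = (b"\xff\xd8" + APP0_JFIF + _segment(0xFE, b"comment")
                   + _segment(0xE1, b"Exif\x00\x00") + b"\xff\xed\x00\x00")


if __name__ == "__main__":
    for name, blob in [("good", GOOD_JPEG), ("bad_com", BAD_COM),
                       ("bad_app13_later", BAD_APP13_LATER)]:
        print(name, "suspect" if is_suspect(blob) else "clean",
              find_bad_segments(blob))
```

Two design choices matter for a gateway or mail filter. First, the check is on the structure, so it does not need a new signature per marker byte or per file offset; the seven Snort variants the advisory mentions all reduce to "length field below 2". Second, a file that does not parse as a JPEG at all is treated as suspect rather than clean, which narrows the advisory's blunt fallback of blocking every xFFD8 attachment to blocking only the malformed ones.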

