Message-ID: <1097739981.416e2ecd15fad@www.hiddenbit.org>
From: andrey at hiddenbit.org (Andrey Bayora)
Subject: Bypass of Antivirus software with GDI+ bug exploit Mutations

Bypass of Antivirus software with GDI+ bug exploit Mutations.

HiddenBit.org Security Advisory.

Date: October 14, 2004

Author: Andrey Bayora


BACKGROUND

While working on a research paper for the SANS GCIH practical I found
this issue, and it seems to me critical enough to warn readers
about it.

DESCRIPTION

Most antivirus software can't detect mutations of the GDI+ exploit.

ANALYSIS

1) Most antivirus vendors issue virus definitions for the known exploit
code [1], which uses the \xFF\xFE\x00\x01 string for the buffer overflow.
From the Snort rule [2] you can learn that there are 7 more variants
that produce this buffer overflow in GDI+.

So, by changing \xFE to one of these (\xE1, \xE2, \xED) and/or by
changing \x01 to \x00, this exploit will be UNDETECTED by many
antiviruses (list attached).

2) While the original exploit code places the buffer overflow string near the
BEGINNING of the image file (after the \xFF\xE0,
\xFF\xEC and \xFF\xEE markers), I was able
to create an image with the buffer overflow string in the MIDDLE of the file.

3) By combining the various strings from the methods described under 1) and 2),
and by placing them at different locations in the image file, I was
able to bypass various antivirus products.
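The following is an added detection example, not code from the advisory or from any vendor. Instead of matching the literal \xFF\xFE\x00\x01 string, it walks the JPEG marker segments and flags any segment whose 2-byte length field is below 2 (the size of the field itself), so the marker substitutions, the \x00\x00 length and the mid-file placement described above are all caught by one rule. The sample bytes at the bottom are constructed, not the advisory's demo files.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))
NO_LENGTH = RST | {0x01, SOI}        # TEM, RSTn and SOI carry no length field
SCAN_CONT = RST | {0x00, 0xFF}       # 0xFF followed by these stays inside scan data


def find_bad_segments(data: bytes):
    """Return (offset, marker, length) for every segment whose declared
    length is below the 2 bytes the length field itself occupies."""
    findings = []
    if data[:2] != b"\xFF\xD8":
        return findings
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF or data[pos + 1] == 0xFF:
            pos += 1                         # stray or fill byte: resync
            continue
        marker = data[pos + 1]
        if marker == EOI:
            break
        if marker in NO_LENGTH:
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            findings.append((pos, marker, length))
            pos += 4                         # underflowed length: step past the field
            continue
        pos += 2 + length
        if marker == SOS:
            # Skip entropy-coded data: 0xFF00 is a stuffed byte, 0xFFD0-D7 are
            # restart markers; any other 0xFFxx ends the scan.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in SCAN_CONT:
                    break
                pos += 1
    return findings


# Constructed samples, not the advisory's demo files: a minimal JFIF header,
# and the same header followed by a zero-length APP13 (\xFF\xED) segment.
JFIF_HDR = (b"\xFF\xD8\xFF\xE0" + struct.pack(">H", 16)
            + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
CLEAN = JFIF_HDR + b"\xFF\xD9"
MUTATED = JFIF_HDR + b"\xFF\xED\x00\x00" + b"\x00" * 8 + b"\xFF\xD9"
```

Because it walks by declared length, the same check also finds a short-length segment placed after the scan data of a multi-scan file.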


FIX

1) Patch vulnerable systems.
2) If your antivirus didn't detect these variants, block JPEG (xFFD8).


DEMO

http://www.hiddenbit.org/demo_files/jpeg.zip

1) In the 1.jpg file the \xFE byte was substituted with \xE1.
                  WARNING! THIS IS THE COMPILED PROOF OF CONCEPT
                           FROM [1] THAT WILL CONNECT BACK FROM THE
                           VULNERABLE MACHINE TO 127.0.0.1 AT
                           PORT 777 (run: nc -l -p 777).
2) In 2.jpg the buffer overflow string is at offset x22F0 (the string
begins with \xFF\xED).
                  THIS IS JUST AN IMAGE WITH A BUFFER OVERFLOW.
3) These are the results from [3]:
For 1.jpg

Results of a file scan
This is the report of the scanning done over "1.jpg" (see Demo section)
file that VirusTotal processed on 10/13/2004 at 18:54:56.
Antivirus Version Update Result
BitDefender 7.0                10.12.2004 -
ClamWin devel-20040922         10.12.2004 -
eTrust-Iris 7.1.194.0          10.13.2004 -
F-Prot 3.15b                   10.13.2004 -
Kaspersky 4.0.2.24             10.13.2004 -
McAfee 4398                    10.13.2004 Exploit-MS04-028
NOD32v2 1.893                  10.13.2004 -
Norman 5.70.10                 10.12.2004 -
Panda 7.02.00                  10.13.2004 -
Sybari 7.5.1314                10.13.2004 -
Symantec 8.0                   10.12.2004 Backdoor.Roxe
TrendMicro 7.000               10.12.2004 Exploit-MS04-028

For 2.jpg

Results of a file scan
This is the report of the scanning done over "2.jpg" file that
VirusTotal processed on 10/13/2004 at 18:56:32.
Antivirus Version Update Result
BitDefender 7.0            10.12.2004 -
ClamWin devel-20040922     10.12.2004 -
eTrust-Iris 7.1.194.0      10.13.2004 -
F-Prot 3.15b               10.13.2004 -
Kaspersky 4.0.2.24         10.13.2004 -
McAfee 4398                10.13.2004 Exploit-MS04-028
NOD32v2 1.893              10.13.2004 -
Norman 5.70.10             10.12.2004 -
Panda 7.02.00              10.13.2004 -
Sybari 7.5.1314            10.13.2004 -
Symantec 8.0               10.12.2004 Bloodhound.Exploit.13
TrendMicro 7.000           10.12.2004 Exploit-MS04-028


Only "The BIG 3" were able to detect these variants.

More complete research will be published in my SANS GCIH paper.


References:

[1] www.k-otik.com
[2] http://www.snort.org/snort-db/sid.html?sid=2705
[3] www.virustotal.com



**********************************************************
HiddenBit.org is a non-profit Israeli security research team.



--------------------------------------------------------------
Disclaimer

The information within this advisory may change without notice. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatever arising out or in connection with the use or spread of
this information. Any use of this information is at the user's own risk.


