[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1105570644.793.25.camel@localhost>
From: frank at knobbe.us (Frank Knobbe)
Subject: Multi-vendor AV gateway image inspection
bypass vulnerability
On Wed, 2005-01-12 at 12:37 -0800, Steven Rakick wrote:
> This would mean that if an image exploiting the
> recently announced Microsoft LoadImage API overflow
> were imbedded into HTML email there would be zero
> defense from the network layer as it would be
> completely invisible.
>
> Why am I not seeing more about this in the press? It
> seems pretty threatening to me...
Because it's old news from a network layer perspective. Images, emails,
etc can also be transferred zipped or encoded in base64 and what not.
Lots of IPS/IDS/AV and other gateway devices miss these encoded files.
The only novel approach I can see here is the embedding of the data
together with type and encoding in the URL. Nice idea. $20 says
spyware/spam/porn/phishing sites will adopt this fairly soon.
Regards,
Frank
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050112/4f409ecb/attachment.bin
Powered by blists - more mailing lists