RE: Bypass of Antivirus software with GDI+ bug exploit Mutations

["Cassidy Macfarlane" <cmacfarlane () Drummond-Miller co uk>]

Symantec Enterprise 8.1:

Your attachment "JPEG.zip" contained viruses:
         "Backdoor.Roxe" at location "1.jpg", 
         and "Bloodhound.Exploit.13" at location "2.jpg".

-----Original Message-----
From: Todd Towles [mailto:toddtowles () brookshires com] 
Sent: 14 October 2004 14:10
To: Andrey Bayora; full-disclosure () lists netsys com
Cc: bugtraq () securityfocus com
Subject: RE: [Full-disclosure] Bypass of Antivirus software with GDI+
bug exploit Mutations


TrendMicro sees it as a MS04-028 exploit 

> -----Original Message-----
> From: full-disclosure-admin () lists netsys com 
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
> Andrey Bayora
> Sent: Thursday, October 14, 2004 2:46 AM
> To: full-disclosure () lists netsys com
> Cc: bugtraq () securityfocus com
> Subject: [Full-disclosure] Bypass of Antivirus software with 
> GDI+ bug exploit Mutations
>
> Bypass of Antivirus software with GDI+ bug exploit Mutations.
>
> HiddenBit.org Security Advisory.
>
> Date: October 14, 2004
>
> Author: Andrey Bayora
>
>
> BACKGROUND
>
> While performing research paper for SANS GCIH practice I have 
> found this issue and it seems to me enough critical to warn 
> readers about this.
>
> DESCRIPTION
>
> Most Antivirus software can't detect Mutations of GDI+ exploit.
>
> ANALYSIS
>
> 1) Most Antivirus vendors issues virus definitions for known 
> exploit code [1] witch uses \xFF\xFE\x00\x01 string for 
> buffer overflow.
> > From the Snort rule [2] you can learn that there are 7 more variants
> to produce this buffer overflow in GDI+.
>
> So, by changing \xFE to one of this - \xE1, \xE2, \xED  
> and\or by changing \x01 to \x00 this exploit will be 
> UNDETECTED by many antiviruses (list attached).
>
> 2) While original exploit code use buffer overflow string 
> near the BEGINNING of the image file (after \xFF\xE0 , 
> \xFF\xEC and \xFF\xEE markers), I was able to create image 
> with buffer overflow string at the MIDDLE of the file.
>
> 3) By combining various strings from methods described under 
> 1) and 2) and by placing them in different locations in the 
> image file I was able to bypass various antivirus products.
>
>
> FIX
>
> 1) Patch vulnerable systems.
> 2) If your antivirus didn't detect these variants - block 
> JPEG (xFFD8).
>
>
> DEMO
>
> http://www.hiddenbit.org/demo_files/jpeg.zip
>
> 1) In the 1.jpg file the \xFE string was substituted to \xE1.
>                   WARNING ! THIS IS COMPILED PROOF OF CONCEPT
>                            FROM [1] THAT WILL CONNECT BACK TO
>                            VULNERABLE MACHINE TO 127.0.0.1 AT
>                            PORT 777 ( run: nc -l -p 777 ).
> 2) In the 2.jpg the buffer overflow string at offset x22F0 
> (string that begins with \xFF\xED).
>                   THIS IS JUST AN IMAGE WITH BUFFER OVERFLOW.
> 3) This is results from [3] :
> For 1.jpg
>
> Results of a file scan
> This is the report of the scanning done over "1.jpg" (see 
> Demo section) file that VirusTotal processed on 10/13/2004 at 
> 18:54:56.
> Antivirus Version Update Result
> BitDefender 7.0                10.12.2004 -
> ClamWin devel-20040922         10.12.2004 -
> eTrust-Iris 7.1.194.0          10.13.2004 -
> F-Prot 3.15b                   10.13.2004 -
> Kaspersky 4.0.2.24             10.13.2004 -
> McAfee 4398                    10.13.2004 Exploit-MS04-028
> NOD32v2 1.893                  10.13.2004 -
> Norman 5.70.10                 10.12.2004 -
> Panda 7.02.00                  10.13.2004 -
> Sybari 7.5.1314                10.13.2004 -
> Symantec 8.0                   10.12.2004 Backdoor.Roxe
> TrendMicro 7.000               10.12.2004 Exploit-MS04-028
>
> For 2.jpg
>
> Results of a file scan
> This is the report of the scanning done over "2.jpg" file 
> that VirusTotal processed on 10/13/2004 at 18:56:32.
> Antivirus Version Update Result
> BitDefender 7.0            10.12.2004 -
> ClamWin devel-20040922     10.12.2004 -
> eTrust-Iris 7.1.194.0      10.13.2004 -
> F-Prot 3.15b               10.13.2004 -
> Kaspersky 4.0.2.24         10.13.2004 -
> McAfee 4398                10.13.2004 Exploit-MS04-028
> NOD32v2 1.893              10.13.2004 -
> Norman 5.70.10             10.12.2004 -
> Panda 7.02.00              10.13.2004 -
> Sybari 7.5.1314            10.13.2004 -
> Symantec 8.0               10.12.2004 Bloodhound.Exploit.13
> TrendMicro 7.000           10.12.2004 Exploit-MS04-028
>
>
> Only "The BIG 3" was able to detect those variants.
>
> More complete research will be published in my SANS GCIH paper.
>
>
> Reference :
>
> [1] www.k-otik.com
> [2] http://www.snort.org/snort-db/sid.html?sid=2705
> [3] www.virustotal.com
>
>
>
> **********************************************************
> HiddenBit.org is non-profit Israel security research team.
>
>
>
> --------------------------------------------------------------
> Disclaimer
>
> The information within this advisory may change without 
> notice. There are no warranties, implied or express, with 
> regard to this information.
> In no event shall the author be liable for any direct or 
> indirect damages whatever arising out or in connection with 
> the use or spread of this information. Any use of this 
> information is at the user's own risk.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html