Full Disclosure mailing list archives
Re: Multi-vendor AV gateway image inspection bypass vulnerability
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 12 Jan 2005 22:24:40 -0600
On Wed, 2005-01-12 at 19:27 -0800, Steven Rakick wrote:
> First off, this technique doesn't add an additional layer of user interaction like zipping a file and/or password protecting it.
No, I meant zip encoding as in gzip'ed web content. I wasn't referring to ZIP archives users have to open.
> This evening I noticed that my CheckPoint Firewall-1 (with SmartDefense) now has a new option to "Block Encoded Images". It doesn't actually detect the exploit code, but at least someone's starting to at least give you an option to defend yourself by blocking RFC 2397 formatted images.
Any idea how it does that? Does it look for encoding patterns or does it decode and then check? The latter might have an adverse performance impact on busy sites.
Cheers,
Frank
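The two approaches asked about above (matching the RFC 2397 encoding pattern versus decoding and then checking), as an added example that is not part of the original message and not any vendor's implementation. The function names, the magic-byte table and the sample input are assumptions constructed for illustration; gzip Content-Encoding is undone first because neither check sees the markup otherwise.

```python
import base64
import binascii
import gzip
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 syntax: data:[<mediatype>][;base64],<data>
DATA_URI = re.compile(
    r"data:(?P<type>[\w.+-]+/[\w.+-]+)?(?:;[\w.+-]+=[^;,\"']*)*"
    r"(?P<b64>;base64)?,(?P<data>[^\"'\s>)]*)", re.IGNORECASE)
# Assumed, minimal magic-byte table for sniffing decoded payloads
MAGIC = {b"\xff\xd8\xff": "image/jpeg", b"GIF8": "image/gif",
         b"\x89PNG": "image/png"}

# Constructed sample: a GIF header inlined as a data: URI, then gzip'ed
_GIF = b"GIF89a" + b"\x00" * 30
SAMPLE_HTML = '<img src="data:image/gif;base64,%s">' % base64.b64encode(_GIF).decode()
SAMPLE_GZ = gzip.compress(SAMPLE_HTML.encode())

def body_text(raw, content_encoding=""):
    """Undo gzip Content-Encoding so the checks see the actual markup."""
    if content_encoding.lower() == "gzip":
        raw = gzip.decompress(raw)
    return raw.decode("latin-1")

def pattern_check(html):
    """Approach 1: flag every inline data: URI by pattern, no decoding."""
    return [m.group("type") or "text/plain" for m in DATA_URI.finditer(html)]

def decode_check(html):
    """Approach 2: decode each payload so a content scanner can inspect it.

    Returns (declared type, sniffed type, payload bytes) per URI; payload is
    None when the base64 is malformed, which is itself worth flagging.
    """
    found = []
    for m in DATA_URI.finditer(html):
        raw = unquote_to_bytes(m.group("data"))
        try:
            payload = base64.b64decode(raw, validate=True) if m.group("b64") else raw
        except (binascii.Error, ValueError):
            payload = None
        sniffed = None
        if payload:
            sniffed = next((t for sig, t in MAGIC.items()
                            if payload.startswith(sig)), None)
        found.append((m.group("type"), sniffed, payload))
    return found
```

The pattern check is a single regex pass over the body, while the decode check allocates and decodes every inline payload, which is where the per-response cost on a busy gateway comes from.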