Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Bypass of Antivirus software with GDI+ bug exploit Mutations
From: "Cassidy Macfarlane" <cmacfarlane () Drummond-Miller co uk>
Date: Thu, 14 Oct 2004 16:41:30 +0100

Symantec Enterprise 8.1:

Your attachment "JPEG.zip" contained viruses:
         "Backdoor.Roxe" at location "1.jpg", 
         and "Bloodhound.Exploit.13" at location "2.jpg".

-----Original Message-----
From: Todd Towles [mailto:toddtowles () brookshires com] 
Sent: 14 October 2004 14:10
To: Andrey Bayora; full-disclosure () lists netsys com
Cc: bugtraq () securityfocus com
Subject: RE: [Full-disclosure] Bypass of Antivirus software with GDI+
bug exploit Mutations


TrendMicro sees it as a MS04-028 exploit 

-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
Andrey Bayora
Sent: Thursday, October 14, 2004 2:46 AM
To: full-disclosure () lists netsys com
Cc: bugtraq () securityfocus com
Subject: [Full-disclosure] Bypass of Antivirus software with 
GDI+ bug exploit Mutations

Bypass of Antivirus software with GDI+ bug exploit Mutations.

HiddenBit.org Security Advisory.

Date: October 14, 2004

Author: Andrey Bayora


BACKGROUND

While performing research paper for SANS GCIH practice I have 
found this issue and it seems to me enough critical to warn 
readers about this.

DESCRIPTION

Most Antivirus software can't detect Mutations of GDI+ exploit.

ANALYSIS

1) Most Antivirus vendors issues virus definitions for known 
exploit code [1] witch uses \xFF\xFE\x00\x01 string for 
buffer overflow.
From the Snort rule [2] you can learn that there are 7 more variants
to produce this buffer overflow in GDI+.

So, by changing \xFE to one of this - \xE1, \xE2, \xED  
and\or by changing \x01 to \x00 this exploit will be 
UNDETECTED by many antiviruses (list attached).

2) While original exploit code use buffer overflow string 
near the BEGINNING of the image file (after \xFF\xE0 , 
\xFF\xEC and \xFF\xEE markers), I was able to create image 
with buffer overflow string at the MIDDLE of the file.

3) By combining various strings from methods described under 
1) and 2) and by placing them in different locations in the 
image file I was able to bypass various antivirus products.


FIX

1) Patch vulnerable systems.
2) If your antivirus didn't detect these variants - block 
JPEG (xFFD8).


DEMO

http://www.hiddenbit.org/demo_files/jpeg.zip

1) In the 1.jpg file the \xFE string was substituted to \xE1.
                  WARNING ! THIS IS COMPILED PROOF OF CONCEPT
                           FROM [1] THAT WILL CONNECT BACK TO
                           VULNERABLE MACHINE TO 127.0.0.1 AT
                           PORT 777 ( run: nc -l -p 777 ).
2) In the 2.jpg the buffer overflow string at offset x22F0 
(string that begins with \xFF\xED).
                  THIS IS JUST AN IMAGE WITH BUFFER OVERFLOW.
3) This is results from [3] :
For 1.jpg

Results of a file scan
This is the report of the scanning done over "1.jpg" (see 
Demo section) file that VirusTotal processed on 10/13/2004 at 
18:54:56.
Antivirus Version Update Result
BitDefender 7.0                10.12.2004 -
ClamWin devel-20040922         10.12.2004 -
eTrust-Iris 7.1.194.0          10.13.2004 -
F-Prot 3.15b                   10.13.2004 -
Kaspersky 4.0.2.24             10.13.2004 -
McAfee 4398                    10.13.2004 Exploit-MS04-028
NOD32v2 1.893                  10.13.2004 -
Norman 5.70.10                 10.12.2004 -
Panda 7.02.00                  10.13.2004 -
Sybari 7.5.1314                10.13.2004 -
Symantec 8.0                   10.12.2004 Backdoor.Roxe
TrendMicro 7.000               10.12.2004 Exploit-MS04-028

For 2.jpg

Results of a file scan
This is the report of the scanning done over "2.jpg" file 
that VirusTotal processed on 10/13/2004 at 18:56:32.
Antivirus Version Update Result
BitDefender 7.0            10.12.2004 -
ClamWin devel-20040922     10.12.2004 -
eTrust-Iris 7.1.194.0      10.13.2004 -
F-Prot 3.15b               10.13.2004 -
Kaspersky 4.0.2.24         10.13.2004 -
McAfee 4398                10.13.2004 Exploit-MS04-028
NOD32v2 1.893              10.13.2004 -
Norman 5.70.10             10.12.2004 -
Panda 7.02.00              10.13.2004 -
Sybari 7.5.1314            10.13.2004 -
Symantec 8.0               10.12.2004 Bloodhound.Exploit.13
TrendMicro 7.000           10.12.2004 Exploit-MS04-028


Only "The BIG 3" was able to detect those variants.

More complete research will be published in my SANS GCIH paper.


Reference :

[1] www.k-otik.com
[2] http://www.snort.org/snort-db/sid.html?sid=2705
[3] www.virustotal.com



**********************************************************
HiddenBit.org is non-profit Israel security research team.



--------------------------------------------------------------
Disclaimer

The information within this advisory may change without 
notice. There are no warranties, implied or express, with 
regard to this information.
In no event shall the author be liable for any direct or 
indirect damages whatever arising out or in connection with 
the use or spread of this information. Any use of this 
information is at the user's own risk.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]