Full Disclosure mailing list archives

Re: Multi-vendor AV gateway image inspection bypass vulnerability
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 12 Jan 2005 22:24:40 -0600

On Wed, 2005-01-12 at 19:27 -0800, Steven Rakick wrote:
> First off, this technique doesn't add an additional
> layer of user interaction like zipping a file and/or
> password protecting it.

No, I meant zip encoding as in gzip'ed web content. I wasn't referring
to ZIP archives users have to open.

> This evening I noticed that my CheckPoint Firewall-1
> (with SmartDefense) now has a new option to "Block
> Encoded Images". It doesn't actually detect the
> exploit code, but at least someone's starting to at
> least give you an option to defend yourself by
> blocking RFC 2397 formatted images.

Any idea how it does that? Does it look for encoding patterns or does it
decode and then check? The latter might have an adverse performance
impact on busy sites.

Cheers,
Frank
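
The two approaches asked about above, as an added example (not part of the original message, and not a description of how Firewall-1 or any other product works): a pattern match for RFC 2397 `data:` URIs next to a decode-then-identify check, both run after undoing gzip content encoding. The function names and the sample page are constructed for illustration.

```python
import base64
import binascii
import gzip
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 form: data:[<mediatype>][;base64],<data>
DATA_URI = re.compile(rb"data:([^,\"'\s<>]*),([^\"'\s<>)]*)", re.IGNORECASE)
MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif", b"\x89PNG\r\n\x1a\n": "png",
         b"\xff\xd8\xff": "jpeg", b"BM": "bmp"}

def inflate(body, content_encoding=""):
    """Undo gzip Content-Encoding so the filters see the real markup."""
    if content_encoding.strip().lower() in ("gzip", "x-gzip"):
        return gzip.decompress(body)
    return body

def pattern_check(body):
    """Cheap option: flag any data: URI that declares an image/* type."""
    return [m.group(0)[:40] for m in DATA_URI.finditer(body)
            if m.group(1).split(b";")[0].strip().lower().startswith(b"image/")]

def decode_check(body):
    """Costly option: decode each payload and identify it by magic bytes."""
    found = []
    for m in DATA_URI.finditer(body):
        params = [p.strip().lower() for p in m.group(1).split(b";")]
        try:
            raw = (base64.b64decode(m.group(2), validate=True)
                   if params[-1] == b"base64" else unquote_to_bytes(m.group(2)))
        except (binascii.Error, ValueError):
            continue  # undecodable payload: nothing to hand to a scanner
        kind = next((k for sig, k in MAGIC.items() if raw.startswith(sig)), None)
        if kind:
            found.append((kind, len(raw)))  # raw is what an AV engine would scan
    return found

# Constructed sample: a minimal 1x1 GIF embedded RFC 2397 style, served gzip-encoded.
GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,"
       b"\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
PAGE = b'<html><img src="data:image/gif;base64,' + base64.b64encode(GIF) + b'"></html>'
WIRE = gzip.compress(PAGE)

if __name__ == "__main__":
    print(pattern_check(WIRE))                    # still compressed: nothing to match
    print(pattern_check(inflate(WIRE, "gzip")))   # one declared image/gif URI
    print(decode_check(inflate(WIRE, "gzip")))    # format and decoded size
```

Either check only works on the inflated body, and only the decode path yields bytes that a signature engine could inspect, which is where the per-response cost comes from.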
