Full Disclosure mailing list archives
Re: FW: JPEG AV Detection
From: Gerry Eisenhaur <GEisenhaur () Cisco com>
Date: Tue, 28 Sep 2004 16:44:01 -0400
After looking in to what the AV companies base their signature on, it appears that they use the \xff\xfe\x00\x00 or \xff\xfe\x00\x01 string in the vulnerable JPEG. If you change the size to a valid size, the AV is not triggered.
I know there is some talk about other sections being vulnerable to overflow as well, I have not look into this yet so I can not be sure. If it is true, I wonder if the AV companies are aware/detect the possible new exploits.
Anyone else have any input? /gerry Todd Towles wrote:
What exactly are the AV products detecting in the JPEG exploits? Barry and I was talking about how impressed we were that the AV companies jumped on this one and detection was pretty fast. But is the detection so generic that a variant will bypass? Is the detection based on a original exploit that could be modified in a way that makes it "undetectable" right now? -Todd -----Original Message-----From: Barry Fitzgerald [mailto:bkfsec () sdf lonestar org] Sent: Tuesday, September 28, 2004 1:55 PMTo: Todd Towles Subject: Re: [Full-Disclosure] Re: Full-disclosure digest, Vol 1 #1933 - 20 msgs Todd Towles wrote:Yep, really surprised. Just hopefully the invalid data that is being detected can't be changed or worked in a work that would bypass normal detection. Once the file is renamed to a BMP or a GIF, you confuse the whole thing even more.Are the AV products hitting on a part of the original exploit? Can thispart be changed in a future version to make it "undetectable". I am very impressed at the work of the AV companines on this one, but I alsoknow that is this detection is too simple, that it will be bypassed.I'm not sure what they're specifically detecting. This may be a good question for the list. -Barry _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
-- Gerald Eisenhaur Cisco Systems, Inc. 1414 Massachusetts Ave. Boxborough, Massachusetts 01719 voice: 978.936.0465 geisenhaur () cisco com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- FW: JPEG AV Detection Todd Towles (Sep 28)
- Re: FW: JPEG AV Detection Gerry Eisenhaur (Sep 28)
- RE: JPEG AV Detection Bojan Zdrnja (Sep 29)
- <Possible follow-ups>
- RE: FW: JPEG AV Detection Aaron Horst (Sep 28)
- RE: FW: JPEG AV Detection Todd Towles (Sep 28)