Full Disclosure mailing list archives
Re: Multi-vendor AV gateway image inspection bypass vulnerability
From: Steven Rakick <stevenrakick () yahoo com>
Date: Wed, 12 Jan 2005 19:27:20 -0800 (PST)
I see a distinct difference here. First off, this technique doesn't add an additional layer of user interaction like zipping a file and/or password protecting it. Secondly, other techniques don't completely obsure the content or content header from the inspection mechanism. Now for the actual reason for this email. This evening I noticed that my CheckPoint Firewall-1 (with SmartDefense) now has a new option to "Block Encoded Images". It doesn't actually detect the exploit code, but at least someones starting to at least give you an option to defend yourself by blocking RFC 2397 formatted images. --- Frank Knobbe <frank () knobbe us> wrote:
On Wed, 2005-01-12 at 12:37 -0800, Steven Rakick wrote:This would mean that if an image exploiting the recently announced Microsoft LoadImage APIoverflowwere imbedded into HTML email there would be zero defense from the network layer as it would be completely invisible. Why am I not seeing more about this in the press?Itseems pretty threatening to me...Because it's old news from a network layer perspective. Images, emails, etc can also be transferred zipped or encoded in base64 and what not. Lots of IPS/IDS/AV and other gateway devices miss these encoded files. The only novel approach I can see here is the embedding of the data together with type and encoding in the URL. Nice idea. $20 says spyware/spam/porn/phishing sites will adopt this fairly soon. Regards, Frank
ATTACHMENT part 2 application/pgp-signature
name=signature.asc __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Multi-vendor AV gateway image inspection bypass vulnerability Darren Bounds (Jan 10)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Jeff Gillian (Jan 11)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability - KMail Noam Rathaus (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Danny (Jan 11)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Darren Bounds (Jan 11)
- <Possible follow-ups>
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Steven Rakick (Jan 11)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Steven Rakick (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Nils Ketelsen (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Frank Knobbe (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Steven Rakick (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Frank Knobbe (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Jeff Gillian (Jan 11)