Re: Multi-vendor AV gateway image inspection bypass vulnerability

[Frank Knobbe <frank () knobbe us>]

On Wed, 2005-01-12 at 19:27 -0800, Steven Rakick wrote:
> First off, this technique doesn't add an additional
> layer of user interaction like zipping a file and/or
> password protecting it.

No, I meant zip encoding as in gzip'ed web content. I wasn't referring
to ZIP archives user have to open.

> This evening I noticed that my CheckPoint Firewall-1
> (with SmartDefense) now has a new option to "Block
> Encoded Images".  It doesn't actually detect the
> exploit code, but at least someones starting to at
> least give you an option to defend yourself by
> blocking RFC 2397 formatted images.

Any idea how it does that? Does it look for encoding patterns or does it
decode and then check? The later might have an adverse performance
impact on busy sites.

Cheers,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html