Full Disclosure mailing list archives
RE: [security] Mozilla Foundation GIF Overflow
From: Steven Rakick <stevenrakick () yahoo com>
Date: Mon, 28 Mar 2005 10:54:38 -0800 (PST)
Hi Richard, Thanks for the email. Based on what you're saying, things have changed then since: http://xforce.iss.net/xforce/xfdb/18882. In that URL, Proventia A, G and M series are listed as affected. I'm not quite sure why it would affect the AV engine, but not the IPS engine unless you're looking at the content in a different manner. Can you explain what you're doing differrently now? Are you inspecting all RFC 2397 embedded data? Steve --- "Armstrong, Richard (ISS Texas)" <rarmstrong () iss net> wrote:
The trick below is a way to get around AV Gateways but not Intrusion Prevention Systems. The M Series is our multi function box. So while the GIF would have made if pass the AV Gateway module it would not have made it past the IPS module. The FW and IPS module come with all M Series appliances for free. Our A and G Series appliances do not have AV Gateways and were not vulnerable to the below. R Richard Armstrong, CISSP Director Systems Engineering Western Region Internet Security Systems Mobile: 469-556-5513 rarmstrong () iss net -----Original Message----- From: security-bounces () lists seifried org [mailto:security-bounces () lists seifried org] On Behalf Of Steven Rakick Sent: Friday, March 25, 2005 2:40 PM To: full-disclosure () lists grok org uk Subject: [security] [Full-disclosure] Mozilla Foundation GIF Overflow Hi all, I was just glancing at the Internet Security Systems website and I noticed the following statement "ISS provides Ahead of the Threat protection for Mozilla and Firefox Browsers". Clicking the related link they mention that ISS Network Sensor 7.0, Proventia A and G100, G400, G200, G1200, G2000 and M series all provide "preemptive protection for these vulnerabilities". I remember a couple months ago, Darren Bounds from Intrusense released an advisory regarding weak support for inspecting base64 encoded images in AV, IDS and IPS technologies (ISS being one of the them). (Advisory:
http://www.intrusense.com/av-bypass/image-bypass-advisory.txt)
My question is this. Did ISS ever add support for detecting this RFC 2397 images or are they going to pass through undetected? Mozilla and Firefox both support this spec so it seems like a very trivial attack vector to exploit... once again. Also, what other vendors have now added support for RFC 2397 inspection? Any insight would be greatly appreciated. Steve __________________________________ Do you Yahoo!? Yahoo! Small Business - Try our new resources site! http://smallbusiness.yahoo.com/resources/ _______________________________________________ Full-Disclosure - We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ security mailing list security () lists seifried org http://lists.seifried.org/mailman/listinfo/security
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- RE: [security] Mozilla Foundation GIF Overflow Steven Rakick (Mar 28)
- <Possible follow-ups>
- RE: [security] Mozilla Foundation GIF Overflow Armstrong, Richard (ISS Texas) (Mar 28)