RE: [security] Mozilla Foundation GIF Overflow

[Steven Rakick <stevenrakick () yahoo com>]

Hi Richard, 

Thanks for the email.

Based on what you're saying, things have changed then
since: http://xforce.iss.net/xforce/xfdb/18882.  In
that URL, Proventia A, G and M series are listed as
affected.

I'm not quite sure why it would affect the AV engine,
but not the IPS engine unless you're looking at the
content in a different manner. Can you explain what
you're doing differrently now? Are you inspecting all
RFC 2397 embedded data? 

Steve

--- "Armstrong, Richard (ISS Texas)"
<rarmstrong () iss net> wrote:
> The trick below is a way to get around AV Gateways
> but not Intrusion
> Prevention Systems.  The M Series is our multi
> function box.  So while
> the GIF would have made if pass the AV Gateway
> module it would not have
> made it past the IPS module.  The FW and IPS module
> come with all M
> Series appliances for free.
>
> Our A and G Series appliances do not have AV
> Gateways and were not
> vulnerable to the below.
>
> R
>
> Richard Armstrong, CISSP
> Director Systems Engineering
> Western Region
> Internet Security Systems
> Mobile: 469-556-5513
> rarmstrong () iss net
>
>  
>
> -----Original Message-----
> From: security-bounces () lists seifried org
> [mailto:security-bounces () lists seifried org] On
> Behalf Of Steven Rakick
> Sent: Friday, March 25, 2005 2:40 PM
> To: full-disclosure () lists grok org uk
> Subject: [security] [Full-disclosure] Mozilla
> Foundation GIF Overflow
>
> Hi all,
>
> I was just glancing at the Internet Security Systems
> website and I
> noticed the following statement "ISS provides Ahead
> of the Threat
> protection for Mozilla and Firefox Browsers".
>
> Clicking the related link they mention that ISS
> Network Sensor 7.0,
> Proventia A and G100, G400, G200, G1200, G2000 and M
> series all provide
> "preemptive protection for these vulnerabilities". 
>
> I remember a couple months ago, Darren Bounds from
> Intrusense released
> an advisory regarding weak support for inspecting
> base64 encoded images
> in AV, IDS and IPS technologies (ISS being one of
> the them). 
> (Advisory:
http://www.intrusense.com/av-bypass/image-bypass-advisory.txt)
> My question is this. Did ISS ever add support for
> detecting this RFC
> 2397 images or are they going to pass through
> undetected? Mozilla and
> Firefox both support this spec so it seems like a
> very trivial attack
> vector to exploit... once again. 
>
> Also, what other vendors have now added support for
> RFC 2397 inspection?
>
>
> Any insight would be greatly appreciated.
>
> Steve
>
>
>
>               
> __________________________________
> Do you Yahoo!? 
> Yahoo! Small Business - Try our new resources site!
> http://smallbusiness.yahoo.com/resources/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia -
> http://secunia.com/
> _______________________________________________
> security mailing list
> security () lists seifried org
> http://lists.seifried.org/mailman/listinfo/security

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/