Full Disclosure mailing list archives

RE: [security] Mozilla Foundation GIF Overflow


From: "Armstrong, Richard (ISS Texas)" <rarmstrong () iss net>
Date: Mon, 28 Mar 2005 15:18:02 -0500

Good point Steven so I got the answer for you.

We added support for RFC 2397 in our January 2005 update.  XPU
23.2/1.39.  The readme included this text:

"Added support for parsing images transferred using RFC 2397 encoding" 

=-=-=-

An advisory released by Secunia yesterday references a potential malware
detection bypass issue.  If a customer asks whether ISS products are
affected or how we are addressing the issue, please provide them with
the following information:

ISS has evaluated information regarding the image transfer vector
associated with RFC2397.  This RFC contains a standard for embedding
pictures within an HTML file.  Internet Explorer does not support this
standard and will not attempt to render such an image, thus IE will not
enable exploitation via an embedded malicious image file.  Although
Internet Explorer does not support this RFC, thus lowering the risk of
associated protection bypass, it has been adopted by other browser
software.  Because of this, ISS will be adding support for RFC2397 in
the upcoming XPU due to release the first of next week.  
=-=-=-

Hope this helps.  

Richard Armstrong

-----Original Message-----
From: Steven Rakick [mailto:stevenrakick () yahoo com] 
Sent: Monday, March 28, 2005 12:55 PM
To: Armstrong, Richard (ISS Texas)
Cc: full-disclosure () lists grok org uk
Subject: RE: [security] [Full-disclosure] Mozilla Foundation GIF
Overflow

Hi Richard, 

Thanks for the email.

Based on what you're saying, things have changed then
since: http://xforce.iss.net/xforce/xfdb/18882.  In that URL, Proventia
A, G and M series are listed as affected.

I'm not quite sure why it would affect the AV engine, but not the IPS
engine unless you're looking at the content in a different manner. Can
you explain what you're doing differently now? Are you inspecting all
RFC 2397 embedded data? 

Steve

--- "Armstrong, Richard (ISS Texas)"
<rarmstrong () iss net> wrote:
The trick below is a way to get around AV Gateways but not Intrusion
Prevention Systems.  The M Series is our multi function box.  So while
the GIF would have made it past the AV Gateway module it would not
have made it past the IPS module.  The FW and IPS module come with all
M Series appliances for free.

Our A and G Series appliances do not have AV Gateways and were not 
vulnerable to the below.

R

Richard Armstrong, CISSP
Director Systems Engineering
Western Region
Internet Security Systems
Mobile: 469-556-5513
rarmstrong () iss net

 

-----Original Message-----
From: security-bounces () lists seifried org
[mailto:security-bounces () lists seifried org] On Behalf Of Steven 
Rakick
Sent: Friday, March 25, 2005 2:40 PM
To: full-disclosure () lists grok org uk
Subject: [security] [Full-disclosure] Mozilla Foundation GIF Overflow

Hi all,

I was just glancing at the Internet Security Systems website and I 
noticed the following statement "ISS provides Ahead of the Threat 
protection for Mozilla and Firefox Browsers".

Clicking the related link they mention that ISS Network Sensor 7.0, 
Proventia A and G100, G400, G200, G1200, G2000 and M series all 
provide "preemptive protection for these vulnerabilities".

I remember a couple months ago, Darren Bounds from Intrusense released
an advisory regarding weak support for inspecting base64 encoded images
in AV, IDS and IPS technologies (ISS being one of them).
(Advisory: http://www.intrusense.com/av-bypass/image-bypass-advisory.txt)

My question is this. Did ISS ever add support for detecting these RFC
2397 images or are they going to pass through undetected? Mozilla and 
Firefox both support this spec so it seems like a very trivial attack 
vector to exploit... once again.

Also, what other vendors have now added support for RFC 2397
inspection?
Any insight would be greatly appreciated.

Steve

_______________________________________________
Full-Disclosure - We believe in it.
Charter:

http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia -
http://secunia.com/
_______________________________________________
security mailing list
security () lists seifried org
http://lists.seifried.org/mailman/listinfo/security
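
The inspection gap discussed in this thread comes down to whether a gateway decodes RFC 2397 `data:` URIs before scanning. The following is an added example, not part of the original messages and not ISS's implementation: a sketch of extracting and decoding embedded `data:` content from HTML so the decoded bytes can be handed to a scanner. All function names and the sample input are hypothetical, and it assumes quoted attribute values.

```python
import base64
import binascii
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 syntax: data:[<mediatype>][;base64],<data>
DATA_URI = re.compile(r"""data:(?P<meta>[^,"'<>]*),(?P<body>[^"'<>]*)""", re.I)
MAGIC = [(b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"),
         (b"\x89PNG\r\n\x1a\n", "image/png"), (b"\xff\xd8\xff", "image/jpeg")]

def sniff(payload):
    """Identify content from its leading bytes, not from the declared type."""
    for magic, kind in MAGIC:
        if payload.startswith(magic):
            return kind
    return "unknown"

def decode_data_uri(meta, body):
    """Return (declared_type, decoded_bytes or None) for one data: URI."""
    params = [p.strip().lower() for p in meta.split(";")]
    declared = params[0] or "text/plain"   # RFC 2397 default media type
    raw = unquote_to_bytes(body)           # %xx escapes are legal in both forms
    if "base64" in params[1:]:
        raw = b"".join(raw.split())        # drop embedded whitespace/newlines
        raw += b"=" * (-len(raw) % 4)      # tolerate stripped padding
        try:
            raw = base64.b64decode(raw)
        except (binascii.Error, ValueError):
            return declared, None          # undecodable: flag it, do not pass blind
    return declared, raw

def extract_embedded(html):
    """One record per data: URI; 'payload' is what the scanner should inspect."""
    out = []
    for m in DATA_URI.finditer(html):
        declared, payload = decode_data_uri(m["meta"], m["body"])
        actual = sniff(payload) if payload is not None else "undecodable"
        out.append({"declared": declared, "actual": actual, "payload": payload,
                    "mismatch": actual not in (declared, "unknown")})
    return out

# Constructed sample: a GIF header declared as PNG, base64 split across lines.
_B64 = base64.b64encode(b"GIF89a\x01\x00\x01\x00").decode()
SAMPLE = '<img src="data:image/png;base64,%s\n%s">' % (_B64[:6], _B64[6:])

if __name__ == "__main__":
    for rec in extract_embedded(SAMPLE):
        print(rec["declared"], rec["actual"], rec["mismatch"], len(rec["payload"]))
```

The `mismatch` flag marks content whose magic bytes disagree with the declared media type, which is worth logging separately from the scan verdict on the decoded payload.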