Re: Multi-vendor AV gateway image inspection bypass vulnerability

[Frank Knobbe <frank () knobbe us>]

On Wed, 2005-01-12 at 12:37 -0800, Steven Rakick wrote:
> This would mean that if an image exploiting the
> recently announced Microsoft LoadImage API overflow
> were imbedded into HTML email there would be zero
> defense from the network layer as it would be
> completely invisible.
>
> Why am I not seeing more about this in the press? It
> seems pretty threatening to me...

Because it's old news from a network layer perspective. Images, emails,
etc can also be transferred zipped or encoded in base64 and what not.
Lots of IPS/IDS/AV and other gateway devices miss these encoded files.

The only novel approach I can see here is the embedding of the data
together with type and encoding in the URL. Nice idea. $20 says
spyware/spam/porn/phishing sites will adopt this fairly soon.

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html