RE: [Full-Disclosure] Bypass of Antivirus software with GDI+ bug exploit Mutations

From: Todd Towles (toddtowles_at_brookshires.com)
Date: 10/14/04

    To: "Andrey Bayora" <andrey@hiddenbit.org>, <full-disclosure@lists.netsys.com>
    Date: Thu, 14 Oct 2004 08:09:54 -0500
    
    

    TrendMicro sees it as an MS04-028 exploit

    > -----Original Message-----
    > From: full-disclosure-admin@lists.netsys.com
    > [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
    > Andrey Bayora
    > Sent: Thursday, October 14, 2004 2:46 AM
    > To: full-disclosure@lists.netsys.com
    > Cc: bugtraq@securityfocus.com
    > Subject: [Full-Disclosure] Bypass of Antivirus software with
    > GDI+ bug exploit Mutations
    >
    > Bypass of Antivirus software with GDI+ bug exploit Mutations.
    >
    > HiddenBit.org Security Advisory.
    >
    > Date: October 14, 2004
    >
    > Author: Andrey Bayora
    >
    >
    > BACKGROUND
    >
    > While writing a research paper for SANS GCIH practice, I found
    > this issue, and it seems to me critical enough to warn readers
    > about it.
    >
    > DESCRIPTION
    >
    > Most Antivirus software can't detect Mutations of GDI+ exploit.
    >
    > ANALYSIS
    >
    > 1) Most antivirus vendors issue virus definitions for the known
    > exploit code [1], which uses the \xFF\xFE\x00\x01 string for the
    > buffer overflow.
    > From the Snort rule [2] you can learn that there are 7 more variants
    > that produce this buffer overflow in GDI+.
    >
    > So, by changing \xFE to one of these (\xE1, \xE2, \xED)
    > and/or by changing \x01 to \x00, this exploit will be
    > UNDETECTED by many antiviruses (list attached).
    >
    > 2) While the original exploit code uses the buffer overflow
    > string near the BEGINNING of the image file (after the \xFF\xE0,
    > \xFF\xEC and \xFF\xEE markers), I was able to create an image
    > with the buffer overflow string in the MIDDLE of the file.
    >
    > 3) By combining various strings from methods described under
    > 1) and 2) and by placing them in different locations in the
    > image file I was able to bypass various antivirus products.
    >
    >
    > FIX
    >
    > 1) Patch vulnerable systems.
    > 2) If your antivirus doesn't detect these variants, block
    > JPEG (\xFF\xD8).
    >
    >
    > DEMO
    >
    > http://www.hiddenbit.org/demo_files/jpeg.zip
    >
    > 1) In the 1.jpg file the \xFE string was substituted with \xE1.
    > WARNING ! THIS IS COMPILED PROOF OF CONCEPT
    > FROM [1] THAT WILL CONNECT BACK TO
    > VULNERABLE MACHINE TO 127.0.0.1 AT
    > PORT 777 ( run: nc -l -p 777 ).
    > 2) In 2.jpg the buffer overflow string is at offset 0x22F0
    > (the string that begins with \xFF\xED).
    > THIS IS JUST AN IMAGE WITH A BUFFER OVERFLOW.
    > 3) These are the results from [3]:
    > For 1.jpg
    >
    > Results of a file scan
    > This is the report of the scanning done over "1.jpg" (see
    > Demo section) file that VirusTotal processed on 10/13/2004 at
    > 18:54:56.
    > Antivirus    Version          Update      Result
    > BitDefender  7.0              10.12.2004  -
    > ClamWin      devel-20040922   10.12.2004  -
    > eTrust-Iris  7.1.194.0        10.13.2004  -
    > F-Prot       3.15b            10.13.2004  -
    > Kaspersky    4.0.2.24         10.13.2004  -
    > McAfee       4398             10.13.2004  Exploit-MS04-028
    > NOD32v2      1.893            10.13.2004  -
    > Norman       5.70.10          10.12.2004  -
    > Panda        7.02.00          10.13.2004  -
    > Sybari       7.5.1314         10.13.2004  -
    > Symantec     8.0              10.12.2004  Backdoor.Roxe
    > TrendMicro   7.000            10.12.2004  Exploit-MS04-028
    >
    > For 2.jpg
    >
    > Results of a file scan
    > This is the report of the scanning done over "2.jpg" file
    > that VirusTotal processed on 10/13/2004 at 18:56:32.
    > Antivirus    Version          Update      Result
    > BitDefender  7.0              10.12.2004  -
    > ClamWin      devel-20040922   10.12.2004  -
    > eTrust-Iris  7.1.194.0        10.13.2004  -
    > F-Prot       3.15b            10.13.2004  -
    > Kaspersky    4.0.2.24         10.13.2004  -
    > McAfee       4398             10.13.2004  Exploit-MS04-028
    > NOD32v2      1.893            10.13.2004  -
    > Norman       5.70.10          10.12.2004  -
    > Panda        7.02.00          10.13.2004  -
    > Sybari       7.5.1314         10.13.2004  -
    > Symantec     8.0              10.12.2004  Bloodhound.Exploit.13
    > TrendMicro   7.000            10.12.2004  Exploit-MS04-028
    >
    >
    > Only "The BIG 3" were able to detect those variants.
    >
    > More complete research will be published in my SANS GCIH paper.
    >
    >
    > References:
    >
    > [1] www.k-otik.com
    > [2] http://www.snort.org/snort-db/sid.html?sid=2705
    > [3] www.virustotal.com
    >
    >
    >
    > **********************************************************
    > HiddenBit.org is a non-profit Israeli security research team.
    >
    >
    >
    > --------------------------------------------------------------
    > Disclaimer
    >
    > The information within this advisory may change without
    > notice. There are no warranties, implied or express, with
    > regard to this information.
    > In no event shall the author be liable for any direct or
    > indirect damages whatsoever arising out of or in connection
    > with the use or spread of this information. Any use of this
    > information is at the user's own risk.
    >
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
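A defender-side detector for the mutation space the quoted advisory describes, added here as an example (not code from the advisory, from HiddenBit.org or from the Snort rule it cites). It assumes, following that rule, that the relevant markers are \xE1, \xE2, \xED and \xFE and the malformed length values are 0 and 1; it sweeps the whole file rather than only the header, because the advisory places the string mid-file. The sample JPEGs are constructed inline and are not the advisory's 1.jpg or 2.jpg.

```python
r"""Flag MS04-028 (GDI+ JPEG) trigger variants anywhere in a file.

The trigger is a marker segment whose 2-byte length field is 0 or 1, i.e.
shorter than the length field itself. The advisory and Snort SID 2705 name
four markers (APP1 0xE1, APP2 0xE2, APP13 0xED, COM 0xFE); 4 markers x 2 bad
lengths = 8 variants: the signatured \xFF\xFE\x00\x01 plus the 7 others.
"""
from typing import List, Tuple

MARKERS = {0xE1: "APP1", 0xE2: "APP2", 0xED: "APP13", 0xFE: "COM"}
SOI = b"\xff\xd8"  # JPEG start-of-image; the advisory's "block JPEG (xFFD8)"


def find_malformed_segments(data: bytes) -> List[Tuple[int, str, int]]:
    """Return (offset, marker name, length) for every variant found.

    Byte-wise sweep over the whole file, not a walk from the header: a
    header-only signature misses a string placed deep in the file.
    """
    hits = []
    for i in range(len(data) - 3):
        if data[i] != 0xFF or data[i + 1] not in MARKERS:
            continue
        length = int.from_bytes(data[i + 2:i + 4], "big")
        if length < 2:  # a valid segment length counts its own 2 bytes
            hits.append((i, MARKERS[data[i + 1]], length))
    return hits


def is_suspicious_jpeg(data: bytes) -> bool:
    """True when the file claims to be a JPEG and carries any variant."""
    return data.startswith(SOI) and bool(find_malformed_segments(data))


def _jpeg(payload: bytes) -> bytes:
    """Constructed minimal JPEG shell: SOI, well-formed APP0, payload, EOI."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + b"\x01\x01" + b"\x00" * 7
    return SOI + app0 + payload + b"\xff\xd9"


# Constructed samples (hypothetical, for the checks below)
ORIGINAL = _jpeg(b"\xff\xfe\x00\x01")                    # the signatured string
MUTATED = _jpeg(b"\xff\xe1\x00\x00")                     # \xFE->\xE1 and \x01->\x00
MIDFILE = _jpeg(b"\x00" * 0x100 + b"\xff\xed\x00\x01")   # APP13 variant deep in file
CLEAN = _jpeg(b"\xff\xfe\x00\x08Hello!")                 # COM with a sane length
```

The offsets returned are absolute file offsets, so a hit can be compared directly against the 0x22F0 figure the advisory reports for its 2.jpg.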

