Re: [Full-Disclosure] Multi-vendor AV gateway image inspection bypass vulnerability

From: Steven Rakick (stevenrakick_at_yahoo.com)
Date: 01/13/05

  • Next message: Frank Knobbe: "Re: [Full-Disclosure] Multi-vendor AV gateway image inspection bypass vulnerability"
    Date: Wed, 12 Jan 2005 19:27:20 -0800 (PST)
    To: full-disclosure@lists.netsys.com

    I see a distinct difference here.

    First off, this technique doesn't add an additional
    layer of user interaction like zipping a file and/or
    password protecting it.

    Secondly, other techniques don't completely obscure the
    content or content header from the inspection
    mechanism.

    Now for the actual reason for this email.

    This evening I noticed that my CheckPoint Firewall-1
    (with SmartDefense) now has a new option to "Block
    Encoded Images". It doesn't actually detect the
    exploit code, but at least someone's starting to at
    least give you an option to defend yourself by
    blocking RFC 2397 formatted images.

    --- Frank Knobbe <frank@knobbe.us> wrote:

    > On Wed, 2005-01-12 at 12:37 -0800, Steven Rakick
    > wrote:
    > > This would mean that if an image exploiting the
    > > recently announced Microsoft LoadImage API
    > overflow
    > > were imbedded into HTML email there would be zero
    > > defense from the network layer as it would be
    > > completely invisible.
    > >
    > > Why am I not seeing more about this in the press?
    > It
    > > seems pretty threatening to me...
    >
    > Because it's old news from a network layer
    > perspective. Images, emails,
    > etc can also be transferred zipped or encoded in
    > base64 and what not.
    > Lots of IPS/IDS/AV and other gateway devices miss
    > these encoded files.
    >
    > The only novel approach I can see here is the
    > embedding of the data
    > together with type and encoding in the URL. Nice
    > idea. $20 says
    > spyware/spam/porn/phishing sites will adopt this
    > fairly soon.
    >
    > Regards,
    > Frank
    >
    >

    > ATTACHMENT part 2 application/pgp-signature
    name=signature.asc

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
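The defensive counterpart to the thread above, as an added example that is not part of the original posts or of any vendor product: a small Python scanner that finds RFC 2397 data: URIs in an HTML message body, decodes each payload, and compares the declared media type with the payload's leading bytes, so the embedded bytes can be handed to content inspection instead of passing a gateway unseen. The MAGIC table and SAMPLE_HTML are constructed for this example.

```python
import base64
import binascii
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 syntax: data:[<mediatype>][;base64],<data>
DATA_URI_RE = re.compile(r"""data:([^,]*?)(;base64)?,([^"'\s>)]*)""", re.IGNORECASE)

# Leading bytes used to identify what the payload really is (constructed
# list for the example, not a complete signature database).
MAGIC = [
    (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"), (b"\xff\xd8\xff", "image/jpeg"),
    (b"BM", "image/bmp"), (b"MZ", "application/x-msdownload"),
]

def sniff(payload):
    """Return the content type implied by the payload's magic bytes."""
    for magic, kind in MAGIC:
        if payload.startswith(magic):
            return kind
    return "unknown"

def extract_data_uris(html):
    """Find every data: URI in the HTML and decode its payload so a scanner
    can inspect bytes that a header-matching gateway would never see."""
    findings = []
    for m in DATA_URI_RE.finditer(html):
        declared = m.group(1).split(";")[0].strip().lower() or "text/plain"
        try:
            payload = (base64.b64decode(m.group(3), validate=True)
                       if m.group(2) else unquote_to_bytes(m.group(3)))
        except binascii.Error:
            payload = b""   # malformed base64: keep the finding, size 0
        actual = sniff(payload)
        findings.append({
            "declared": declared, "actual": actual, "size": len(payload),
            "base64": bool(m.group(2)),
            # Coarse policy (like a "block encoded images" switch): anything
            # declared or detected as an image, or carrying an executable
            # header, is routed to content inspection.
            "inspect": declared.startswith("image/") or actual.startswith("image/")
                       or actual == "application/x-msdownload",
        })
    return findings

# Constructed sample message: a genuine tiny GIF header, a PE header
# mislabelled as PNG, and a plain-text data URI that needs no inspection.
SAMPLE_HTML = (
    "<html><body><p>See the picture below.</p>"
    '<img src="data:image/gif;base64,'
    + base64.b64encode(b"GIF89a\x01\x00\x01\x00\x80\x00\x00").decode() + '">'
    '<img src="data:image/png;base64,'
    + base64.b64encode(b"MZ\x90\x00" + b"\x00" * 12).decode() + '">'
    '<a href="data:,Hello%20World">note</a></body></html>'
)
```

Run the block with `python -c "import scan; print(scan.extract_data_uris(scan.SAMPLE_HTML))"` (assuming it is saved as scan.py) to see the three findings, including the declared/actual mismatch on the second image.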
