Re: [Full-Disclosure] [ GLSA 200501-46 ] ClamAV: Multiple issues

From: Darren Bounds (lists_at_intrusense.com)
Date: 02/02/05

  • Next message: Martin Pitt: "[Full-Disclosure] [USN-72-1] Perl vulnerabilities"
    Date: Wed, 2 Feb 2005 08:33:18 -0500
    To: Dack <dackbug@ereomega.net>

    Dack,

    That depends on the payload. While browsers like Thunderbird, Mail.app,
    Opera mail and Konqueror will render RFC 2397 formatted images, only
    Opera mail supports and executes RFC 2397 formatted application data.
    IE does not support RFC 2397, hence neither does Outlook.

    Please be advised that this issue does not only affect AV systems, but
    also IDS and IPS technologies. Since my original advisory of Jan 10th
    (www.intrusense.com/av-bypass/image-bypass-advisory.txt), CheckPoint,
    TippingPoint and ClamAV have added support to either detect malicious
    RFC 2397 formatted content or flat out block it. There's certainly
    room for improvement, but it's a start.

    Here is the response from Trend, dated Jan 24th, 2005:

    Dear Darren,

    Here is the Official Statement from our Scan Engine Team.
    1. Explanation of the vulnerability

    This vulnerability arises because our products (and this includes the
    engine) do not support RFC 2397 (The "data" URL scheme). This RFC
    permits the embedding of files (be it a JPEG, EXE, or other files) in
    an HTML file. A file can be embedded in an HTML file by encoding it
    using base64.

    This was tested using a JPEG file and an EICAR file. The JPEG file is
    detected as EXPL_MS04-028.A, but when embedded in an HTML, the JPEG
    file is not detected. The embedded EICAR file is also not detected.

    Link to the original FD post:
    <http://lists.netsys.com/pipermail/full-disclosure/2005-January/030724.html>

    2. How it affects the Trend Products

    Trend Micro Products cannot detect images, or any malicious files,
    encoded in base64 that are embedded in HTML files (in accordance with
    RFC 2397).

    3. How do we solve it?

    - Ask users to apply the patch.
    - We can create file-specific signatures for any threat that uses this
    vulnerability
    - Scan Engine update to support RFC 2397

    4. Schedules of releases, milestones, etc

    - File-specific detection is already available anytime, but it is sample
    dependent. We need to have a sample before we can create a solution.
    - Scan Engine development to fix this will start very soon. We are
    estimating around 4-6 weeks development. I'll get back to you on the
    exact schedule.

    Thank you,

    Darren Bounds
    Intrusense LLC.
    http://www.intrusense.com

    --
    Intrusense - Securing Business As Usual

    On Feb 1, 2005, at 5:41 PM, Dack wrote:
    >>> By sending a base64 encoded image file in a URL an attacker could evade
    >>> virus scanning.
    >> It's somewhat harsh to single out ClamAV for this issue. AFAICT, the
    >> only two virus scanners that do currently protect against this are
    >
    > What mail clients, if any, would execute a virus encoded in this manner?
    > Is this a gaping hole in other mail anti-virus systems, or do most
    > clients just ignore this kind of data?
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
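
    [Editor's added example. What follows is not part of the original posting,
    nor any vendor's engine code; it is a small Python illustration of the
    evasion Trend describes above and of the countermeasure the vendors named
    in the reply adopted, namely decoding RFC 2397 objects before matching.
    The functions build_data_url, decode_data_url, extract_embedded_objects,
    sniff_type, scan_naive and scan_with_data_urls, the toy SIGNATURES table,
    the MAGIC list and SAMPLE_HTML are all constructed for this illustration;
    only the EICAR test string is a real, standardised artifact. The script
    shows that a scanner matching the raw bytes of the mail body finds
    nothing, while one that materialises each data: object (both the ;base64
    and the percent-encoded form) flags the EICAR file, and that the declared
    mediatype has to be sniffed rather than trusted, since an arbitrary file
    can be labelled image/jpeg.]

```python
"""Scanner-side handling of RFC 2397 "data:" URLs (added example)."""
import base64
import binascii
import re
import urllib.parse

# EICAR anti-virus test string: the harmless, standardised 68-byte file every
# scanner is expected to flag.  rb"" keeps the backslash literal.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Toy signature table (constructed for this example): detection name -> bytes.
SIGNATURES = {"Eicar-Test-Signature": EICAR}

# Magic bytes for sniffing the real type of a decoded object.  The mediatype
# declared in the URL is attacker-controlled and must not be trusted.
MAGIC = [(b"\xff\xd8\xff", "image/jpeg"),
         (b"MZ", "application/x-dosexec"),
         (b"PK\x03\x04", "application/zip")]

# RFC 2397 section 3:  data:[<mediatype>][;base64],<data>
# The payload ends where a browser would also stop (quote, whitespace, '>').
DATA_URL_RE = re.compile(r"data:(?P<meta>[^,]*),(?P<payload>[^\s'\"<>)]*)",
                         re.IGNORECASE)


def build_data_url(mediatype, data, use_base64=True):
    """Inline raw bytes as a data: URL, in either of the two RFC 2397 forms."""
    if use_base64:
        return "data:%s;base64,%s" % (mediatype, base64.b64encode(data).decode())
    return "data:%s,%s" % (mediatype, urllib.parse.quote_from_bytes(data))


def _decode_match(m):
    """(declared mediatype, payload bytes) for one regex match, or None."""
    fields = [f.strip() for f in m.group("meta").split(";")]
    mediatype = fields[0].lower() or "text/plain"       # RFC 2397 default
    payload = m.group("payload")
    if any(f.lower() == "base64" for f in fields[1:]):
        payload += "=" * (-len(payload) % 4)             # tolerate lost padding
        try:
            data = base64.b64decode(payload)
        except (binascii.Error, ValueError):
            return None
    else:
        data = urllib.parse.unquote_to_bytes(payload)    # percent-encoded form
    return mediatype, data


def decode_data_url(url):
    """Decode a single data: URL; None if it is not one or is malformed."""
    m = DATA_URL_RE.match(url)
    return _decode_match(m) if m else None


def extract_embedded_objects(html):
    """Every object a client would materialise from data: URLs in the page."""
    objects = []
    for m in DATA_URL_RE.finditer(html):
        obj = _decode_match(m)
        if obj is not None:
            objects.append(obj)
    return objects


def sniff_type(data):
    """Type of a decoded object from its leading bytes, not from its label."""
    for magic, mediatype in MAGIC:
        if data.startswith(magic):
            return mediatype
    return "application/octet-stream"


def match_signatures(data):
    """Names of all toy signatures whose pattern occurs in the bytes."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)


def scan_naive(html):
    """Match signatures against the bytes on the wire only.  This is the
    behaviour the advisory describes: encoded payloads are never seen."""
    return match_signatures(html.encode("latin-1", "replace"))


def scan_with_data_urls(html):
    """Decode every RFC 2397 object first, then match.  Returns one finding
    per object: (declared mediatype, sniffed mediatype, signature hits)."""
    return [(declared, sniff_type(data), match_signatures(data))
            for declared, data in extract_embedded_objects(html)]


# Constructed test document: a fake JPEG header, the EICAR file mislabelled
# as a JPEG (base64), and EICAR again in the percent-encoded form.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
SAMPLE_HTML = """<html><body>
<img src="%s">
<img src="%s">
<a href="%s">open</a>
</body></html>""" % (build_data_url("image/jpeg", FAKE_JPEG),
                     build_data_url("image/jpeg", EICAR),
                     build_data_url("text/plain", EICAR, use_base64=False))

if __name__ == "__main__":
    print("on-the-wire scan:", scan_naive(SAMPLE_HTML))
    for finding in scan_with_data_urls(SAMPLE_HTML):
        print("embedded object:", finding)
```

    Run directly, the script prints an empty result for the on-the-wire scan
    and three findings for the decoding scan, two of them EICAR hits, one of
    those under a false image/jpeg label. A production engine would have to
    apply the same decoding to data: URLs inside CSS url() values and beneath
    the MIME transfer encodings wrapping the HTML, which this example does
    not attempt.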
    
