Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Full-Disclosure] JPEG AV Detection

from [Bojan Zdrnja] Network Security [Permanent Link]
Subject: RE: [Full-Disclosure] JPEG AV Detection
Date: Wed, 29 Sep 2004 19:45:30 +1200 
 


-----Original Message-----
From: full-disclosure-admin@lists.netsys.com 
[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of 
Todd Towles
Sent: Wednesday, 29 September 2004 7:26 a.m.
To: Mailing List - Full-Disclosure
Subject: FW: [Full-Disclosure] JPEG AV Detection

 What exactly are the AV products detecting in the JPEG exploits? Barry
and I was talking about how impressed we were that the AV companies
jumped on this one and detection was pretty fast. But is the detection
so generic that a variant will bypass? Is the detection based on a
original exploit that could be modified in a way that makes it
"undetectable" right now?


If they are any decent then they'll check for incorrect values in comment
size fields. It's very easy to detect it since value has to be 0 or 1 in
order to exploit the vulnerability.
A little problem is that comment size field can be in any section of the
JPEG, not just at the beginning (as in the original exploit), but I supposed
that AV vendors caught this.

Cheers,

Bojan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-Disclosure] FW: [Fwd: How one can become a terrorist?], Alan J. Wylie
Next by Date:  Re[2]: [Full-Disclosure] Automatically passing NTLM authentication credentials on Windows XP, Hidenobu Seki
Previous by Thread:  Re: FW: [Full-Disclosure] JPEG AV Detection, Gerry Eisenhaur
Next by Thread:  RE: FW: [Full-Disclosure] JPEG AV Detection, Aaron Horst
Indexes:  [Date] [Thread] [Top] [All Lists]