Subject: Re: [Full-Disclosure] Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2
Date: Mon, 7 Mar 2005 18:13:40 -0600
Hello Trog,
See my inline comments...

Quoting Trog <trog@uncon.org>:

> On Fri, 2005-03-04 at 15:03 -0600, Andrey Bayora wrote:
>
> > The issue is: only 1 out of 23 tested antivirus software can detect
> > malicious JPEG image (after 6 months from the public disclosure
> > date).
>
> Perhaps this fact should have rung some alarm bells in your mind.

Yes, it did, and that's why I wrote about it - to inform you.

> > Here is the link to results, JPEG file and my paper (GCIH practical)
> > that describes how to create this one:
> > http://www.hiddenbit.org/jpeg.htm
>
> I had a look at your supposed JPEG exploit file, bulzano2.jpg,
> downloaded from the URL you supplied above, and read the 84 page PDF
> you've generated to explain your processes.
>
> You appear to have made an error.

Maybe, we are all human, but I didn't find any error until now.

> The segments of a JPEG file are chained together. In bulzano2.jpg, the
> chain goes as follows:
>
> Offset Marker Size Comment
> --------------------------
>
> 0x0000 FFDB        Start of image marker

You have a typo here, it's FFD8.

> 0x0002 FFE0   0010 JFIF APP0 marker: next in chain = 0x0004+0x0010=0x0014
> 0x0014 FFED   191c APP marker: next in chain = 0x0016+0x191c=0x1932
>
> According to your paper you've added your exploit at offset 0x0210,

You are right (after FFD8 at 0x0214).

> which is in the middle of the APP segment that ranges from 0x0018 to
> 0x1932,

Here you missed something. The point of my first post (in October) was
the discovery that JPEG images can be "embedded" one into another. Open
your "clear" bulzano.jpg (if you have Windows XP) and seek to offset
0x0212!? You will find FFD8 - that's the Start of image marker! Somehow
it's parsed and it's a valid marker, or at least the following markers
are parsed (don't ask me why, I'm not the JPEG guru, but when I figured
it out I posted about it). So, that's the story: an "embedded" image that
can have valid markers (and exploit) virtually at any location in the
JPEG file. And finally, that's the challenge for the antivirus vendors
- to find (let's say a 4 byte string) at ANY location in the JPEG file.

> as such this is not a valid exploit. The data at 0x0210 may look
> like a segment marker, but isn't.
>
> Please explain if I have missed something.
>
> -trog

P.S. The bulzano2.jpg demo file (from the web site) has the valid
exploit and will connect back to 127.0.0.1 at port 777. You can test
it, if you run "nc.exe -l -p 777" on the test machine where you open the
JPEG. Basically, this is not a virus or malicious code, it can't harm
or compromise, but take a look how many antivirus vendors marked it as
"backdoor"... :)
Hope this will help.

Regards,
Andrey Bayora.
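To make the disagreement above concrete, here is a small segment-chain walker of the kind Trog describes (next marker = offset + 2 + size), plus a scan for the second Start-of-Image marker that Andrey says sits inside another segment's payload. This is an added example, not code from either poster or from the paper; the JPEG bytes are constructed here for the demo and are not bulzano2.jpg, and the embedded marker is placed at 0x0020 purely for illustration.

```python
import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
STANDALONE = {SOI, EOI, 0xFF01, *range(0xFFD0, 0xFFD8)}  # markers with no length field

def walk_segments(data: bytes):
    """Follow the chain as Trog laid it out: a marker with a length field is
    followed by a big-endian size; the next marker is at offset + 2 + size."""
    chain, pos = [], 0
    while pos + 2 <= len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker >> 8 != 0xFF:
            raise ValueError(f"no marker at 0x{pos:04x} (found 0x{marker:04x})")
        if marker in STANDALONE:
            chain.append((pos, marker, 0))
            if marker == EOI:
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated length field at 0x{pos:04x}")
        size = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        chain.append((pos, marker, size))
        if marker == SOS:
            break  # entropy-coded scan data follows; the segment chain ends here
        pos += 2 + size
    return chain

def find_embedded_soi(data: bytes, chain):
    """Report every FFD8 the chain walk never visits: a second Start-of-Image
    buried inside another segment's payload, which is the case in the thread."""
    visited = {off for off, _, _ in chain}
    hits, start = [], 0
    while (i := data.find(b"\xff\xd8", start)) != -1:
        if i not in visited:
            hits.append(i)
        start = i + 1
    return hits

def sample_jpeg() -> bytes:
    """Constructed file (not bulzano2.jpg): SOI, APP0, an APP13 segment of
    size 0x20 hiding a second SOI at 0x0020, then SOS and EOI."""
    app0 = b"\xff\xe0\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app13 = b"\xff\xed\x00\x20" + b"A" * 8 + b"\xff\xd8\xff\xe0\x00\x04\x00\x00" + b"B" * 14
    sos = b"\xff\xda\x00\x08" + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" * 4
    return b"\xff\xd8" + app0 + app13 + sos + b"\xff\xd9"

if __name__ == "__main__":
    jpg = sample_jpeg()
    print(walk_segments(jpg), [hex(i) for i in find_embedded_soi(jpg, walk_segments(jpg))])
```

A scanner that only follows the chain reports four segments and never lands on 0x0020; only the byte-level scan finds the embedded SOI, which is exactly the detection gap the thread is arguing about.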
