Symantec Enterprise 8.1: Your attachment "JPEG.zip" contained viruses: "Backdoor.Roxe" at location "1.jpg", and "Bloodhound.Exploit.13" at location "2.jpg".
-----Original Message-----
From: Todd Towles [mailto:[EMAIL PROTECTED]]
Sent: 14 October 2004 14:10
To: Andrey Bayora; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Bypass of Antivirus software with GDI+ bug exploit Mutations

TrendMicro sees it as a MS04-028 exploit

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrey Bayora
> Sent: Thursday, October 14, 2004 2:46 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Bypass of Antivirus software with GDI+ bug exploit Mutations
>
> Bypass of Antivirus software with GDI+ bug exploit Mutations.
>
> HiddenBit.org Security Advisory.
>
> Date: October 14, 2004
>
> Author: Andrey Bayora
>
>
> BACKGROUND
>
> While working on a research paper for the SANS GCIH practical I found
> this issue, and it seems to me critical enough to warn readers about it.
>
> DESCRIPTION
>
> Most Antivirus software can't detect Mutations of the GDI+ exploit.
>
> ANALYSIS
>
> 1) Most Antivirus vendors issued virus definitions for the known
> exploit code [1], which uses the \xFF\xFE\x00\x01 string for the
> buffer overflow.
> From the Snort rule [2] you can learn that there are 7 more variants
> that produce this buffer overflow in GDI+.
>
> So, by changing \xFE to one of these - \xE1, \xE2, \xED -
> and/or by changing \x01 to \x00, this exploit will be
> UNDETECTED by many antiviruses (list attached).
>
> 2) While the original exploit code uses the buffer overflow string
> near the BEGINNING of the image file (after the \xFF\xE0, \xFF\xEC
> and \xFF\xEE markers), I was able to create an image with the
> buffer overflow string in the MIDDLE of the file.
>
> 3) By combining various strings from the methods described under
> 1) and 2) and by placing them in different locations in the
> image file I was able to bypass various antivirus products.
>
>
> FIX
>
> 1) Patch vulnerable systems.
> 2) If your antivirus didn't detect these variants, block
> JPEG (xFFD8).
>
>
> DEMO
>
> http://www.hiddenbit.org/demo_files/jpeg.zip
>
> 1) In the 1.jpg file the \xFE string was substituted with \xE1.
> WARNING! THIS IS THE COMPILED PROOF OF CONCEPT
> FROM [1] THAT WILL CONNECT BACK ON THE
> VULNERABLE MACHINE TO 127.0.0.1 AT
> PORT 777 (run: nc -l -p 777).
> 2) In 2.jpg the buffer overflow string is at offset x22F0
> (the string that begins with \xFF\xED).
> THIS IS JUST AN IMAGE WITH A BUFFER OVERFLOW.
> 3) These are the results from [3]:
>
> For 1.jpg
>
> Results of a file scan
> This is the report of the scanning done over the "1.jpg" file (see
> Demo section) that VirusTotal processed on 10/13/2004 at
> 18:54:56.
>
> Antivirus    Version         Update      Result
> BitDefender  7.0             10.12.2004  -
> ClamWin      devel-20040922  10.12.2004  -
> eTrust-Iris  7.1.194.0       10.13.2004  -
> F-Prot       3.15b           10.13.2004  -
> Kaspersky    4.0.2.24        10.13.2004  -
> McAfee       4398            10.13.2004  Exploit-MS04-028
> NOD32v2      1.893           10.13.2004  -
> Norman       5.70.10         10.12.2004  -
> Panda        7.02.00         10.13.2004  -
> Sybari       7.5.1314        10.13.2004  -
> Symantec     8.0             10.12.2004  Backdoor.Roxe
> TrendMicro   7.000           10.12.2004  Exploit-MS04-028
>
> For 2.jpg
>
> Results of a file scan
> This is the report of the scanning done over the "2.jpg" file
> that VirusTotal processed on 10/13/2004 at 18:56:32.
>
> Antivirus    Version         Update      Result
> BitDefender  7.0             10.12.2004  -
> ClamWin      devel-20040922  10.12.2004  -
> eTrust-Iris  7.1.194.0       10.13.2004  -
> F-Prot       3.15b           10.13.2004  -
> Kaspersky    4.0.2.24        10.13.2004  -
> McAfee       4398            10.13.2004  Exploit-MS04-028
> NOD32v2      1.893           10.13.2004  -
> Norman       5.70.10         10.12.2004  -
> Panda        7.02.00         10.13.2004  -
> Sybari       7.5.1314        10.13.2004  -
> Symantec     8.0             10.12.2004  Bloodhound.Exploit.13
> TrendMicro   7.000           10.12.2004  Exploit-MS04-028
>
>
> Only "The BIG 3" were able to detect those variants.
>
> More complete research will be published in my SANS GCIH paper.
>
>
> Reference:
>
> [1] www.k-otik.com
> [2] http://www.snort.org/snort-db/sid.html?sid=2705
> [3] www.virustotal.com
>
>
> **********************************************************
> HiddenBit.org is a non-profit Israeli security research team.
>
>
> --------------------------------------------------------------
> Disclaimer
>
> The information within this advisory may change without
> notice. There are no warranties, implied or express, with
> regard to this information.
> In no event shall the author be liable for any direct or
> indirect damages whatsoever arising out of or in connection with
> the use or spread of this information. Any use of this
> information is at the user's own risk.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
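Added example, not part of the thread or of HiddenBit.org's material: instead of matching one marker string, a defender can walk a JPEG's marker segments and flag any segment whose declared length is below 2, which is the malformed shape behind MS04-028 whichever marker byte carries it (\xFE, \xE1, \xE2, \xED) and wherever the segment sits before the scan data. The sample bytes are constructed here, not the demo files, and carry no image data or payload.

```python
import struct

# Constructed sample bytes (not the advisory's 1.jpg/2.jpg): SOI, a normal
# 16-byte APP0/JFIF segment, then a COM (0xFE) segment whose length field
# is 1. No image data and no payload; only the marker layout matters.
SOI = b"\xFF\xD8"
APP0_OK = (b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00"
           + b"\x01\x01" + b"\x00" + b"\x00\x01" + b"\x00\x01" + b"\x00\x00")
SAMPLE_BAD = SOI + APP0_OK + b"\xFF\xFE\x00\x01"

STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))  # TEM, SOI, RSTn: no length


def scan_jpeg_markers(data: bytes):
    """Return [(offset, marker, declared_length)] for every segment whose
    length field is below 2. The field counts its own two bytes, so 0 or 1
    is impossible in a well-formed file and is the MS04-028 trigger shape,
    whichever marker carries it and wherever it sits before SOS."""
    findings = []
    if data[:2] != SOI:
        return findings                      # not SOI-led: not a JPEG stream
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            break                            # lost marker sync; stop walking
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        if marker == 0xD9:                   # EOI
            break
        if pos + 4 > len(data):
            break                            # truncated length field
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            findings.append((pos, marker, length))
            break                            # stream past here is untrustworthy
        if marker == 0xDA:                   # SOS: entropy-coded data follows
            break
        pos += 2 + length
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_jpeg_markers(data))
```

Run scan_jpeg_markers over the bytes of an attachment at a mail gateway; a non-empty result is a structural hit independent of which marker or file offset a variant uses.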