Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2

Discussion in 'NOD32 version 2 Forum' started by Daniel_SE, Mar 7, 2005.

Thread Status:
Not open for further replies.
  1. Daniel_SE

    Daniel_SE Guest

    <Quote>

    To: BugTraq
    Subject: Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2
    Date: Mar 4 2005 9:03PM
    Author: Andrey Bayora <andrey hiddenbit org>
    Message-ID: <1109970190.4228cd0e27138@www.hiddenbit.org>

    The first part is here:
    http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0475.html

    First, this post isn't about how dangerous the GDI+ bug or a malicious JPEG
    image is, but about how good your antivirus software is.

    The issue is: only 1 out of 23 tested antivirus software can detect the
    malicious JPEG image (6 months after the public disclosure date).

    Here is the link to results, JPEG file and my paper (GCIH practical)
    that describes how to create this one:
    http://www.hiddenbit.org/jpeg.htm

    This one vendor (Symantec) that can detect it obviously does it with
    heuristic detection (I don't work for them and didn't send them any
    file; moreover, I know cases where Symantec didn't detect a virus that
    other vendors did).

    ClamAV antivirus detected this JPEG file 4 months ago, but strangely
    can't detect it now.

    What happened?

    What about the 22 antivirus software vendors that miss this malicious JPEG?
    The pattern or problem in these JPEG files is known and still many
    antivirus software vendors miss it; can this represent the quality of
    their heuristic engines?

    OK, we know that any antivirus software can provide 100% protection?

    P.S. After my first post (October 14, 2004) about this problem, all
    antivirus software vendors added detection for the demo file provided by
    me within a couple of hours. Sadly for me, it seems that they prefer
    playing cat and mouse rather than improving their heuristic engines?

    Regards,
    Andrey Bayora.
    CISSP, GCIH

    </Unquote>

    Tried it for myself with latest definitions and all bells and whistles set on high/deep/advanced etc. with NOD32 and like the post states, no evidence of anything out of the ordinary found.
     
  2. Daniel_SE

    Daniel_SE Guest

    Sorry for posting again, found this in reply to the quoted text:

    <Quote>

    Bugtraq: Re: [Full-Disclosure] Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2

    From: Trog (trog_at_uncon.org)
    Date: Mar 07 2005


    On Fri, 2005-03-04 at 15:03 -0600, Andrey Bayora wrote:

    > The issue is: only 1 out of 23 tested antivirus software can detect
    > malicious JPEG image (after 6 month from the public disclosure date).

    Perhaps this fact should have rung some alarm bells in your mind.

    >
    > Here is the link to results, JPEG file and my paper (GCIH practical)
    > that describes how to create this one:
    > http://www.hiddenbit.org/jpeg.htm

    I had a look at your supposed JPEG exploit file, bulzano2.jpg,
    downloaded from the URL you supplied above, and read the 84 page PDF
    you've generated to explain your processes.

    You appear to have made an error.

    The segments of a JPEG file are chained together. In bulzano2.jpg, the
    chain goes as follows:

    Offset  Marker  Size  Comment
    ------  ------  ----  -------
    0x0000  FFDB          Start of image marker
    0x0002  FFE0    0010  JFIF APP0 marker: next in chain = 0x0004+0x0010=0x0014
    0x0014  FFED    191c  APP marker: next in chain = 0x0016+0x191c=0x1932

    According to your paper you've added your exploit at offset 0x0210,
    which is in the middle of the APP segment that ranges from 0x0018 to
    0x1932, as such this is not a valid exploit. The data at 0x0210 may look
    like a segment marker, but isn't.

    Please explain if I have missed something.

    -trog

    </Unquote>
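    The check Trog describes above (follow the 2-byte length fields from one marker to the next, and treat a marker-looking byte pair as a real segment boundary only if the chain actually lands on it) is what separates a file-format-aware scanner from a naive byte-pattern match. Below is an added example of that walk in Python; it is not code from the thread, from Trog's analysis or from bulzano2.jpg. The sample image bytes are constructed inline (SOI, a JFIF APP0 segment, an APP13 segment whose payload happens to contain the pair FF FE, then EOI), and the function and constant names are this example's own.

```python
"""Walk a JPEG's marker-segment chain and classify an arbitrary file offset.

Added example for the thread above; not code from the posts or the analysed
file. Marker segments are chained by their 2-byte length fields, so a pair of
bytes that looks like a marker (FF xx) inside a segment payload is just data.
The sample image built by build_sample() is constructed here, not a real JPEG.
"""
import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
# Markers that carry no length field: SOI, EOI, TEM and the RSTn markers.
STANDALONE = {SOI, EOI, 0xFF01} | {0xFFD0 + i for i in range(8)}


def walk_segments(data):
    """Return [(offset, marker, length)] by following the length chain.

    `length` is the segment length field (it counts itself but not the
    marker), or 0 for standalone markers. The walk stops at SOS, because
    entropy-coded data follows it and is not length-chained, or at EOI.
    """
    segments = []
    off = 0
    while off + 2 <= len(data):
        marker = struct.unpack_from(">H", data, off)[0]
        if marker >> 8 != 0xFF or marker == 0xFF00:
            raise ValueError(f"expected marker at 0x{off:04x}, got 0x{marker:04x}")
        if marker in STANDALONE:
            segments.append((off, marker, 0))
            if marker == EOI:
                break
            off += 2
            continue
        if off + 4 > len(data):
            raise ValueError(f"truncated length field at 0x{off + 2:04x}")
        length = struct.unpack_from(">H", data, off + 2)[0]
        if length < 2:
            raise ValueError(f"invalid segment length {length} at 0x{off + 2:04x}")
        segments.append((off, marker, length))
        if marker == SOS:
            break
        off += 2 + length  # the next marker follows this payload
    return segments


def classify_offset(data, target):
    """Say what the chain places at `target`.

    Returns ("marker", off) when the chain lands exactly on target, or
    ("payload", off) for the segment whose payload swallows it, so a
    marker-looking pair there is data, not a segment boundary.
    """
    for off, marker, length in walk_segments(data):
        if off == target:
            return ("marker", off)
        if off < target < off + 2 + length:
            return ("payload", off)
    return ("unreached", None)


def build_sample():
    """Constructed sample (not a real image): SOI, APP0 with length 0x10,
    APP13 with length 0x40 whose payload holds FF FE at file offset 0x20,
    then EOI. Chain: 0x0000 -> 0x0002 -> 0x0014 -> 0x0056."""
    app0 = b"\xff\xe0" + struct.pack(">H", 0x10) + b"JFIF\x00" + b"\x00" * 9
    payload = bytearray(0x3E)
    # APP13 sits at 0x14, so its payload starts at 0x18; 0x20 - 0x18 = 8.
    payload[8:10] = b"\xff\xfe"
    app13 = b"\xff\xed" + struct.pack(">H", 0x40) + bytes(payload)
    return b"\xff\xd8" + app0 + app13 + b"\xff\xd9"


if __name__ == "__main__":
    img = build_sample()
    for off, marker, length in walk_segments(img):
        print(f"0x{off:04x} {marker:04X} {length:04x}")
    # A byte search finds FF FE at 0x20, but the chain says it is payload.
    print("naive find:", hex(img.find(b"\xff\xfe")))
    print("chain says:", classify_offset(img, img.find(b"\xff\xfe")))
```

    Running it shows the difference between the two views: `bytes.find` reports a marker-looking pair at 0x0020, while `classify_offset` reports that 0x0020 lies inside the payload of the APP13 segment starting at 0x0014. A detection engine that pattern-matches marker bytes without walking the chain will both flag harmless payload data and, conversely, miss whether a suspicious length field is actually reachable by the decoder.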
     