Bypass of Antivirus software with GDI+ bug exploit Mutations.

Pepper


HiddenBit.org Security Advisory.

Date: October 14, 2004

Author: Andrey Bayora


BACKGROUND

While preparing a research paper for the SANS GCIH practical, I found
this issue, and it seems to me critical enough to warn readers
about it.

DESCRIPTION

Most antivirus software can't detect mutations of the GDI+ exploit.

ANALYSIS

1) Most antivirus vendors issue virus definitions for the known exploit
code [1], which uses the \xFF\xFE\x00\x01 string for the buffer overflow.
From the Snort rule [2] you can learn that there are 7 more variants
that produce this buffer overflow in GDI+.

So, by changing \xFE to one of these (\xE1, \xE2, \xED) and/or by
changing \x01 to \x00, this exploit will be UNDETECTED by many
antiviruses (list attached).

2) While the original exploit code uses the buffer overflow string near the
BEGINNING of the image file (after the \xFF\xE0,
\xFF\xEC and \xFF\xEE markers), I was able
to create an image with the buffer overflow string in the MIDDLE of the file.

3) By combining various strings from the methods described under 1) and 2)
and by placing them at different locations in the image file, I was
able to bypass various antivirus products.


FIX

1) Patch vulnerable systems.
2) If your antivirus didn't detect these variants, block JPEG (xFFD8).


DEMO

1) In the 1.jpg file the \xFE string was substituted with \xE1.
WARNING! THIS IS THE COMPILED PROOF OF CONCEPT
FROM [1] THAT WILL CONNECT BACK FROM THE
VULNERABLE MACHINE TO 127.0.0.1 AT
PORT 777 (run: nc -l -p 777).
2) In 2.jpg the buffer overflow string is at offset x22F0 (the string
begins with \xFF\xED).
THIS IS JUST AN IMAGE WITH A BUFFER OVERFLOW.
3) These are the results from [3]:
For 1.jpg

Results of a file scan
This is the report of the scanning done over the "1.jpg" file (see Demo section)
that VirusTotal processed on 10/13/2004 at 18:54:56.

Antivirus     Version          Update      Result
BitDefender   7.0              10.12.2004  -
ClamWin       devel-20040922   10.12.2004  -
eTrust-Iris   7.1.194.0        10.13.2004  -
F-Prot        3.15b            10.13.2004  -
Kaspersky     4.0.2.24         10.13.2004  -
McAfee        4398             10.13.2004  Exploit-MS04-028
NOD32v2       1.893            10.13.2004  -
Norman        5.70.10          10.12.2004  -
Panda         7.02.00          10.13.2004  -
Sybari        7.5.1314         10.13.2004  -
Symantec      8.0              10.12.2004  Backdoor.Roxe
TrendMicro    7.000            10.12.2004  Exploit-MS04-028

For 2.jpg

Results of a file scan
This is the report of the scanning done over the "2.jpg" file that
VirusTotal processed on 10/13/2004 at 18:56:32.

Antivirus     Version          Update      Result
BitDefender   7.0              10.12.2004  -
ClamWin       devel-20040922   10.12.2004  -
eTrust-Iris   7.1.194.0        10.13.2004  -
F-Prot        3.15b            10.13.2004  -
Kaspersky     4.0.2.24         10.13.2004  -
McAfee        4398             10.13.2004  Exploit-MS04-028
NOD32v2       1.893            10.13.2004  -
Norman        5.70.10          10.12.2004  -
Panda         7.02.00          10.13.2004  -
Sybari        7.5.1314         10.13.2004  -
Symantec      8.0              10.12.2004  Bloodhound.Exploit.13
TrendMicro    7.000            10.12.2004  Exploit-MS04-028


Only "The BIG 3" were able to detect those variants.

More complete research will be published in my SANS GCIH paper.


References:

[1] www.k-otik.com
[2] http://www.snort.org/snort-db/sid.html?sid=2705
[3] www.virustotal.com



**********************************************************
HiddenBit.org is a non-profit Israeli security research team.



--------------------------------------------------------------
Disclaimer

The information within this advisory may change without notice. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or spread of
this information. Any use of this information is at the user's own risk.

http://www.securityfocus.com/archive/1/378511
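The advisory's three observations (a swapped marker byte, a length of \x00 instead of \x01, and the segment placed later in the file) all come down to one malformed field: an APPn or COM segment whose 16-bit length is 0 or 1, which is impossible because the length counts its own two bytes. A defender's check therefore keys on the length, not on the exact \xFF\xFE\x00\x01 bytes. The scanner below is an added example of mine, not code from the advisory or from HiddenBit.org; the marker tables follow the JPEG specification, the structured walk and the `raw_scan` fallback are my design, and the sample files are constructed byte strings (filler bytes, not the proof of concept).

```python
import re
import struct

# Added example (not from the advisory or HiddenBit.org): flag JPEG APPn/COM
# segments whose declared length is 0 or 1.  The length field of these
# segments counts its own two bytes, so any value below 2 is malformed and is
# the shape of the MS04-028 trigger regardless of which marker byte carries it.

LENGTH_MARKERS = set(range(0xE0, 0xF0)) | {0xFE}   # APP0..APP15 and COM
STANDALONE = {0x01} | set(range(0xD0, 0xD8))         # TEM, RST0..RST7: no length field
SOS, EOI = 0xDA, 0xD9

# Raw pattern: FF <APPn or COM> 00 <00|01>.  In the entropy-coded part of a
# conformant JPEG every 0xFF is followed by 0x00 or an RSTn marker, so this
# byte sequence cannot occur there by accident.
_RAW_PATTERN = re.compile(rb"\xff[\xe0-\xef\xfe]\x00[\x00\x01]")


def walk_segments(data: bytes):
    """Parse the marker stream in order and return (offset, marker, length)
    for every length-carrying APPn/COM segment whose length is below 2."""
    findings = []
    if data[:2] != b"\xff\xd8":          # not a JPEG (no SOI)
        return findings
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            break                        # lost sync: not positioned at a marker
        marker = data[pos + 1]
        if marker == 0xFF:               # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        if marker in (SOS, EOI):         # entropy-coded data or end of image
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in LENGTH_MARKERS and length < 2:
            findings.append((pos, marker, length))
            pos += 4                     # length is untrustworthy; step past the field
            continue
        pos += 2 + length
    return findings


def raw_scan(data: bytes):
    """Pattern-only check that does not depend on earlier segments parsing
    cleanly; catches a trigger placed after a corrupted or truncated segment."""
    return [(m.start(), m.group(0)[1], m.group(0)[3])
            for m in _RAW_PATTERN.finditer(data)]


def scan_jpeg(data: bytes):
    """Union of both checks, sorted by offset."""
    return sorted(set(walk_segments(data)) | set(raw_scan(data)))


# Constructed samples: a JFIF APP0 header followed by the segment layouts the
# advisory describes.  Bytes after a bogus length are filler, not the PoC.
SOI_BYTES = b"\xff\xd8"
APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
GOOD_COM = b"\xff\xfe\x00\x07hello"
EOI_BYTES = b"\xff\xd9"

BENIGN = SOI_BYTES + APP0 + GOOD_COM + EOI_BYTES
VARIANT_E1 = SOI_BYTES + APP0 + b"\xff\xe1\x00\x01" + b"A" * 16 + EOI_BYTES  # marker byte swapped
VARIANT_MID = SOI_BYTES + APP0 + GOOD_COM + b"\xff\xed\x00\x00" + EOI_BYTES  # later in the file, length 0
DESYNCED = SOI_BYTES + b"junk" + b"\xff\xe2\x00\x01" + EOI_BYTES             # structured walk loses sync

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("variant_e1", VARIANT_E1),
                         ("variant_mid", VARIANT_MID), ("desynced", DESYNCED)]:
        print(name, [(off, hex(mk), ln) for off, mk, ln in scan_jpeg(sample)])
```

The structured walk gives an exact offset and marker for a file whose preceding segments are well formed, which is what a gateway scanner wants to log; the raw pattern match is cheap and still fires when an earlier segment is corrupt enough to derail the walk, which is why the two are unioned rather than chosen between.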
 

WFK

vikan said:
And what does this variant do to the Microsoft browser that has been patched against the GDI+?

I like that question!

After a patch is out, I think the situation is that
A. A good AV scanner identifies the attempt
B. The attempt would be futile even if it wasn't recognized by AV.

Can't answer what the browser would do with the corrupted file if it did get through, because I wouldn't drop the virus defense just to learn it.

There may be a number of them out there that have been defused by patches but that are still identified as intrusion attempts.
 