From andrey at hiddenbit.org Tue Mar 8 00:16:58 2005
From: andrey at hiddenbit.org (Andrey Bayora)
Date: Thu Mar 24 03:45:41 2005
Subject: [Full-Disclosure] Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2
Message-ID: <1110241018.422ceefae59a3@www.hiddenbit.org>

Hello Trog,

See my inline comments...

Quoting Trog :

> On Fri, 2005-03-04 at 15:03 -0600, Andrey Bayora wrote:
> >
> > The issue is: only 1 out of 23 tested antivirus software can detect
> > malicious JPEG image (after 6 month from the public disclosure
> > date).
>
> Perhaps this fact should have rung some alarm bells in your mind.

Yes, it did, and that's why I wrote about it - to inform you.

> >
> > Here is the link to results, JPEG file and my paper (GCIH practical)
> > that describes how to create this one:
> > http://www.hiddenbit.org/jpeg.htm
>
> I had a look at your supposed JPEG exploit file, bulzano2.jpg,
> downloaded from the URL you supplied above, and read the 84 page PDF
> you've generated to explain your processes.
>
> You appear to have made an error.

Maybe; we are all human, but I didn't find any error until now.

> The segments of a JPEG file are chained together. In bulzano2.jpg,
> the chain goes as follows:
>
> Offset Marker Size Comment
> --------------------------
>
> 0x0000 FFDB Start of image marker

You have a typo here, it's FFD8.

> 0x0002 FFE0 0010 JFIF APP0 marker: next in chain = 0x0004+0x0010=0x0014
> 0x0014 FFED 191c APP marker: next in chain = 0x0016+0x191c=0x1932
>
> According to your paper you've added your exploit at offset 0x0210,

You are right (after FFD8 at 0x0214).

> which is in the middle of the APP segment that ranges from 0x0018 to
> 0x1932,

Here you missed something. The point of my first post (in October) was the discovery that JPEG images can be "embedded" one into another. Open your "clear" bulzano.jpg (if you have Windows XP) and seek to offset 0x0212!? You will find FFD8 - that's the Start of image marker!

Somehow it's parsed and it's a valid marker, or at least the following markers are parsed (don't ask me why, I'm not the JPEG guru, but when I figured it out I posted about it). So, that's the story: an "embedded" image that can have valid markers (and the exploit) virtually at any location in the JPEG file. And finally, that's the challenge for the antivirus vendors - to find (let's say a 4 byte string) at ANY location in the JPEG file.

> as such this is not a valid exploit. The data at 0x0210 may look
> like a segment marker, but isn't.
>
> Please explain if I have missed something.
>
> -trog

P.S. The bulzano2.jpg demo file (from the web site) has the valid exploit and will connect back to 127.0.0.1 at port 777. You can test it if you run "nc.exe -l -p 777" on the test machine where you open the JPEG. Basically, this is not a virus or malicious code, it can't harm or compromise, but take a look at how many antivirus vendors marked it as "backdoor"... :)

Hope this will help.

Regards,
Andrey Bayora.
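The disagreement in the thread above is about what a scanner sees when it only follows the JPEG marker chain (Trog's table) versus what is actually present in the bytes (Andrey's embedded SOI inside an APP segment payload). The following is an added illustration, not code from either poster or from the GCIH paper: a small Python segment walker that reproduces Trog's offset/marker/size table, plus the extra check a scanner needs, namely looking for an FF D8 (Start of Image) pair inside segment payloads rather than only at the head of the chain. The sample image is constructed here and is not bulzano2.jpg; it is a minimal JFIF with a second minimal JFIF placed inside an APP13 (FFED) payload, carrying no exploit bytes.

```python
import struct

SOI = b"\xff\xd8"  # Start Of Image marker
# Markers that carry no length field: SOI, EOI and the restart markers RST0..RST7.
STANDALONE = {0xD8, 0xD9} | set(range(0xD0, 0xD8))


def walk_segments(data):
    """Follow the marker chain from offset 0, the way Trog's table does.

    Returns (offset, marker, length) tuples; length is None for markers
    without a length field. Stops at SOS (entropy-coded data follows) or
    EOI, and raises if the chain does not line up or a length field is
    below 2 (it counts its own two bytes, so anything smaller is malformed).
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG: no SOI at offset 0")
    segments = []
    pos = 0
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at 0x{pos:04x}, got 0x{data[pos]:02x}")
        marker = data[pos + 1]
        if marker in STANDALONE:
            segments.append((pos, marker, None))
            pos += 2
            if marker == 0xD9:      # EOI: end of the chain
                break
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated length field at 0x{pos:04x}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            raise ValueError(f"malformed length {length} at 0x{pos:04x}")
        segments.append((pos, marker, length))
        if marker == 0xDA:          # SOS: chain walking ends here
            break
        pos += 2 + length           # "next in chain" exactly as in Trog's table
    return segments


def find_embedded_soi(data):
    """Absolute offsets of every FF D8 that sits inside a segment payload.

    A chain walker steps straight over payloads, so an image embedded in
    an APP segment (the post's point) is invisible to it. This is the
    check a scanner needs in addition to the chain walk.
    """
    hits = []
    for off, marker, length in walk_segments(data):
        if length is None:
            continue
        payload_start = off + 4
        payload = data[payload_start:off + 2 + length]
        i = payload.find(SOI)
        while i >= 0:
            hits.append(payload_start + i)
            i = payload.find(SOI, i + 1)
    return hits


def all_soi_offsets(data):
    """Brute force: every FF D8 anywhere in the file, chain or not."""
    hits, i = [], data.find(SOI)
    while i >= 0:
        hits.append(i)
        i = data.find(SOI, i + 1)
    return hits


def build_sample():
    """Constructed test image (not bulzano2.jpg): a minimal JFIF with a
    second minimal JFIF tucked inside an APP13 (FFED) segment payload."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    inner = SOI + app0 + b"\xff\xd9"                 # a complete image on its own
    filler = b"Photoshop 3.0\x00" + b"\x00" * 8     # opaque APP13 bytes before it
    app13 = b"\xff\xed" + struct.pack(">H", 2 + len(filler) + len(inner)) + filler + inner
    return SOI + app0 + app13 + b"\xff\xd9"


if __name__ == "__main__":
    data = build_sample()
    print("Offset Marker Size")
    for off, marker, length in walk_segments(data):
        size = "" if length is None else f"{length:04x}"
        print(f"0x{off:04x} FF{marker:02X}   {size}")
    print("SOI inside a payload at:", [hex(h) for h in find_embedded_soi(data)])
    print("SOI anywhere in file at:", [hex(h) for h in all_soi_offsets(data)])
```

Run as a script it prints the chain (SOI at 0x0000, APP0 at 0x0002 with size 0x0010, APP13 at 0x0014, EOI at 0x0044) and then reports the second SOI at 0x002E, which the chain walk alone never lands on. The chain walker and the payload scan are deliberately separate functions: the first answers "is the file structurally a JPEG", the second answers the question Andrey raises, whether anything image-like is hiding where the chain never looks.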