HiddenBit.org Security Advisory.
Date: October 14, 2004
Author: Andrey Bayora
BACKGROUND
While working on a research paper for the SANS GCIH practical, I found
this issue, and it seems to me critical enough to warn readers
about it.
DESCRIPTION
Most antivirus software can’t detect mutations of the GDI+ exploit.
ANALYSIS
1) Most antivirus vendors issued virus definitions for the known exploit
code [1], which uses the \xFF\xFE\x00\x01 string to trigger the buffer overflow.
From the Snort rule [2] you can learn that there are 7 more variants
that produce this buffer overflow in GDI+.
So, by changing \xFE to one of \xE1, \xE2 or \xED and/or by
changing \x01 to \x00, this exploit will be UNDETECTED by many
antiviruses (list attached).
2) While the original exploit code places the buffer overflow string near the
BEGINNING of the image file (after the \xFF\xE0,
\xFF\xEC and \xFF\xEE markers), I was able
to create an image with the buffer overflow string in the MIDDLE of the file.
3) By combining the various strings from the methods described under 1) and 2),
and by placing them in different locations in the image file, I was
able to bypass various antivirus products.
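As an added illustration (not part of the advisory), the Python below contrasts a fixed-offset signature for the original \xFF\xFE\x00\x01 string with a structural check that walks the JPEG marker segments and flags any segment whose length field is below 2 (the condition behind the overflow), wherever it sits in the file. The sample byte strings are constructed here and are not the advisory's demo files; the check generalises to every marker segment, not only the four markers listed above.

```python
import struct

# Markers the advisory names as exploitable in GDI+ (MS04-028): COM (FF FE) and
# APP1/APP2/APP13 (FF E1, FF E2, FF ED). The root condition is a segment length
# field below 2, which makes the decoder's "length - 2" payload size underflow.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))  # SOI, EOI, TEM, RST0-7
KNOWN_SIG = b"\xff\xfe\x00\x01"  # the one string most vendors signatured

def naive_signature_hit(data: bytes) -> bool:
    """Fixed-offset check modelled on the criticised approach: it only recognises
    the original exploit string placed directly after SOI."""
    return data[2:6] == KNOWN_SIG

def scan_jpeg(data: bytes) -> list:
    """Walk the marker segments and return (offset, marker, length) for every
    segment whose length is malformed (< 2), wherever it sits in the file."""
    findings = []
    if data[:2] != b"\xff\xd8":
        return findings  # no SOI: not a JPEG stream at all
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            break  # lost marker sync; stop walking
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            break  # truncated segment header
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            findings.append((pos, marker, length))
            pos += 4  # step over the bad header and keep looking
            continue
        if marker == 0xDA:
            break  # SOS: entropy-coded data follows, no more segment headers
        pos += 2 + length
    return findings

# Constructed samples for this example (not the advisory's 1.jpg / 2.jpg).
_APP0 = b"\xff\xe0" + struct.pack(">H", 18) + b"JFIF\x00" + b"\x00" * 11
BENIGN = b"\xff\xd8" + _APP0 + b"\xff\xfe\x00\x07hello" + b"\xff\xd9"
ORIGINAL = b"\xff\xd8" + KNOWN_SIG + b"\x00" * 16 + b"\xff\xd9"              # signatured string
MUTANT_FRONT = b"\xff\xd8" + b"\xff\xe1\x00\x01" + b"\x00" * 16 + b"\xff\xd9"  # FE -> E1 (method 1)
MUTANT_MID = b"\xff\xd8" + _APP0 + b"\xff\xed\x00\x00" + b"A" * 8 + b"\xff\xd9"  # FF ED mid-file (method 2)
```

The fixed-offset check only fires on ORIGINAL, while the segment walk reports the malformed header in all three hostile samples and nothing in BENIGN.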
FIX
1) Patch vulnerable systems.
2) If your antivirus doesn’t detect these variants, block JPEG files (\xFF\xD8 signature).
DEMO
The demo file is here (password to open is "jpeg").
1) In the 1.jpg file, \xFE was substituted with \xE1.
WARNING! THIS IS THE COMPILED PROOF OF CONCEPT
FROM [1]; ON A VULNERABLE MACHINE IT WILL CONNECT BACK
TO 127.0.0.1 AT PORT 777 (run: nc -l -p 777).
2) In 2.jpg the buffer overflow string is at offset 0x22F0 (the string
begins with \xFF\xED).
THIS IS JUST AN IMAGE WITH THE BUFFER OVERFLOW.
3) These are the results from [3]:
For 1.jpg
Results of a file scan
This is the report of the scanning done over "1.jpg" (see Demo section)
file that VirusTotal processed on 10/13/2004 at 18:54:56.
Antivirus     Version         Update      Result
BitDefender   7.0             10.12.2004  -
ClamWin       devel-20040922  10.12.2004  -
eTrust-Iris   7.1.194.0       10.13.2004  -
F-Prot        3.15b           10.13.2004  -
Kaspersky     4.0.2.24        10.13.2004  -
McAfee        4398            10.13.2004  Exploit-MS04-028
NOD32v2       1.893           10.13.2004  -
Norman        5.70.10         10.12.2004  -
Panda         7.02.00         10.13.2004  -
Sybari        7.5.1314        10.13.2004  -
Symantec      8.0             10.12.2004  Backdoor.Roxe
TrendMicro    7.000           10.12.2004  Exploit-MS04-028
For 2.jpg
Results of a file scan
This is the report of the scanning done over "2.jpg" file that
VirusTotal processed on 10/13/2004 at 18:56:32.
Antivirus     Version         Update      Result
BitDefender   7.0             10.12.2004  -
ClamWin       devel-20040922  10.12.2004  -
eTrust-Iris   7.1.194.0       10.13.2004  -
F-Prot        3.15b           10.13.2004  -
Kaspersky     4.0.2.24        10.13.2004  -
McAfee        4398            10.13.2004  Exploit-MS04-028
NOD32v2       1.893           10.13.2004  -
Norman        5.70.10         10.12.2004  -
Panda         7.02.00         10.13.2004  -
Sybari        7.5.1314        10.13.2004  -
Symantec      8.0             10.12.2004  Bloodhound.Exploit.13
TrendMicro    7.000           10.12.2004  Exploit-MS04-028
Only “the BIG 3” were able to detect those variants.
More complete research will be published in my SANS GCIH paper.
References:
[1] www.k-otik.com
[2] http://www.snort.org/snort-db/sid.html?sid=2705
[3] www.virustotal.com
**********************************************************
HiddenBit.org is a non-profit Israeli security research team.
--------------------------------------------------------------
Disclaimer
The information within this advisory may change without notice. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or spread of
this information. Any use of this information is at the user's own risk.
First, this post isn’t about “how dangerous the GDI+ bug or a malicious JPEG image is”, but about “how good” your antivirus software is.
The issue is: only 1 out of 23 tested antivirus products can detect the malicious JPEG image (6 months after the public disclosure date).
Results and screenshots are below.
The one vendor (Symantec) that can detect it obviously does it with “heuristic” detection (I don’t work for them and didn’t send them any file; moreover, I know of cases when Symantec didn’t detect a virus that “other” vendors did).
ClamAV antivirus detected this JPEG file 4 months ago, but strangely can’t detect it now.
What happened?
What about the 22 antivirus software vendors that miss this malicious JPEG?
The pattern or problem in these JPEG files is known, and still many antivirus software vendors miss it; does this represent the quality of their heuristic engines?
OK, we know that no antivirus software can provide 100% protection…
P.S. After my first post (in November) about this problem, all antivirus software vendors added detection for the demo file I provided within a couple of hours. Sadly, it seems that they prefer “playing cat and mouse” rather than improving their heuristic engines…
Results from http://www.virustotal.com :
Results from http://virusscan.jotti.org :
Plus, the following antivirus programs did not find the virus (with the latest engine and definitions as of March 4, 2005):
McAfee Corporate 8.0i
Pc-Cillin 2005 (TrendMicro)
F-Secure 5.5
Sophos 3.91
JPEGScan from http://www.diamondcs.com.au/jpegscan/
The test file is here (password to open is "jpeg"). When run on a vulnerable system, this file will connect to 127.0.0.1 at port 777; to test, first run "nc -l -p 777" on a test system and then browse to the JPEG file location.
You can read my paper with explanations of how to create this JPEG image.