[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] JPEG AV Detection

To: "'Mailing List - Full-Disclosure'" <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: RE: [Full-Disclosure] JPEG AV Detection
From: "Bojan Zdrnja" <Bojan.Zdrnja@xxxxxx>
Date: Wed, 29 Sep 2004 19:45:30 +1200

 

> -----Original Message-----
> From: full-disclosure-admin@xxxxxxxxxxxxxxxx 
> [mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On Behalf Of 
> Todd Towles
> Sent: Wednesday, 29 September 2004 7:26 a.m.
> To: Mailing List - Full-Disclosure
> Subject: FW: [Full-Disclosure] JPEG AV Detection
> 
>  What exactly are the AV products detecting in the JPEG exploits? Barry
> and I was talking about how impressed we were that the AV companies
> jumped on this one and detection was pretty fast. But is the detection
> so generic that a variant will bypass? Is the detection based on a
> original exploit that could be modified in a way that makes it
> "undetectable" right now?

If they are any decent then they'll check for incorrect values in comment
size fields. It's very easy to detect it since value has to be 0 or 1 in
order to exploit the vulnerability.
A little problem is that comment size field can be in any section of the
JPEG, not just at the beginning (as in the original exploit), but I supposed
that AV vendors caught this.

Cheers,

Bojan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- FW: [Full-Disclosure] JPEG AV Detection
  - From: Todd Towles

Prev by Date: Re[2]: [Full-Disclosure] Automatically passing NTLM authentication credentials on Windows XP
Next by Date: Re[2]: [Full-Disclosure] Automatically passing NTLM authentication credentials on Windows XP
Previous by thread: Re: FW: [Full-Disclosure] JPEG AV Detection
Next by thread: RE: FW: [Full-Disclosure] JPEG AV Detection
Index(es):
- Date
- Thread