<<< Date Index >>>     <<< Thread Index >>>

Bypass of Antivirus software with GDI+ bug exploit Mutations



Bypass of Antivirus software with GDI+ bug exploit Mutations.

HiddenBit.org Security Advisory.

Date: October 14, 2004

Author: Andrey Bayora


BACKGROUND

While performing research paper for SANS GCIH practice I have found
this issue and it seems to me enough critical to warn readers
about this.

DESCRIPTION

Most Antivirus software can?t detect Mutations of GDI+ exploit.

ANALYSIS

1) Most Antivirus vendors issues virus definitions for known exploit
code [1] witch uses \xFF\xFE\x00\x01 string for buffer overflow.
>From the Snort rule [2] you can learn that there are 7 more variants
to produce this buffer overflow in GDI+.

So, by changing \xFE to one of this - \xE1, \xE2, \xED  and\or by
changing \x01 to \x00 this exploit will be UNDETECTED by many
antiviruses (list attached).

2) While original exploit code use buffer overflow string near the
BEGINNING of the image file (after \xFF\xE0 ,
\xFF\xEC and \xFF\xEE markers), I was able
to create image with buffer overflow string at the MIDDLE of the file.

3) By combining various strings from methods described under 1) and 2)
and by placing them in different locations in the image file I was
able to bypass various antivirus products.


FIX

1) Patch vulnerable systems.
2) If your antivirus didn?t detect these variants ? block JPEG (xFFD8).


DEMO

1) In the 1.jpg file the \xFE string was substituted to \xE1.
                  WARNING ! THIS IS COMPILED PROOF OF CONCEPT
                           FROM [1] THAT WILL CONNECT BACK TO
                           VULNERABLE MACHINE TO 127.0.0.1 AT
                           PORT 777 ( run: nc ?l ?p 777 ).
2) In the 2.jpg the buffer overflow string at offset x22F0 (string that
begins with \xFF\xED).
                  THIS IS JUST AN IMAGE WITH BUFFER OVERFLOW.
3) This is results from [3] :
For 1.jpg

Results of a file scan
This is the report of the scanning done over "1.jpg" (see Demo section)
file that VirusTotal processed on 10/13/2004 at 18:54:56.
Antivirus Version Update Result
BitDefender 7.0                10.12.2004 -
ClamWin devel-20040922         10.12.2004 -
eTrust-Iris 7.1.194.0          10.13.2004 -
F-Prot 3.15b                   10.13.2004 -
Kaspersky 4.0.2.24             10.13.2004 -
McAfee 4398                    10.13.2004 Exploit-MS04-028
NOD32v2 1.893                  10.13.2004 -
Norman 5.70.10                 10.12.2004 -
Panda 7.02.00                  10.13.2004 -
Sybari 7.5.1314                10.13.2004 -
Symantec 8.0                   10.12.2004 Backdoor.Roxe
TrendMicro 7.000               10.12.2004 Exploit-MS04-028

For 2.jpg

Results of a file scan
This is the report of the scanning done over "2.jpg" file that
VirusTotal processed on 10/13/2004 at 18:56:32.
Antivirus Version Update Result
BitDefender 7.0            10.12.2004 -
ClamWin devel-20040922     10.12.2004 -
eTrust-Iris 7.1.194.0      10.13.2004 -
F-Prot 3.15b               10.13.2004 -
Kaspersky 4.0.2.24         10.13.2004 -
McAfee 4398                10.13.2004 Exploit-MS04-028
NOD32v2 1.893              10.13.2004 -
Norman 5.70.10             10.12.2004 -
Panda 7.02.00              10.13.2004 -
Sybari 7.5.1314            10.13.2004 -
Symantec 8.0               10.12.2004 Bloodhound.Exploit.13
TrendMicro 7.000           10.12.2004 Exploit-MS04-028


Only ?The BIG 3? was able to detect those variants.

More complete research will be published in my SANS GCIH paper.


Reference :

[1] www.k-otik.com
[2] http://www.snort.org/snort-db/sid.html?sid=2705
[3] www.virustotal.com



**********************************************************
HiddenBit.org is non-profit Israel security research team.



--------------------------------------------------------------
Disclaimer

The information within this advisory may change without notice. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatever arising out or in connection with the use or spread of
this information. Any use of this information is at the user's own risk.



Attachment: JPEG.zip
Description: Zip archive