
Re: [Full-Disclosure] [ GLSA 200501-46 ] ClamAV: Multiple issues



Dack,

That depends on the payload. While browsers like Thunderbird, Mail.app, Opera mail and Konqueror will render RFC 2397 formatted images, only Opera mail supports and executes RFC 2397 formatted application data. IE does not support RFC 2397, hence neither does Outlook.

Please be advised that this issue does not only affect AV systems, but also IDS and IPS technologies. Since my original advisory on Jan 10th (www.intrusense.com/av-bypass/image-bypass-advisory.txt), CheckPoint, TippingPoint and ClamAV have added support to either detect malicious RFC 2397 formatted content, or flat out block it. There's certainly room for improvement, but it's a start.

Here is the response from Trend, dated Jan 24th, 2005:

Dear Darren,

Here is the Official Statement from our Scan Engine Team.
1. Explanation of the vulnerability

This vulnerability arises because our products (and this includes the engine) do not support RFC 2397 (The "data" URL scheme). This RFC permits the embedding of files (be it a JPEG, EXE, or other files) in an HTML file. A file can be embedded in an HTML file by encoding it using base64.

This was tested using a JPEG file and an EICAR file. The JPEG file is detected as EXPL_MS04-028.A, but when embedded in an HTML, the JPEG file is not detected. The embedded EICAR file is also not detected.

Link to the original FD post: <http://lists.netsys.com/pipermail/full-disclosure/2005-January/030724.html>


2. How it affects the Trend Products

Trend Micro Products cannot detect images, or any malicious files, encoded in base64 that are embedded in HTML files (in accordance with RFC 2397).

3. How do we solve it?

- Ask users to apply the patch.
- We can create file-specific signatures for any threat that uses this vulnerability
- Scan Engine update to support RFC 2397

4. Schedules of releases, milestones, etc

- File-specific detection is already available anytime but it is sample dependent. We need to have a sample before we can create a solution.
- Scan Engine development to fix this will start very soon. We are estimating around 4-6 weeks development. I'll get back to you on the exact schedule.



Thank you,

Darren Bounds
Intrusense LLC.
http://www.intrusense.com

--
Intrusense - Securing Business As Usual




On Feb 1, 2005, at 5:41 PM, Dack wrote:

> By sending a base64 encoded image file in a URL an attacker could evade
> virus scanning.
> It's somewhat harsh to single out ClamAV for this issue. AFAICT, the
> only two virus scanners that do currently protect against this are
>
> What mail clients, if any, would execute a virus encoded in this manner?
> Is this a gaping hole in other mail anti-virus systems, or do most
> clients just ignore this kind of data?
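The thread's point is that a scanner which never decodes RFC 2397 "data:" URLs never sees the embedded JPEG or executable at all. The following is an added example, not code from this thread or from any of the vendors named in it: a small Python gateway-side check that extracts data: URLs from HTML, decodes both the base64 and percent-encoded forms, sniffs the real content type of the decoded bytes, and runs them past a signature table. The signature table, the magic-byte list, the sample HTML and the marker string are all constructed stand-ins; a real deployment would hand the decoded payload to the actual scan engine at that point.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 syntax: data:[<mediatype>][;base64],<data>
# Constructed heuristic for HTML: the URL ends at a quote, whitespace or an
# angle bracket so it can be picked out of attribute values and bare text.
DATA_URL_RE = re.compile(
    r"""data:(?P<meta>[^,"'\s<>]*),(?P<data>[^"'\s<>]*)""",
    re.IGNORECASE,
)

# Constructed signature table standing in for a real scan engine.
SIGNATURES = {
    b"CONSTRUCTED-MALICIOUS-MARKER": "TEST_SIG.A",
}

# Minimal magic-byte table for type sniffing of the decoded payload.
MAGIC = (
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF8", "image/gif"),
    (b"MZ", "application/x-dosexec"),
)


def decode_data_url(meta, data):
    """Return (declared mediatype, decoded bytes) for one data: URL."""
    params = meta.split(";")
    mediatype = params[0] or "text/plain"          # RFC 2397 default
    if any(p.lower() == "base64" for p in params):
        # Browsers tolerate missing '=' padding, so a scanner must as well.
        padded = data + "=" * (-len(data) % 4)
        return mediatype, base64.b64decode(padded, validate=False)
    return mediatype, unquote_to_bytes(data)       # percent-encoded form


def sniff(payload):
    """Guess the real content type from leading bytes, or None if unknown."""
    for magic, mediatype in MAGIC:
        if payload.startswith(magic):
            return mediatype
    return None


def scan_html(html):
    """Decode every data: URL in the document and report what it contains."""
    findings = []
    for m in DATA_URL_RE.finditer(html):
        try:
            declared, payload = decode_data_url(m["meta"], m["data"])
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append({"declared": m["meta"], "sniffed": None,
                             "size": 0, "hits": [], "error": "undecodable"})
            continue
        hits = [name for sig, name in SIGNATURES.items() if sig in payload]
        findings.append({"declared": declared, "sniffed": sniff(payload),
                         "size": len(payload), "hits": hits})
    return findings


def flag(findings):
    """Findings a gateway should act on: a signature hit, an executable,
    or a declared type that does not match the decoded bytes."""
    return [f for f in findings
            if f["hits"]
            or f["sniffed"] == "application/x-dosexec"
            or (f["sniffed"] and f["declared"] != f["sniffed"])]


# Constructed sample message body: a JPEG-like stub (not a real image),
# an "executable" carrying the marker, and a percent-encoded text URL.
_JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 12
_EXE_STUB = b"MZ" + b"CONSTRUCTED-MALICIOUS-MARKER"
SAMPLE_HTML = (
    '<html><body>'
    '<img src="data:image/jpeg;base64,' + base64.b64encode(_JPEG_STUB).decode() + '">'
    '<a href="data:application/octet-stream;base64,'
    + base64.b64encode(_EXE_STUB).decode() + '">run</a>'
    '<p>data:,Hello%2C%20World</p>'
    '</body></html>'
)

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f)
    print("flagged:", len(flag(scan_html(SAMPLE_HTML))))
```

The decode step is the whole fix: a pattern match against the raw HTML would never see the "MZ" header or the marker, because they only exist after base64 decoding. The padding repair and the percent-encoded branch matter because the content the client will render is whatever its lenient decoder produces, not what a strict decoder rejects.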