Re: [Full-Disclosure] [ GLSA 200501-46 ] ClamAV: Multiple issues
Dack,
That depends on the payload. While browsers like Thunderbird, Mail.app,
Opera mail and Konqueror will render RFC 2397 formatted images, only
Opera mail supports and executes RFC 2397 formatted application data.
IE does not support RFC 2397, hence neither does Outlook.
Please be advised that this issue does not only affect AV systems, but
also IDS and IPS technologies. Since my original advisory Jan 10th,
(www.intrusense.com/av-bypass/image-bypass-advisory.txt), CheckPoint,
TippingPoint and ClamAV have added support to either detect malicious
RFC 2397 formatted content, or flat out block it. There's certainly
room for improvement, but it's a start.
Here is the response from Trend, dated Jan 24th, 2005:
Dear Darren,
Here is the Official Statement from our Scan Engine Team.
1. Explanation of the vulnerability
This vulnerability arises because our products (and this includes the
engine) do not support RFC 2397 (The "data" URL scheme). This RFC
permits the embedding of files (be it a JPEG, EXE, or other files) in
an HTML file. A file can be embedded in an HTML file by encoding it
using base64.
This was tested using a JPEG file and an EICAR file. The JPEG file is
detected as EXPL_MS04-028.A, but when embedded in an HTML, the JPEG
file is not detected. The embedded EICAR file is also not detected.
Link to the original FD post.
<http://lists.netsys.com/pipermail/full-disclosure/2005-January/030724.html>
2. How it affects the Trend Products
Trend Micro Products cannot detect images, or any malicious files,
encoded in base64 that are embedded in HTML files (in accordance with
RFC 2397).
3. How do we solve it?
- Ask users to apply the patch.
- We can create file-specific signatures for any threat that uses this
vulnerability
- Scan Engine update to support RFC 2397
4. Schedules of releases, milestones, etc.
- File-specific detection is already available anytime but it is sample
dependent. We need to have a sample before we can create a solution.
- Scan Engine development to fix this will start very soon. We are
estimating around 4-6 weeks development. I'll get back to you on the
exact schedule.
Thank you,
Darren Bounds
Intrusense LLC.
http://www.intrusense.com
--
Intrusense - Securing Business As Usual
On Feb 1, 2005, at 5:41 PM, Dack wrote:
By sending a base64 encoded image file in a URL an attacker could evade
virus scanning.
It's somewhat harsh to single out ClamAV for this issue. AFAICT, the
only two virus scanners that do currently protect against this are
What mail clients, if any, would execute a virus encoded in this
manner?
Is this a gaping hole in other mail anti-virus systems, or do most
clients just ignore this kind of data?