Re: [Full-Disclosure] [ GLSA 200501-46 ] ClamAV: Multiple issues

[Darren Bounds <lists@xxxxxxxxxxxxxx>]

Dack,

That depends on the payload.  While browsers like Thunderbird, Mail.app  
and Opera mail and Konquer will render RFC 2397 formatted images, only  
Opera mail supports and executes  RFC 2397 formatted application data.  
IE does not support for RFC 2397, hense neither does Outlook.

Please be advised that this issue does not only affect AV systems, but  
also IDS and IPS technologies. Since my original advisory Jan 10th,  
(www.intrusense.com/av-bypass/image-bypass-advisory.txt), CheckPoint,  
TippingPoint and ClamAV have added support to either detect malicious  
RFC 2397 formatted content, or flat out block it.  There's certainly  
room for improvement, but it's a start.

Here is the response from Trend, dated Jan 24th, 2005:

Dear Darren,

Here is the Official Statement from our Scan Engine Team.
1. Explanation of the vulnerability

This vulnerability arise because our products (and this includes the  
engine) does not support RFC 2397 (The "data" URL scheme). This RFC  
permits the embedding of files (be it a JPEG, EXE, or other files) in  
an HTML file. A file can be embedded in an HTML file by encoding it  
using base64.

This was tested using a JPEG file and an EICAR file. The JPEG file is  
detected as EXPL_MS04-028.A, but when embedded in an HTML, the JPEG  
file is not detected. The embedded EICAR file is also not detected.

Link to the original FD post.  
<http://lists.netsys.com/pipermail/full-disclosure/2005-January/ 
030724.html>


2. How it affects the Trend Products

Trend Micro Products cannot not detect images, or any malicious files,  
encoded in base64 that are embedded in HTML files (in accordance with  
RFC 2397).

3. How do we solve it.

- Ask users to apply the patch.
- We can create file-specific signatures for any threat that uses this  
vulnerability
- Scan Engine update to support RFC 2397

4. Schedules of releases, milestones, etc

- File-specific detection is already available anytime but it is sample  
dependent. We need to have a sample before we can create a solution.
- Scan Engine development to fix this will start very soon. We are  
estimating around 4-6 weeks development. Ill get back to you on the  
exact schedule.



Thank you,

Darren Bounds
Intrusense LLC.
http://www.intrusense.com

--
Intrusense - Securing Business As Usual




On Feb 1, 2005, at 5:41 PM, Dack wrote:

> > > By sending a base64 encoded image file in a URL an attacker could  
> > > evade
> > > virus scanning.
> > It's somewhat harsh to single out ClamAV for this issue. AFAICT, the
> > only two virus scanners that do currently protect against this are
>
> What mail clients, if any, would execute a virus encoded in this  
> manner?
> Is this a gaping hole in other mail anti-virus systems, or do most
> clients just ignore this kind of data?