BugTraq
Re: [Full-Disclosure] [ GLSA 200501-46 ] ClamAV: Multiple issues Feb 02 2005 01:33PM
Darren Bounds (lists intrusense com)
Dack,

That depends on the payload. While browsers like Thunderbird, Mail.app,
Opera mail and Konqueror will render RFC 2397 formatted images, only
Opera mail supports and executes RFC 2397 formatted application data.
IE does not support RFC 2397, hence neither does Outlook.

Please be advised that this issue does not only affect AV systems, but
also IDS and IPS technologies. Since my original advisory Jan 10th,
(www.intrusense.com/av-bypass/image-bypass-advisory.txt), CheckPoint,
TippingPoint and ClamAV have added support to either detect malicious
RFC 2397 formatted content, or flat out block it. There's certainly
room for improvement, but it's a start.

Here is the response from Trend, dated Jan 24th, 2005:

Dear Darren,

Here is the Official Statement from our Scan Engine Team.
1. Explanation of the vulnerability

This vulnerability arises because our products (and this includes the
engine) do not support RFC 2397 (The "data" URL scheme). This RFC
permits the embedding of files (be it a JPEG, EXE, or other files) in
an HTML file. A file can be embedded in an HTML file by encoding it
using base64.

This was tested using a JPEG file and an EICAR file. The JPEG file is
detected as EXPL_MS04-028.A, but when embedded in an HTML, the JPEG
file is not detected. The embedded EICAR file is also not detected.

Link to the original FD post.
<http://lists.netsys.com/pipermail/full-disclosure/2005-January/030724.html>

2. How it affects the Trend Products

Trend Micro Products cannot detect images, or any malicious files,
encoded in base64 that are embedded in HTML files (in accordance with
RFC 2397).

3. How do we solve it.

- Ask users to apply the patch.
- We can create file-specific signatures for any threat that uses this
vulnerability
- Scan Engine update to support RFC 2397

4. Schedules of releases, milestones, etc

- File-specific detection is already available anytime but it is sample
dependent. We need to have a sample before we can create a solution.
- Scan Engine development to fix this will start very soon. We are
estimating around 4-6 weeks development. I'll get back to you on the
exact schedule.

Thank you,

Darren Bounds
Intrusense LLC.
http://www.intrusense.com

--
Intrusense - Securing Business As Usual

On Feb 1, 2005, at 5:41 PM, Dack wrote:

>>> By sending a base64 encoded image file in a URL an attacker could
>>> evade
>>> virus scanning.
>> It's somewhat harsh to single out ClamAV for this issue. AFAICT, the
>> only two virus scanners that do currently protect against this are
>
> What mail clients, if any, would execute a virus encoded in this
> manner?
> Is this a gaping hole in other mail anti-virus systems, or do most
> clients just ignore this kind of data?

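The bypass discussed in this thread comes down to one missing step in the scan engine: the HTML body is matched against signatures as-is, so a file that is base64-encoded (or percent-encoded) inside an RFC 2397 "data:" URL is never decoded and never seen. The following is an added example, not code from the advisory, from ClamAV or from Trend Micro. It extracts every data: URL from a constructed HTML message body, decodes it the way a lenient mail client would, and matches the decoded bytes; the raw-HTML scan misses the EICAR test file, the RFC 2397-aware scan finds it. The signature names, the sample HTML and the mediatype-versus-magic-bytes heuristic are assumptions made for this example.

```python
"""Scanner-side decoding of RFC 2397 "data:" URLs.

Added example, not code from the advisory, ClamAV or Trend Micro.  Signature
names, the sample HTML and the heuristics are assumptions for this example.
"""
import base64
import binascii
import re
import urllib.parse

# The standard EICAR anti-virus test string, used as the "malicious" payload.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Toy byte-pattern signatures (names are ours, not any vendor's).
SIGNATURES = {"EICAR-Test-File": EICAR}

# Magic bytes used to check that the declared mediatype matches the content.
MAGIC = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",
}

# RFC 2397 grammar: data:[<mediatype>][;base64],<data>
# The character classes stop at quotes, whitespace, '<', '>' and parentheses,
# which terminate a URL inside an HTML attribute or a CSS url(...).
DATA_URL_RE = re.compile(
    r"""(?<![A-Za-z0-9-])data:([^,\s"'<>()]*),([^\s"'<>()]*)""", re.IGNORECASE
)


def decode_payload(payload, is_base64):
    """Decode the <data> part the way a lenient mail client or browser would."""
    if not is_base64:
        return urllib.parse.unquote_to_bytes(payload)
    text = urllib.parse.unquote(payload)          # '%2B' may hide a '+'
    text = re.sub(r"[^A-Za-z0-9+/=]", "", text)   # clients ignore stray characters
    text += "=" * (-len(text) % 4)                # clients tolerate missing padding
    try:
        return base64.b64decode(text)
    except binascii.Error:
        return b""


def parse_data_url(url):
    """Return (mediatype, is_base64, decoded_bytes) for one data: URL."""
    m = DATA_URL_RE.fullmatch(url)
    if m is None:
        raise ValueError("not an RFC 2397 data URL: %r" % url)
    header, payload = m.group(1), m.group(2)
    params = header.split(";")
    # ";base64" is the last parameter when present.
    is_base64 = len(params) > 1 and params[-1].strip().lower() == "base64"
    # RFC 2397 default for an omitted mediatype is text/plain;charset=US-ASCII.
    mediatype = params[0].strip().lower() or "text/plain"
    return mediatype, is_base64, decode_payload(payload, is_base64)


def match_signatures(blob, mediatype):
    """Return the names of every finding for one decoded payload."""
    findings = [name for name, sig in SIGNATURES.items() if sig in blob]
    # Content declared as an image that lacks the image's magic bytes is
    # suspicious: the advisory's vector is application data behind an image type.
    magic = MAGIC.get(mediatype)
    if magic is not None and not blob.startswith(magic):
        findings.append("mediatype-mismatch")
    return findings


def scan_html(html, decode_data_urls=True):
    """Scan an HTML document; returns a list of (mediatype, finding) tuples.

    With decode_data_urls=False the scanner behaves like an engine without
    RFC 2397 support: it only matches signatures against the raw HTML bytes.
    """
    if not decode_data_urls:
        raw = html.encode("utf-8")
        return [("text/html", n) for n in match_signatures(raw, "text/html")]
    results = []
    for m in DATA_URL_RE.finditer(html):
        mediatype, _, blob = parse_data_url(m.group(0))
        results.extend((mediatype, n) for n in match_signatures(blob, mediatype))
    return results


# Constructed sample message body (not from the advisory): EICAR hidden as a
# base64 "JPEG", EICAR percent-encoded as text/plain, and a harmless GIF stub.
_B64_EICAR = base64.b64encode(EICAR).decode()
_PCT_EICAR = urllib.parse.quote(EICAR)
_B64_GIF = base64.b64encode(b"GIF89a\x01\x00\x01\x00").decode()
SAMPLE_HTML = (
    "<html><body>\n"
    f'<img src="data:image/jpeg;base64,{_B64_EICAR}">\n'
    f'<a href="data:text/plain,{_PCT_EICAR}">note</a>\n'
    f'<img src="data:image/gif;base64,{_B64_GIF}">\n'
    "</body></html>"
)

if __name__ == "__main__":
    print("raw-HTML scan:      ", scan_html(SAMPLE_HTML, decode_data_urls=False))
    print("RFC 2397-aware scan:", scan_html(SAMPLE_HTML))
```

Two things a real engine has to get right beyond this sketch: the data: URL must be decoded inside the same normaliser that already unpacks MIME parts and HTML, so the decoded bytes go through the full signature set rather than a toy dictionary; and the decoder has to be at least as forgiving as the client that will render the content (stray characters, missing padding, percent-encoded base64), otherwise a payload the scanner rejects as malformed is still one the client executes.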