Bugtraq mailing list archives

Re: [Full-Disclosure] Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2


From: Andrey Bayora <andrey () hiddenbit org>
Date: Mon, 7 Mar 2005 18:13:40 -0600

Hello Trog,
See my inline comments...

Quoting Trog <trog () uncon org>:

> On Fri, 2005-03-04 at 15:03 -0600, Andrey Bayora wrote:
>
> > The issue is: only 1 out of 23 tested antivirus software can detect a
> > malicious JPEG image (after 6 months from the public disclosure
> > date).
>
> Perhaps this fact should have rung some alarm bells in your mind.

Yes, it did, and that's why I wrote about it - to inform you.

> > Here is the link to results, JPEG file and my paper (GCIH practical)
> > that describes how to create this one:
> > http://www.hiddenbit.org/jpeg.htm
>
> I had a look at your supposed JPEG exploit file, bulzano2.jpg,
> downloaded from the URL you supplied above, and read the 84 page PDF
> you've generated to explain your processes.
>
> You appear to have made an error.

Maybe, we are all human, but I haven't found any error until now.

> The segments of a JPEG file are chained together. In bulzano2.jpg, the
> chain goes as follows:
>
> Offset Marker Size Comment
> --------------------------
>
> 0x0000 FFDB        Start of image marker

You have a typo here, it's FFD8.

> 0x0002 FFE0   0010 JFIF APP0 marker: next in chain = 0x0004+0x0010=0x0014
> 0x0014 FFED   191c APP marker: next in chain = 0x0016+0x191c=0x1932
>
> According to your paper you've added your exploit at offset 0x0210,

You are right (after FFD8 at 0x0214).

> which is in the middle of the APP segment that ranges from 0x0018 to
> 0x1932,

Here you missed something. The point of my first post (in October) was the
discovery that JPEG images can be "embedded" one into another. Open
your "clear" bulzano.jpg (if you have Windows XP) and seek to offset
0x0212!? You will find FFD8 – that's the Start of image marker! Somehow
it's parsed and it's a valid marker or at least the following markers
are parsed (don't ask me why, I'm not the JPEG guru, but when I figured
it out - I posted about it). So, that's the story - an "embedded" image that
can have valid markers (and exploit) virtually at any location in the
JPEG file. And finally, that's the challenge for the antivirus vendors
– to find (let's say a 4 byte string) at ANY location in the JPEG file.

> as such this is not a valid exploit. The data at 0x0210 may look
> like a segment marker, but isn't.
>
> Please explain if I have missed something.
>
> -trog

P.S. The bulzano2.jpg demo file (from the web site) has the valid
exploit and will connect back to 127.0.0.1 at port 777. You can test
it, if you run "nc.exe -l -p 777" on the test machine where you open the
JPEG. Basically, this is not a virus or malicious code, it can't harm
or compromise, but take a look at how many antivirus vendors marked it as
"backdoor"... :)
Hope this will help.

Regards,
Andrey Bayora.
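As an added illustration of the two views in this exchange (not code from either poster, and not derived from the bulzano2.jpg file): the first function walks the segment chain exactly as Trog's Offset/Marker/Size table does, the second reports any FFD8 sitting inside a segment payload that the chain never visits, which is the "embedded image" case Andrey describes. The sample bytes are constructed for the demonstration.

```python
import struct

# Constructed sample, not the bulzano2.jpg file from the thread: SOI, a JFIF APP0
# segment, an APP13 segment whose payload hides a second FFD8 with a small marker
# chain of its own (COM, EOI), then SOS, a few bytes of scan data and EOI.
APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
EMBEDDED = b"\xff\xd8" + b"\xff\xfe\x00\x04AB" + b"\xff\xd9"
APP13 = b"\xff\xed\x00\x20\x00\x00" + EMBEDDED + b"\x00" * 18
SOS = b"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00"
SAMPLE = b"\xff\xd8" + APP0 + APP13 + SOS + b"\x12\x34\x56\xff\xd9"

# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {0xFFD8, 0xFFD9, 0xFF01} | {0xFFD0 + i for i in range(8)}

def walk_segments(data, start=0):
    """Follow the chain from `start` as Trog's table does: the next segment sits
    at offset + 2 + size (size counts its own two bytes). Returns (offset, marker,
    size) tuples, size None for standalone markers; stops at EOI or at SOS."""
    segments, pos = [], start
    while pos + 2 <= len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker >> 8 != 0xFF:
            raise ValueError(f"no marker at offset {pos:#06x}")
        if marker in STANDALONE:
            segments.append((pos, marker, None))
            if marker == 0xFFD9:
                break
            pos += 2
            continue
        size = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if size < 2:  # a length field cannot be shorter than itself
            raise ValueError(f"bad size {size} at offset {pos:#06x}")
        segments.append((pos, marker, size))
        if marker == 0xFFDA:
            break
        pos += 2 + size
    return segments

def find_embedded_soi(data):
    """Report every FFD8 inside a segment payload that the main chain does
    not account for, paired with the offset of the enclosing segment. Scan
    data needs no check: encoders stuff FF as FF00 there, so FFD8 cannot occur."""
    chain = walk_segments(data)
    known = {off for off, _, _ in chain}
    hits = []
    for off, _, size in chain:
        if size is None:
            continue
        for i in range(off + 4, off + 1 + size):  # payload bytes only
            if data[i:i + 2] == b"\xff\xd8" and i not in known:
                hits.append((i, off))
    return hits
```

Calling `walk_segments(SAMPLE, hit_offset)` on a reported hit walks the embedded chain from its own SOI, which is what a scanner that only follows the outer chain misses.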
