[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: RE: [Full-Disclosure] JPEG AV Detection
From: "Bojan Zdrnja" <Bojan.Zdrnja () LSS ! hr>
Date: 2004-09-29 7:45:30
Message-ID: 20040929074524.48EC734088 () smtpb ! itss ! auckland ! ac ! nz
[Download RAW message or body]
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
> Todd Towles
> Sent: Wednesday, 29 September 2004 7:26 a.m.
> To: Mailing List - Full-Disclosure
> Subject: FW: [Full-Disclosure] JPEG AV Detection
>
> What exactly are the AV products detecting in the JPEG exploits? Barry
> and I was talking about how impressed we were that the AV companies
> jumped on this one and detection was pretty fast. But is the detection
> so generic that a variant will bypass? Is the detection based on a
> original exploit that could be modified in a way that makes it
> "undetectable" right now?
If they are any decent then they'll check for incorrect values in comment
size fields. It's very easy to detect it since value has to be 0 or 1 in
order to exploit the vulnerability.
A little problem is that comment size field can be in any section of the
JPEG, not just at the beginning (as in the original exploit), but I supposed
that AV vendors caught this.
Cheers,
Bojan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic