[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    RE: [Full-Disclosure] JPEG AV Detection
From:       "Bojan Zdrnja" <Bojan.Zdrnja () LSS ! hr>
Date:       2004-09-29 7:45:30
Message-ID: 20040929074524.48EC734088 () smtpb ! itss ! auckland ! ac ! nz
[Download RAW message or body]

 

> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com 
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of 
> Todd Towles
> Sent: Wednesday, 29 September 2004 7:26 a.m.
> To: Mailing List - Full-Disclosure
> Subject: FW: [Full-Disclosure] JPEG AV Detection
> 
>  What exactly are the AV products detecting in the JPEG exploits? Barry
> and I was talking about how impressed we were that the AV companies
> jumped on this one and detection was pretty fast. But is the detection
> so generic that a variant will bypass? Is the detection based on a
> original exploit that could be modified in a way that makes it
> "undetectable" right now?

If they are any decent then they'll check for incorrect values in comment
size fields. It's very easy to detect it since value has to be 0 or 1 in
order to exploit the vulnerability.
A little problem is that comment size field can be in any section of the
JPEG, not just at the beginning (as in the original exploit), but I supposed
that AV vendors caught this.

Cheers,

Bojan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[prev in list] [next in list] [prev in thread] [next in thread]