[Full-Disclosure] JPEG AV Detection
Bojan.Zdrnja at LSS.hr
Wed Sep 29 08:45:30 BST 2004
> -----Original Message-----
> From: full-disclosure-admin at lists.netsys.com
> [mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of
> Todd Towles
> Sent: Wednesday, 29 September 2004 7:26 a.m.
> To: Mailing List - Full-Disclosure
> Subject: FW: [Full-Disclosure] JPEG AV Detection
> What exactly are the AV products detecting in the JPEG exploits? Barry
> and I was talking about how impressed we were that the AV companies
> jumped on this one and detection was pretty fast. But is the detection
> so generic that a variant will bypass? Is the detection based on a
> original exploit that could be modified in a way that makes it
> "undetectable" right now?
If they are any decent then they'll check for incorrect values in comment
size fields. It's very easy to detect it since value has to be 0 or 1 in
order to exploit the vulnerability.
A little problem is that comment size field can be in any section of the
JPEG, not just at the beginning (as in the original exploit), but I supposed
that AV vendors caught this.
Full-Disclosure is hosted and sponsored by Secunia.