On Sep 30, 2004, at 1:08 PM, ralf bosz wrote:
> I have just upgraded to the latest version of ClamAV that is said to be able
> to detect the new JPEG vulnerability. I'm using ClamAV with MailScanner to
> scan e-mail. How can I test to see if ClamAV is indeed detecting the JPEG
> exploit?
Download an exa
> Download an example here: http://www.easynews.com/virus.html (watch it,
> it's a real virus, don't open it on unpatched system, it may crash your
> pc) and scan it, or check the logging for Exploit.JPEG.
Thanks Ralf. I downloaded the example and just left it zipped up. I sent the
zipped fil
Rodney Green wrote:
> Greetings!
>
> I have just upgraded to the latest version of ClamAV that is said to
> be able to detect the new JPEG vulnerability. I'm using ClamAV with
> MailScanner to scan e-mail. How can I test to see if ClamAV is indeed
> detecting the JPEG exploit?
>
> Thanks,
> Rod
> I have just upgraded to the latest version of ClamAV that is said to be able
> to detect the new JPEG vulnerability. I'm using ClamAV with MailScanner to
> scan e-mail. How can I test to see if ClamAV is indeed detecting the JPEG
> exploit?
Download an example here: http://www.easynews.com/virus
Greetings!
I have just upgraded to the latest version of ClamAV that is said to be able
to detect the new JPEG vulnerability. I'm using ClamAV with MailScanner to
scan e-mail. How can I test to see if ClamAV is indeed detecting the JPEG
exploit?
Thanks,
Rod
Kevin Spicer wrote:
>
> They have to follow each other. fffe denotes the start of a JPEG comment
> field and the following two bytes indicate its length. The exploit is
> to specify a length of zero or one byte. Inside a JPEG file the
> sequence fffe _always_ indicates the start of a comment, th
On Sat, 2004-09-18 at 06:25, Matt wrote:
> One last question, do the fffe 000(0|1) bytes
> always have to follow each other for this exploit, or is this just a pure
> example of the possibility of this exploit?
They have to follow each other. fffe denotes the start of a JPEG comment
field and the f
> 0xFFFE is the comment marker in a JPEG. So it's not that bad to
> detect. It is followed by the length field, which is where the
> problem occurs. So you have to detect the following sequence from
> the beginning of the JPEG.
>
> ffd8 <- SOI marker
> ffe0 <- APP0 marker
> 0010 <- length of APP0
> Daniel Lord wrote:
>
> >
> > Not sure if I got your question right. Hexedit is the tool to get
> > the bytes (not strings). The rest is knowledge of the JFIF
> > file format. And some (>2) samples to prove that the format is
> > implemented widely this way. :)
>
> Sorry if my question wa
On Fri, 17 Sep 2004 17:21:26 +0200
Daniel Lord <[EMAIL PROTECTED]> wrote:
> Hi List,
>
> On Fri, Sep 17, 2004 at 03:31:25PM +0200, Daniel Lord wrote:
> > those two are valid and (IMHO) catch the xploit in JFIF and EXIF but
> > may also produce false positives. Just test them.
>
> Those signature
On Fri, 2004-09-17 at 16:21, Daniel Lord wrote:
> Those signatures don't catch the poc xploit found at
> http://www.gulftech.org/?node=downloads. But maybe it's better to
> leave this alone till there are real worms etc. to produce good
> signatures. At the moment clamav sigs don't seem good enough
Daniel Lord wrote:
> > I'm going to have to ask, what base system util will extract the info
> > from a jpeg to allow you to examine for these strings?
>
> Not sure if I got your question right. Hexedit is the tool to get
> the bytes (not strings). The rest is knowledge of the JFIF
> file format
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Daniel
> Lord
>
>
> Those signatures don't catch the poc xploit found at
> http://www.gulftech.org/?node=downloads. But maybe it's better to
> leave this alone till there are real worms etc. to produce good
Hi Matt,
On Fri, Sep 17, 2004 at 03:43:34PM +0100, Matt wrote:
> Daniel Lord wrote:
> > 0xFFFE is the comment marker in a JPEG. So it's not that bad to
> > detect. It is followed by the length field, which is where the
> > problem occurs. So you have to detect the following sequence from
> > the
Hi List,
On Fri, Sep 17, 2004 at 03:31:25PM +0200, Daniel Lord wrote:
> those two are valid and (IMHO) catch the xploit in JFIF and EXIF but may also
> produce false positives. Just test them.
Those signatures don't catch the poc xploit found at
http://www.gulftech.org/?node=downloads. But maybe
Daniel Lord wrote:
> 0xFFFE is the comment marker in a JPEG. So it's not that bad to
> detect. It is followed by the length field, which is where the
> problem occurs. So you have to detect the following sequence from
> the beginning of the JPEG.
>
> ffd8 <- SOI marker
> ffe0 <- APP0 marker
> 00
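A walker over JPEG marker segments that implements the check Kevin Spicer and Daniel Lord describe above (a COM marker 0xFFFE whose declared length is 0 or 1), as an added example rather than code from the list or from ClamAV. The sample byte strings are constructed, and the naive_signature_hits helper stands in for a plain hex signature to show where a raw four-byte match and a structure-aware check disagree.

```python
import struct

SOI, EOI, COM, SOS = 0xFFD8, 0xFFD9, 0xFFFE, 0xFFDA
# Markers that carry no length field: SOI, EOI and the restart markers RST0..RST7
STANDALONE = {SOI, EOI} | set(range(0xFFD0, 0xFFD8))
# The two raw four-byte sequences discussed in the thread (COM marker + length 0 or 1)
NAIVE_SIGS = (b"\xff\xfe\x00\x00", b"\xff\xfe\x00\x01")

def naive_signature_hits(data: bytes) -> int:
    """Count raw byte-pattern matches, ignoring JPEG structure (what a plain hex signature does)."""
    return sum(data.count(sig) for sig in NAIVE_SIGS)

def scan_jpeg_segments(data: bytes):
    """Walk marker segments from SOI to SOS; return (segments, findings).
    A COM segment whose declared length is 0 or 1 is reported, because the
    length field must be at least 2 (it counts its own two bytes)."""
    segments, findings = [], []
    if len(data) < 2 or struct.unpack(">H", data[:2])[0] != SOI:
        return segments, ["missing SOI marker: not a JPEG"]
    pos = 2
    while pos + 2 <= len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker >> 8 != 0xFF:
            findings.append(f"expected marker at offset {pos:#x}, got {marker:#06x}")
            break
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append(f"truncated length field at offset {pos:#x}")
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((marker, length))
        if marker == COM and length < 2:
            findings.append(f"COM segment at offset {pos:#x} declares length {length}")
            break
        if marker == SOS:          # entropy-coded data follows; stop the segment walk
            break
        pos += 2 + length          # skip marker plus the whole segment (length includes itself)
    return segments, findings

# Constructed samples (not real files): SOI, then a 16-byte JFIF APP0 segment
_HDR = bytes.fromhex("ffd8 ffe0 0010 4a46494600 0101 00 0001 0001 00 00")
_SOS = bytes.fromhex("ffda 0008 01 01 00 00 3f 00") + b"\x12\x34"
BENIGN_JPEG = _HDR + bytes.fromhex("fffe 0007") + b"hello" + _SOS
# APP1 payload that happens to contain ff fe 00 00 (binary metadata): a naive grep hits, the walker does not
LOOKALIKE_JPEG = _HDR + bytes.fromhex("ffe1 0008") + b"\xff\xfe\x00\x00AB" + _SOS
# COM marker followed by a zero length field, the malformed layout the thread describes
MALFORMED_JPEG = _HDR + bytes.fromhex("fffe 0000") + b"\x00" * 16
```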
On Fri, Sep 17, 2004 at 01:07:25PM +0200, Tomasz Kojm wrote:
> On Fri, 17 Sep 2004 07:59:51 +0100
> Kevin Spicer <[EMAIL PROTECTED]> wrote:
> > bytes a * will match?
>
> Yes, there is (but only supported by the development versions). The
> format is HEX1{limit}HEX2, and possible limits are:
>
>
Hi Kevin,
On Fri, Sep 17, 2004 at 07:59:51AM +0100, Kevin Spicer wrote:
> On Fri, 2004-09-17 at 03:02, Tomasz Kojm wrote:
> > > Okay, well I've found an easier to understand source...
> > > http://www.funducode.com/freec/Fileformats/format3/format3b.htm
> > > and it seems that the particular explo
On Fri, 17 Sep 2004 07:59:51 +0100
Kevin Spicer <[EMAIL PROTECTED]> wrote:
> (correct?). Perhaps this information could be added to
> signatures.pdf? Is there a limit (and if so what is it) to how many
All signature formats will be described in detail in the new
documentation.
> bytes a * will
On Fri, 2004-09-17 at 03:02, Tomasz Kojm wrote:
> > Okay, well I've found an easier to understand source...
> > http://www.funducode.com/freec/Fileformats/format3/format3b.htm
> > and it seems that the particular exploit byte sequence would be unique
> > within jpeg files. I've also tracked down d
On Thu, 16 Sep 2004 22:58:54 +0100
Kevin Spicer <[EMAIL PROTECTED]> wrote:
> On Thu, 2004-09-16 at 22:24, Kevin Spicer wrote:
> > It looks like there are two possible four byte sequences that can
> > trigger the exploit. I guess this is probably too small to avoid an
> > unacceptable level of fal
On Thu, 2004-09-16 at 22:24, Kevin Spicer wrote:
> It looks like there are two possible four byte sequences that can
> trigger the exploit. I guess this is probably too small to avoid an
> unacceptable level of false positives(?) Presumably this could be
> combined with the 'magic' numbers for jp
I guess everyone's heard about the JPEG vulnerability in certain
Microsoft products? CERT have put out an advisory, and it is being
ranked as critical.
Now I know that strictly speaking this isn't a virus, it's a
vulnerability - but there have been, in the past, signatures added for
some exploits