[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [security] [Full-disclosure] Mozilla Foundation GIF Overflow
- To: "Armstrong, Richard (ISS Texas)" <rarmstrong@xxxxxxx>
- Subject: RE: [security] [Full-disclosure] Mozilla Foundation GIF Overflow
- From: Steven Rakick <stevenrakick@xxxxxxxxx>
- Date: Mon, 28 Mar 2005 10:54:38 -0800 (PST)
Hi Richard,
Thanks for the email.
Based on what you're saying, things have changed then
since: http://xforce.iss.net/xforce/xfdb/18882. In
that URL, Proventia A, G and M series are listed as
affected.
I'm not quite sure why it would affect the AV engine,
but not the IPS engine unless you're looking at the
content in a different manner. Can you explain what
you're doing differrently now? Are you inspecting all
RFC 2397 embedded data?
Steve
--- "Armstrong, Richard (ISS Texas)"
<rarmstrong@xxxxxxx> wrote:
> The trick below is a way to get around AV Gateways
> but not Intrusion
> Prevention Systems. The M Series is our multi
> function box. So while
> the GIF would have made if pass the AV Gateway
> module it would not have
> made it past the IPS module. The FW and IPS module
> come with all M
> Series appliances for free.
>
> Our A and G Series appliances do not have AV
> Gateways and were not
> vulnerable to the below.
>
> R
>
> Richard Armstrong, CISSP
> Director Systems Engineering
> Western Region
> Internet Security Systems
> Mobile: 469-556-5513
> rarmstrong@xxxxxxx
>
>
>
> -----Original Message-----
> From: security-bounces@xxxxxxxxxxxxxxxxxx
> [mailto:security-bounces@xxxxxxxxxxxxxxxxxx] On
> Behalf Of Steven Rakick
> Sent: Friday, March 25, 2005 2:40 PM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [security] [Full-disclosure] Mozilla
> Foundation GIF Overflow
>
> Hi all,
>
> I was just glancing at the Internet Security Systems
> website and I
> noticed the following statement "ISS provides Ahead
> of the Threat
> protection for Mozilla and Firefox Browsers".
>
> Clicking the related link they mention that ISS
> Network Sensor 7.0,
> Proventia A and G100, G400, G200, G1200, G2000 and M
> series all provide
> "preemptive protection for these vulnerabilities".
>
> I remember a couple months ago, Darren Bounds from
> Intrusense released
> an advisory regarding weak support for inspecting
> base64 encoded images
> in AV, IDS and IPS technologies (ISS being one of
> the them).
> (Advisory:
>
http://www.intrusense.com/av-bypass/image-bypass-advisory.txt)
>
> My question is this. Did ISS ever add support for
> detecting this RFC
> 2397 images or are they going to pass through
> undetected? Mozilla and
> Firefox both support this spec so it seems like a
> very trivial attack
> vector to exploit... once again.
>
> Also, what other vendors have now added support for
> RFC 2397 inspection?
>
>
> Any insight would be greatly appreciated.
>
> Steve
>
>
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! Small Business - Try our new resources site!
> http://smallbusiness.yahoo.com/resources/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
>
http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia -
> http://secunia.com/
> _______________________________________________
> security mailing list
> security@xxxxxxxxxxxxxxxxxx
> http://lists.seifried.org/mailman/listinfo/security
>
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/