New JPG GDI+ Vulnerability

dblairii
Level 1

See USCert (VU#297462) http://www.kb.cert.org/vuls/id/297462

Is there a signature about to be released to detect these malformed JPG/JPEG attachments?

Thanks,

Don

6 Replies

mcerha
Level 3

Here is a regex that can be used to detect the MS04-028 vulnerability. My advice would be to create a STRING.TCP signature looking for HTTP return traffic (from port 80). I would recommend starting only with this signature.

\xFF\xD8[\x00-\xFF][\x00-\xFF][\x00-\xFF][\x00-\xFF]JFIF[\x00-\xFF]+\xFF\xFE\x00[\x00\x01]

Here are some caveats dealing with this situation:

1) False positives

First, there are multiple attack vectors (HTTP, SMTP, etc.). Second, properly identifying JPEG files in the traffic is difficult. The sensor currently only has a limited capacity to determine if it is inspecting a JPEG file or not. The regex design tries to compensate for this, but it is no guarantee.

2) Performance

Because of the multiple attack vectors and need to inspect deep into data payloads, adding too many signatures with the regex will likely cause a significant performance hit.

Due to the nature of this vulnerability, we believe that it is unlikely to be widely exploited in the wild beyond a DoS attack due to the complexity of exploiting a heap overflow. Cisco will provide a production signature when and if evidence of a credible exploit technique becomes available.
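The bytes `\xFF\xFE\x00[\x00\x01]` at the end of the posted regex are a JPEG comment (COM, marker 0xFFFE) segment whose two-byte length field is 0 or 1, i.e. smaller than the two bytes the length field itself occupies; that is the malformed field the MS04-028 signature keys on. The following is an added example, not code from the thread or from Cisco, that runs the regex exactly as posted beside a structure-aware check that walks the marker segments by their declared lengths. The three JPEG byte strings are constructed here for illustration: a benign file, a file with a zero-length COM segment, and a benign file whose APP1 payload happens to contain the bytes FF FE 00 00. The third one shows the false-positive mechanism the post warns about: the raw regex fires on it, the segment walker does not.

```python
import re
import struct

# The STRING.TCP regex from the post, applied unchanged to raw bytes.
POSTED_REGEX = re.compile(
    rb"\xFF\xD8[\x00-\xFF][\x00-\xFF][\x00-\xFF][\x00-\xFF]JFIF[\x00-\xFF]+\xFF\xFE\x00[\x00\x01]"
)

APP0, APP1, SOS, EOI, COM = 0xE0, 0xE1, 0xDA, 0xD9, 0xFE


def regex_flags(data: bytes) -> bool:
    """True when the posted signature would match this payload."""
    return POSTED_REGEX.search(data) is not None


def find_short_com_segments(data: bytes) -> list:
    """Walk the JPEG marker segments up to SOS and return the offsets of COM
    segments whose declared length is < 2 (the malformed length MS04-028 keys on).
    Segments are skipped by their declared length, so bytes inside an APPn
    payload are never mistaken for a marker."""
    hits = []
    if data[:2] != b"\xFF\xD8":
        return hits  # not a JPEG at all
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            break  # lost marker sync
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD8, EOI, 0x01) or 0xD0 <= marker <= 0xD7:
            # standalone markers carry no length field
            if marker == EOI:
                break
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            if marker == COM:
                hits.append(pos)
            break  # length field is nonsense; nothing after it can be trusted
        if marker == SOS:
            break  # entropy-coded data follows; the marker walk ends here
        pos += 2 + length
    return hits


def segment(marker: int, payload: bytes) -> bytes:
    """Marker + big-endian length (payload + 2) + payload."""
    return b"\xFF" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def jfif_header() -> bytes:
    """SOI followed by a minimal APP0/JFIF segment (version 1.01, no thumbnail)."""
    return b"\xFF\xD8" + segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")


# Constructed samples (not real captured files).
SCAN = segment(SOS, b"\x01\x01\x00\x00\x3F\x00") + b"\x12\x34\x56\x78" + b"\xFF\xD9"
BENIGN = jfif_header() + segment(COM, b"hello") + SCAN
# COM marker followed by length 0x0000: the malformed field the regex matches.
MALICIOUS = jfif_header() + b"\xFF\xFE\x00\x00" + b"A" * 16 + b"\xFF\xD9"
# Benign file whose APP1 payload contains FF FE 00 00 as ordinary data.
FALSE_POSITIVE = (
    jfif_header()
    + segment(APP1, b"Exif\x00\x00" + b"\xFF\xFE\x00\x00" + b"\x00" * 8)
    + segment(COM, b"ok")
    + SCAN
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malicious", MALICIOUS), ("false_positive", FALSE_POSITIVE)):
        print(f"{name:15s} regex={regex_flags(blob)!s:5s} walker={find_short_com_segments(blob)}")
```

The walker reads `MALICIOUS` and reports the COM segment at offset 20 (right after the 20-byte SOI + APP0 header), the same file the regex flags; on `FALSE_POSITIVE` only the regex fires, because the `[\x00-\xFF]+` wildcard lets it match marker-like bytes buried in another segment's payload. A sensor that can only do raw pattern matching cannot make that distinction, which is the limitation described above.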

Is Cisco Threat Response going to get an agent update for MS04-028?

brok3n
Level 1

Any reason that Cisco doesn't just give up and use the snort signatures? The true value of the IDS is the ability to parse large volumes of data streams, not the IP locked up in the signature creation. The snort signatures are superior to either of the offerings Cisco has come up with to date. The original jpeg sig was looking for essentially a bunch of binary NOPs. That sig fired all over everywhere on many benign images that were binary matches for the Cisco regex.

The new Cisco sig is just as flawed. The snort signature that we have been testing is 9 bytes long and hasn't falsed once in our tests and positively identified the numerous "live" exploit jpegs we tested it with. The Cisco regexes continue to incorrectly identify benign jpegs.

-wP

This is the exact reason a Threat Response Agent would help.

The IDS would fire up the alarm - Threat response can check the system to see if it is vulnerable to the exploit and hence the issue of false alarms becomes unimportant.

How about getting it right the first time and don't make me buy any more junk for my enterprise?

Seriously -- the signatures should be as accurate and thin (read: short) as possible. The snort team has hundreds of contributors all over the planet that have many more man hours available than any given commercial entity to write these signatures -- why doesn't Cisco leverage that mind-share and do some sig validation or something? Help us Wheel Group!

We are implementing our snort sig in the meantime.

-wP!

Threat Response is free. BTW, there is a TRONS module in ISS software which reads snort signatures. Such a feature in Cisco IDS would be great.