
[Repost] Multi-Vendor AntiVirus Gateway Image Inspection Bypass


Source: www.securiteam.com

Summary
A vulnerability has been discovered which allows a remote attacker to bypass anti-virus (as well as other security technologies such as IDS and IPS) inspection of HTTP image content by leveraging the RFC 2397 technique for base64-encoding image content within a URL. A remote attacker may encode a malicious image within the body of an HTML-formatted document to circumvent content inspection.

Credit:
The information has been provided by Darren Bounds.

Details
The source code at the URL http://www.securiteam.com/exploits/5EP0M0KE0W.html will by default create a JPEG image that attempts (and, without tweaking, fails) to exploit the Microsoft MS04-028 GDI+ vulnerability. The image itself is detected by all AV gateway engines tested (Trend, Sophos and McAfee); however, when the same image is base64-encoded using the technique described in RFC 2397 (documented below), inspection is not performed and the image is delivered to, and rendered by, the client.

While Microsoft Internet Explorer does not support the RFC 2397 URL scheme, Firefox, Safari, Mozilla and Opera do and will render the data, thus successfully executing the payload if the necessary OS and/or application patches have not been applied.
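The gap described above is that the gateway scans image bodies fetched over HTTP but never decodes `data:` URLs embedded in HTML. The following is an added example, not code from the advisory or from any of the named vendors: a small Python inspector that locates RFC 2397 `data:` URLs in an HTML document, base64-decodes (or percent-decodes) each payload, checks the declared media type against the file's magic bytes, and hands the decoded bytes to a signature scanner the way a gateway would hand a normally fetched image to its AV engine. The sample HTML, the embedded JPEG-like bytes and the signature table are all constructed for the demonstration.

```python
import base64
import re
from urllib.parse import unquote

# RFC 2397 form: data:[<mediatype>][;base64],<data>
# The data part ends at a quote, whitespace, ')' or '>' so the match stays inside an attribute.
DATA_URL_RE = re.compile(
    r"data:(?P<mime>[\w.+-]+/[\w.+-]+)?"
    r"(?P<params>(?:;[\w-]+=[^;,]*)*)"
    r"(?P<b64>;base64)?,"
    r"(?P<data>[^\"'\s)>]*)",
    re.IGNORECASE,
)

# Magic-byte table for the image types a browser will render from a data: URL.
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def extract_data_urls(html: str) -> list:
    """Return [(declared_mime, payload_bytes), ...] for every data: URL in html."""
    results = []
    for m in DATA_URL_RE.finditer(html):
        mime = (m.group("mime") or "text/plain").lower()  # RFC 2397 default type
        raw = m.group("data")
        if m.group("b64"):
            try:
                payload = base64.b64decode(raw)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
        else:
            payload = unquote(raw).encode("latin-1", errors="replace")
        results.append((mime, payload))
    return results


def sniff_type(payload: bytes):
    """Identify the real image type from magic bytes, or None if unknown."""
    for magic, mime in MAGIC.items():
        if payload.startswith(magic):
            return mime
    return None


def inspect_html(html: str, signatures: dict) -> list:
    """Decode every embedded object and run the same checks a gateway applies to fetched files."""
    findings = []
    for mime, payload in extract_data_urls(html):
        sniffed = sniff_type(payload)
        findings.append({
            "declared": mime,
            "sniffed": sniffed,
            "mismatch": sniffed is not None and sniffed != mime,
            "matched": [name for name, sig in signatures.items() if sig in payload],
            "size": len(payload),
        })
    return findings


# Constructed sample: a JPEG-shaped byte string carrying a marker we pretend is a known signature.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"CONSTRUCTED-TEST-MARKER" + b"\xff\xd9"
SIGNATURES = {"constructed-test-marker": b"CONSTRUCTED-TEST-MARKER"}  # hypothetical AV signature table

SAMPLE_HTML = (
    "<html><body>"
    '<img src="data:image/jpeg;base64,' + base64.b64encode(SAMPLE_JPEG).decode() + '">'
    '<a href="data:text/plain,hello%20world">link</a>'
    "</body></html>"
)

if __name__ == "__main__":
    for f in inspect_html(SAMPLE_HTML, SIGNATURES):
        print(f)
```

A gateway that applies `inspect_html` to HTML responses sees the same bytes it would have scanned had the image been fetched as a separate object, so a signature that fires on the raw JPEG fires here too; the `mismatch` flag additionally catches a payload whose declared type disagrees with its magic bytes.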

Exploit:
http://www.eviloctal.com/forum/read.php?tid=6737

