[Snort-sigs] PNG vulnerabilities and more
jstewart at ...5...
Thu Aug 19 14:30:03 EDT 2004
On Thursday 19 August 2004 4:10 pm, Joseph Gama wrote:
> I can see that you based your rule on the source code
> with the else if vulnerability. I based mine on the
> code and comments from the exploit which is why you
> look for PLTE while I look for the 0x03 because:
> * to 0x03, byte 10 of the IHDR data. that signifies
> that a PALETTE chunk should
> * be present. but we don't have one, and that is how
> the len check is bypassed.
> I tested my rule and it detects pngtest_bad.png, plus
> I browsed through hundreds of PNG's and got no false
> positives. I haven't tested yours, I didn't see it
Based on that it sounds like yours will false-positive on many
transparent PNGs, since you're checking to see if the PLTE is required,
but not checking to see if it is actually missing. Attached is a normal
transparent PNG that gives a false positive on your sig in my tests.
Joe Stewart, GCIH
Senior Security Researcher
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1744 bytes
Desc: not available
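The difference between the two rules, as an added worked example (this is not code from either poster, and it is not a Snort rule): the first check below does what the 0x03 rule does, it fires on any IHDR whose colour type byte (data offset 9, the "byte 10" of the quoted exploit comment) says "palette image"; the second fires only when such an image reaches its tRNS chunk without a PLTE in between, which is the missing-PLTE condition described above. The three PNGs are constructed here, not the attached file or pngtest_bad.png; the assumption that the oversize chunk in the exploit is a tRNS chunk is mine (the page does not name it), and the lengths used are arbitrary.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def ihdr(width: int, height: int, bit_depth: int, color_type: int) -> bytes:
    # IHDR data layout: width(4) height(4) bit depth(1) colour type(1)
    # compression(1) filter(1) interlace(1); colour type is therefore offset 9.
    data = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    return chunk(b"IHDR", data)


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk in order; raise ValueError on a malformed file."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if len(data) != length:
            raise ValueError("truncated chunk %r" % ctype)
        yield ctype, data
        pos += 12 + length  # length field + type + data + CRC (CRC not verified here)
        if ctype == b"IEND":
            break


def naive_rule(png: bytes) -> bool:
    """Alert whenever IHDR says colour type 3 (palette), which is what the 0x03 rule does.

    Every legitimate indexed-colour PNG, transparent or not, has this byte set,
    so this fires on a large share of ordinary files.
    """
    for ctype, data in iter_chunks(png):
        if ctype == b"IHDR":
            return len(data) >= 10 and data[9] == 3
    return False


def plte_missing_rule(png: bytes) -> bool:
    """Alert only when a colour-type-3 image reaches tRNS with no PLTE seen before it.

    That is the condition the quoted exploit comment describes: PLTE is required
    but absent, so the tRNS length check is never reached.
    """
    palette = False
    have_plte = False
    for ctype, data in iter_chunks(png):
        if ctype == b"IHDR":
            palette = len(data) >= 10 and data[9] == 3
        elif ctype == b"PLTE":
            have_plte = True
        elif ctype == b"tRNS":
            return palette and not have_plte
    return False


def build_samples() -> dict:
    """Constructed sample files (not the list attachment, not pngtest_bad.png)."""
    # 1x1 indexed image: one filter byte followed by one palette index.
    idat = chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    # A normal transparent palette PNG: PLTE present, then a one-entry tRNS.
    transparent = (PNG_SIGNATURE + ihdr(1, 1, 8, 3)
                   + chunk(b"PLTE", b"\xff\x00\x00") + chunk(b"tRNS", b"\x00")
                   + idat + chunk(b"IEND", b""))
    # The malformed shape: colour type 3, no PLTE, oversize tRNS (300 bytes is arbitrary).
    no_plte = (PNG_SIGNATURE + ihdr(1, 1, 8, 3)
               + chunk(b"tRNS", b"\x41" * 300)
               + idat + chunk(b"IEND", b""))
    # A plain truecolour PNG that neither rule should touch.
    truecolour = (PNG_SIGNATURE + ihdr(1, 1, 8, 2)
                  + chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
                  + chunk(b"IEND", b""))
    return {"transparent_palette": transparent, "no_plte": no_plte, "truecolour": truecolour}


def classify(samples: dict) -> dict:
    """Map sample name -> (naive_rule result, plte_missing_rule result)."""
    return {name: (naive_rule(png), plte_missing_rule(png)) for name, png in samples.items()}


if __name__ == "__main__":
    for name, (naive, strict) in classify(build_samples()).items():
        print("%-20s naive=%-5s plte_missing=%s" % (name, naive, strict))
```

Run stand-alone it shows the false positive from the mail: the ordinary transparent palette PNG trips the naive check and not the stricter one, while the PLTE-less file trips both. A signature that can only match on bytes present in the stream has to express the "PLTE absent between IHDR and tRNS" condition somehow, or accept the false positives.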