[Snort-sigs] PNG vulnerabilities and more

Joe Stewart jstewart at ...5...
Thu Aug 19 14:30:03 EDT 2004


On Thursday 19 August 2004 4:10 pm, Joseph Gama wrote:
> I can see that you based your rule on the source code
> with the else if vulnerability. I based mine on the
> code and comments from the exploit which is why you
> look for PLTE while I look for the 0x03 because:
>
> * to 0x03, byte 10 of the IHDR data. that signfies
> that a PALLETE chunk should
>  * be present. but we dont have one, and that is how
> the len check is bypassed.
>
> I tested my rule and it detects pngtest_bad.png, plus
> I browsed through hundreds of PNG's and got no false
> positives. I haven't tested yours, I didn't see it
> before.

Based on that it sounds like yours will false-positive on many 
transparent PNGs, since you're checking to see if the PLTE is required, 
but not checking to see if it is actually missing. Attached is a normal 
transparent PNG that gives a false positive on your sig in my tests.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test-transparent.png
Type: image/png
Size: 1744 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20040819/efbd7cf8/attachment.png>


More information about the Snort-sigs mailing list