While browsing the web, my firewall occasionally flags a GDI+ JPEG Vulnerability.
I already applied the XP patch, so I didn't pay much attention, but lately it has been triggering on a site I visit often, and the firewall frequently ends up blocking that site.
The attempt is reported as follows.
Microsoft Multiple Application/OS GDI+ JPEG Processing Buffer Overflow Vulnerability attempt detected (CAN-2004-200)
After some googling: this happens because the JPEG file is somehow damaged (infected) or specially crafted, so if there is a problem it would be best to repair the image.
JPEGScan, below, can be used to scan and repair images.
Freeware, of course.
----------------------------------------------------------------------------------------
A Free Detection & Repair Scanner for
Exploit.MS04-028 (GDIPlus JPEG Vulnerability)
http://www.diamondcs.com.au/jpegscan
JPEGScan
--------------------------------------------------------------------------------
What is the MS04-028 JPEG exploit?
On September 14 2004, Nick DeBaggis discovered a buffer overrun vulnerability in gdiplus.dll - a library used by many common applications (including most Microsoft applications) for viewing JPEG images. Subsequent analysis by the eEye team confirmed that the vulnerability could be exploited to execute arbitrary code, allowing an attacker to gain control of a remote system simply by enticing the victim to look at a specially-crafted JPEG image. MS04-028 is the tracking code assigned by Microsoft to this specific vulnerability.
So infection can occur simply by looking at a JPEG?
If the program used to view the JPEG file uses a vulnerable version of gdiplus.dll then yes, and unfortunately a lot of software is affected. To scan for vulnerable versions of gdiplus.dll on your system please see these resources: Microsoft, SANS
What is JPEGScan?
DiamondCS JPEGScan is a free, small, fast and easy-to-use scanner that has detection and repair capabilities for JPEG files infected with the MS04-028 exploit. It can detect all known variants of the exploit, and accomplishes this not by string searching or anti-viral signature scanning but rather by properly walking through all blocks in the JPEG searching for the undersized boundaries in comment sections that indicate the presence of MS04-028 infection. Repairing renders the file harmless by readjusting undersized boundaries to their proper size, and if the file was based on a real JPEG then it should also become viewable. If you simply want infected files deleted rather than repaired, JPEGScan can handle that also.
JPEGScan also allows for one-click integration into Explorer's context menu, allowing you to easily right-click on any file, directory or drive and start scanning immediately for infected JPEG images. Although all users will find this tool useful, network administrators in particular will enjoy being able to sweep entire networks for infected images.
For reasons of speed, optimization and accuracy, the main scan routines were written in assembly language, making JPEGScan basically as fast as it possibly can be.
Main Uses
- Detecting infected images, with the option to save results to a textfile
- Deleting infected images
- Repairing/disinfecting infected images, allowing them to become viewable again if they were originally based on a real image
- Scanning images to ensure they're clean before sending them to potentially-vulnerable friends and colleagues
- Administrators can easily sweep their networks for images using the console version
- It's a tiny download and 100% free so it's easy to send to help friends and colleagues
Download
JPEGScan consists of just one tiny independent file (jpegscan.exe), making it quick and easy to send to friends and colleagues. It is available in two user interfaces - a classic Windows application (GUI) and a console application (CUI).
Current version: v1.01 (22 Oct 2004)
Graphical version
DOWNLOAD 28kb jpegscan-gui.zip
ZIPfile MD5: 86DCD690942165F54D019FCE86BEE048
Console version (Administrators and advanced users)
DOWNLOAD 21kb jpegscan-cui.zip
ZIPfile MD5: 1EAA407A306734422065608337A21DCB
Demonstration
We've crafted a JPEG file allowing you to test JPEGScan's detection/repair capabilities as well as test for system vulnerability. The demonstration contains no "shellcode" and thus doesn't exploit the vulnerability by executing code, making it ideal for safe testing purposes. However, due to the buffer overrun nature of the vulnerability it will cause the process of the viewing program (i.e. Explorer) to crash, typically within 30 seconds.
DOWNLOAD 4kb ms04-028demo.zip
ZIPfile MD5: 2E4C5C2662FF380B57832ADA279A58A2
Note for researchers: This particular variant uses the FFFE0000 variation, but all other known variations are also detected by JPEGScan.
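The block-walking check described under "What is JPEGScan?" and the FFFE0000 variation noted above can be sketched as follows. This is an added example, not JPEGScan's own code (which is closed-source assembly). It assumes "undersized" means a segment length field below 2, the minimum possible because the field counts its own two bytes, and it goes slightly beyond the page by flagging any segment, not only comments. The function name and sample bytes are constructed for illustration.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers with no length field: stuffed 0x00, TEM, RST0-RST7, SOI, EOI.
NO_LENGTH = {0x00, 0x01, SOI, EOI} | set(range(0xD0, 0xD8))

# Constructed sample inputs (header fragments, not viewable images).
CLEAN = b"\xff\xd8" + b"\xff\xfe\x00\x07hello" + b"\xff\xd9"
LEN_ZERO = b"\xff\xd8" + b"\xff\xfe\x00\x04ok" + b"\xff\xfe\x00\x00" + b"\xff\xd9"
LEN_ONE = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"\xff\xd9"


def find_undersized_segments(data: bytes):
    """Walk the marker segments of a JPEG and return a list of
    (offset, marker, length) for every length field below 2."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    findings, pos = [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            # Out of sync (malformed file): resume at the next 0xFF byte.
            pos = data.find(b"\xff", pos)
            if pos < 0:
                break
            continue
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte preceding a marker
            pos += 1
            continue
        if marker == EOI:
            break
        if marker in NO_LENGTH:
            pos += 2
            continue
        if pos + 4 > len(data):       # truncated segment header
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            findings.append((pos, marker, length))
            pos += 4                  # skip marker + length, keep walking
            continue
        if marker == SOS:
            break                     # entropy-coded data follows
        pos += 2 + length
    return findings


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("len0", LEN_ZERO), ("len1", LEN_ONE)):
        print(name, find_undersized_segments(blob))
```

Walking the structure rather than searching for the byte string avoids false positives when FF FE 00 00 happens to occur inside a legitimate segment payload or the compressed image data.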
Freeware
It is our privilege to place JPEGScan in the public domain, making it free for use in both personal and commercial/business environments. Please share it with your friends and colleagues to help reduce the number of infections being caused by this critical exploit.
Help & Support
As JPEGScan is provided for free and available internationally we regret we are unable to provide general support, so please direct questions to your favorite security forum or newsgroup. JPEGScan has been designed to be very easy to use so most users won't encounter any issues. However, technical feedback/issues are welcome and can be directed to the Technical Contact listed below.
Technical Contact: jpegscan (at) diamondcs.com.au
Copyright © 2004, DiamondCS
www.diamondcs.com.au