From: THORNTON Simon (Simon.THORNTON@swift.com)
Date: Wed Nov 21 2007 - 06:56:38 EST
Hi,
I'm not sure that you can say categorically that it is out of the
question to fax a virus. From a conventional fax machine or a scanner I
would agree but via the use of raw fax files I'm not so sure.
I seem to remember, maybe incorrectly, that a G3 Fax (CCITT T.4)
transmission uses a modified form of TIFF file for each page image it
sends. The page header is sent during the 300 baud handshake phase that
precedes each page. If the target system had software with a
vulnerability in the receiving software then it might be theoretically
possible to compromise that system.
I haven't verified this but you could produce the base component of this
as follows:
convert MYPIC.gif MYPIC.pbm
pbm2g3 MYPIC.pbm >MYPIC.g3
Where:
MYPIC.gif is any source document/image you want to use
You would then modify MYPIC.g3 to contain a buffer overflow or similar
and then send it using fax s/w (sendfax?) that supports raw g3 file
sending.
Inserting data into the page header sequence might also be an avenue of
research.
I don't imagine it working on a standard fax machine but fax software
running on a PC?.
Just a thought.... :-)
Simon
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of cwright@bdosyd.com.au
Sent: Sunday, November 18, 2007 08:55
To: pen-test@securityfocus.com
Subject: Re: FAX virus
I have though about this for a while following some of the earlier
posts.
Faxing a virus is out of the question and I have not seen anything to
state the contrary. I have thought of an alternate path to loading a
virus bases on a network OCR'd fax server. In the scenario, we have to
assume that the system is sending the output to a web front end or HTTP
enabled email (not that uncommon).
There are a few assumptions that I will place first.
- The system has no input filters and prints all characters to the
email, web app.
- The OCR engine is highly accurate and does not add spaces etc.
- The email or web app displays exactly what it received
Now given that scenario, we have a possible XSS (cross-site-scripting)
attack.
If there are no filters for an outgoing connection (i.e. no
firewall/proxy that strips scripts) and the client browser/email
application allows access to the Internet, the attacker could create a
script in the page that makes a call to an external system to download a
file.
In a simple scenario, an AV server on the proxy level should get this.
However, a script could also embed a simple XOR obfuscation key to
modify the downloaded code. On the web server it would be inert. When
XOR'd with the key in the script (after being downloaded and installed),
this will thus bypass the AV server (if there is one) and install the
malware on the users system.
So the faxing of the virus is still out of the equation, but it does
allow an infection (or other attack) vector.
Regards,
Dr Craig Wright (GSE-Compliance)
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:13 EDT