JPEG Virus

Spicer, Kevin Kevin.Spicer at BMRB.CO.UK
Tue Sep 28 17:02:03 IST 2004


-----Original Message-----
From: Matt Kehler [mailto:mkehler at WRHA.MB.CA] 
>>ClamAV 0.80rc3 successfully detects JPEG files with modified comment 
>>section that allows attackers to remotely execute arbitrary code on
>>>

>I assume this means it will work 'out of the box', and the comment
>section it talks about is *already* modified?  It's not too clear on
>that, and the website doesn't say.

The comment section it refers to is the embedded comment section in a
jpeg file.  The exploit works because the jpeg specification specifies
that a comment starts with the values fffe (2 bytes in hex) followed by
two bytes which indicate the length of the comment.  The two byte length
field is included in the total length, therefore the minimum length is
two bytes.  The exploit works by setting the indicated length to an
invalid 0 or 1 bytes.



BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000
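
Added example (not part of the original message, and not ClamAV's detection code): a minimal Python check for the malformed comment length described in the reply above. The function name and the sample byte strings are constructed for illustration; the walk stops at the start of scan data rather than parsing the image itself.

```python
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
STANDALONE = {0x01, SOI, EOI, *range(0xD0, 0xD8)}  # markers with no length field

# Constructed samples: SOI, one COM (ff fe) segment, EOI.
GOOD = b"\xff\xd8" + b"\xff\xfe\x00\x07hello" + b"\xff\xd9"  # length 7 = 2 + 5
BAD_ZERO = b"\xff\xd8" + b"\xff\xfe\x00\x00" + b"\xff\xd9"   # declared length 0
BAD_ONE = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"\xff\xd9"    # declared length 1


def find_bad_comments(data: bytes):
    """Return [(offset, declared_length)] for COM segments with an invalid length.

    Invalid means a declared length below 2 (the field counts its own two
    bytes) or a length that runs past the end of the data.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    findings = []
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            break                      # lost sync; stop rather than guess
        marker = data[pos + 1]
        if marker == 0xFF:             # fill byte in front of a marker
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == EOI:
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            break                      # truncated before the length field
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        bad = length < 2 or pos + 2 + length > len(data)
        if marker == COM and bad:
            findings.append((pos, length))
        if bad or marker == SOS:
            break                      # cannot skip safely / scan data follows
        pos += 2 + length
    return findings


if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD_ZERO", BAD_ZERO), ("BAD_ONE", BAD_ONE)):
        print(name, find_bad_comments(blob))
```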