[Dshield] GIF89a packets, possibly a variation on the ZeroWidth GIF exploit

Taylor, Graham GrahamTaylor at michaelpage.com
Fri Sep 27 13:51:14 GMT 2002


Been doing a little digging and it looks as though these packets may be a
variation on the ZeroWidth GIF exploit. As I don't have a complete dump of
the GIF file I am unable to say definitively that this is the case, but I
have downloaded a GIF file used in the above exploit and examined the C
code used to produce the file, and it all looks very similar, apart from the
header being changed to GIF89a instead of GIF87a.


Original message below



Below is a packet dump from our Snort IDS. The strange thing about this
packet is that it is from a dial-up user to our webserver on port 80; the
user appears to be sending us a GIF89a file, but after examining a GIF89a
file produced by "Paintshop Pro" the format does not look correct. And why
would somebody connecting to our server be sending a GIF to us?

The packet is obviously NOT a CGI scriptalias attempt, but the format of a
series of consecutive characters in groups of 3 does look a little
suspicious!

TIA Graham


Generated by ACID v0.9.6b13 on Thu September 26, 2002 11:17:04

------------------------------------------------------------------------------
#(7 - 111) [2002-09-26 11:46:10] [CVE/CVE-1999-0236] [Bugtraq/2300] [arachNIDS/227]  WEB-CGI scriptalias access
IPv4: 212.137.166.96 -> 172.16.100.10
      hlen=5 TOS=0 dlen=576 ID=40121 flags=0 offset=0 TTL=128 chksum=53497
TCP:  port=2195 -> dport: 80  flags=***A*R** seq=12091020
      ack=1360648059 off=5 res=0 win=16616 urp=0 chksum=44575
Payload:  length = 536

000 : 47 49 46 38 39 61 0F 00 01 00 F7 00 00 00 00 00   GIF89a..........
010 : 01 01 01 02 02 02 03 03 03 04 04 04 05 05 05 06   ................
020 : 06 06 07 07 07 08 08 08 09 09 09 0A 0A 0A 0B 0B   ................
030 : 0B 0C 0C 0C 0D 0D 0D 0E 0E 0E 0F 0F 0F 10 10 10   ................
040 : 11 11 11 12 12 12 13 13 13 14 14 14 15 15 15 16   ................
050 : 16 16 17 17 17 18 18 18 19 19 19 1A 1A 1A 1B 1B   ................
060 : 1B 1C 1C 1C 1D 1D 1D 1E 1E 1E 1F 1F 1F 20 20 20   .............   
070 : 21 21 21 22 22 22 23 23 23 24 24 24 25 25 25 26   !!!"""###$$$%%%&
080 : 26 26 27 27 27 28 28 28 29 29 29 2A 2A 2A 2B 2B   &&'''((()))***++
090 : 2B 2C 2C 2C 2D 2D 2D 2E 2E 2E 2F 2F 2F 30 30 30   +,,,---...///000
0a0 : 31 31 31 32 32 32 33 33 33 34 34 34 35 35 35 36   1112223334445556
0b0 : 36 36 37 37 37 38 38 38 39 39 39 3A 3A 3A 3B 3B   66777888999:::;;
0c0 : 3B 3C 3C 3C 3D 3D 3D 3E 3E 3E 3F 3F 3F 40 40 40   ;<<<===>>>???@@@
0d0 : 41 41 41 42 42 42 43 43 43 44 44 44 45 45 45 46   AAABBBCCCDDDEEEF
0e0 : 46 46 47 47 47 48 48 48 49 49 49 4A 4A 4A 4B 4B   FFGGGHHHIIIJJJKK
0f0 : 4B 4C 4C 4C 4D 4D 4D 4E 4E 4E 4F 4F 4F 50 50 50   KLLLMMMNNNOOOPPP
100 : 51 51 51 52 52 52 53 53 53 54 54 54 55 55 55 56   QQQRRRSSSTTTUUUV
110 : 56 56 57 57 57 58 58 58 59 59 59 5A 5A 5A 5B 5B   VVWWWXXXYYYZZZ[[
120 : 5B 5C 5C 5C 5D 5D 5D 5E 5E 5E 5F 5F 5F 60 60 60   [\\\]]]^^^___```
130 : 61 61 61 62 62 62 63 63 63 64 64 64 65 65 65 66   aaabbbcccdddeeef
140 : 66 66 67 67 67 68 68 68 69 69 69 6A 6A 6A 6B 6B   ffggghhhiiijjjkk
150 : 6B 6C 6C 6C 6D 6D 6D 6E 6E 6E 6F 6F 6F 70 70 70   klllmmmnnnoooppp
160 : 71 71 71 72 72 72 73 73 73 74 74 74 75 75 75 76   qqqrrrssstttuuuv
170 : 76 76 77 77 77 78 78 78 79 79 79 7A 7A 7A 7B 7B   vvwwwxxxyyyzzz{{
180 : 7B 7C 7C 7C 7D 7D 7D 7E 7E 7E 7F 7F 7F 80 80 80   {|||}}}~~~...
190 : 81 81 81 82 82 82 83 83 83 84 84 84 85 85 85 86   ................
1a0 : 86 86 87 87 87 88 88 88 89 89 89 8A 8A 8A 8B 8B   ................
1b0 : 8B 8C 8C 8C 8D 8D 8D 8E 8E 8E 8F 8F 8F 90 90 90   ................
1c0 : 91 91 91 92 92 92 93 93 93 94 94 94 95 95 95 96   ................
1d0 : 96 96 97 97 97 98 98 98 99 99 99 9A 9A 9A 9B 9B   ................
1e0 : 9B 9C 9C 9C 9D 9D 9D 9E 9E 9E 9F 9F 9F A0 A0 A0   ................
1f0 : A1 A1 A1 A2 A2 A2 A3 A3 A3 A4 A4 A4 A5 A5 A5 A6   ................
200 : A6 A6 A7 A7 A7 A8 A8 A8 A9 A9 A9 AA AA AA AB AB   ................
210 : AB AC AC AC AD AD AD AE                           ........
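The following is an added example, not code from the post or from the Dshield list: a small Python parser for the GIF signature, logical screen descriptor and global colour table, run over a byte string constructed to match the hex columns of the dump above (the 13-byte header, then the 00 00 00, 01 01 01, ... triplets up to AE at the end of the 536-byte payload). It reports the declared image size, how many palette entries the packed byte announces versus how many fit in the captured payload, and whether width or height is zero, the condition the ZeroWidth GIF exploit mentioned in the post turns on. It also checks whether the palette is a grey ramp, which is what consecutive triplets of 00 00 00, 01 01 01, 02 02 02 ... are consistent with in a 256-entry global colour table.

```python
"""Parse the GIF header / logical screen descriptor out of a captured payload."""
import struct

GIF_HEADER_LEN = 13  # 6-byte signature+version + 7-byte logical screen descriptor


def build_sample_payload() -> bytes:
    """Constructed to match the 536-byte payload in the ACID dump: 'GIF89a',
    width 0x000F, height 0x0001, packed 0xF7, background 0, aspect 0, then a
    grey ramp (00 00 00, 01 01 01, ...) cut off at the packet boundary (0xAE)."""
    header = b"GIF89a" + struct.pack("<HHBBB", 15, 1, 0xF7, 0, 0)
    ramp = b"".join(bytes([v, v, v]) for v in range(256))
    return (header + ramp)[:536]


def parse_gif_header(payload: bytes) -> dict:
    """Decode the fixed-size GIF prefix and report the fields a responder
    would want when triaging an unexpected GIF in a request body."""
    if len(payload) < GIF_HEADER_LEN:
        raise ValueError("payload shorter than a GIF header")
    signature, version = payload[:3], payload[3:6]
    if signature != b"GIF" or version not in (b"87a", b"89a"):
        raise ValueError(f"not a GIF header: {payload[:6]!r}")
    # Logical screen descriptor: little-endian width, height, then one packed
    # byte, background colour index and pixel aspect ratio.
    width, height, packed, bg_index, aspect = struct.unpack("<HHBBB", payload[6:13])
    has_gct = bool(packed & 0x80)              # global colour table present
    colour_bits = ((packed >> 4) & 0x07) + 1   # colour resolution
    sorted_flag = bool(packed & 0x08)
    gct_entries = 2 ** ((packed & 0x07) + 1) if has_gct else 0
    gct_bytes_expected = 3 * gct_entries
    gct = payload[GIF_HEADER_LEN:GIF_HEADER_LEN + gct_bytes_expected]
    entries_present = len(gct) // 3
    triplets = [tuple(gct[i:i + 3]) for i in range(0, entries_present * 3, 3)]
    # A grey ramp is entry i == (i, i, i) for every captured entry.
    grey_ramp = bool(triplets) and all(t == (i, i, i) for i, t in enumerate(triplets))
    return {
        "version": version.decode(),
        "width": width,
        "height": height,
        "zero_dimension": width == 0 or height == 0,
        "colour_bits": colour_bits,
        "sorted_palette": sorted_flag,
        "gct_entries_declared": gct_entries,
        "gct_entries_present": entries_present,
        "gct_truncated": len(gct) < gct_bytes_expected,
        "grey_ramp_palette": grey_ramp,
        "background_index": bg_index,
        "aspect_ratio_byte": aspect,
    }


if __name__ == "__main__":
    for key, value in parse_gif_header(build_sample_payload()).items():
        print(f"{key:>22}: {value}")
```

On the constructed payload the parser reports a 15 by 1 pixel image with a declared 256-entry global colour table of which only 174 entries fit in the packet, so the rest of the file would have to arrive in later segments; a zero width or height would be flagged by the `zero_dimension` key. Feeding the real bytes from a Snort capture instead of the constructed ones is a matter of replacing `build_sample_payload()`.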
