[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Multiple AV Vendor Incorrect CRC32 BypassVulnerability.
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Multiple AV Vendor Incorrect CRC32 BypassVulnerability.
- From: bipin gautam <visitbipin@xxxxxxxxx>
- Date: Fri, 11 Mar 2005 07:04:21 -0800 (PST)
eicar.com.txtX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TE
>
<mailto:eicar.com.txtX5O!P%25@AP%5b4\PZX54(P%5e)7CC)7%7d$EICAR-STANDARD-
> ANTIVIRUS-TE> in the text file rather then a valid
> eicar.
yap, i admit; i was uploaded the file... and soon
relized i uploaded the wrong file. But, i think for
altest about 30 minutes i couldn't do anything cauz i
was still getting the "OLD" damaged POC from geocities
cache "i guess" So, i instead later put a message,
last updated time, (UPDATED: 5:40:00 GMT, Friday,
March 11, 2005 ) at,
http://www.geocities.com/visitbipin/crc.html
CHECKED, & double-checked using virustotal.com lately
and found Sybari 7.5.1314 vulnerable!
> Well, technically these would be separate
> vulnerabilities, wouldn't you say?
well... you can modify general purpose bit flag of,
last mod file time, last mod file date,general purpose
bit flag, compression method [NOT: compression method
or that will damage the archive] i replace them with
"\x2f".
md5sum of the updated POC.
4888816c4931002a6027ccd7b1025a94
The one tool that i am currently using that
automatically repare a broken archive (During
extraction) is "Download accelerator plus: 5.3.9.8"
with just a simple warning about the mis-match CRC
__________________________________
Do you Yahoo!?
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/