[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.
From: bipin gautam <visitbipin@xxxxxxxxx>
Date: Fri, 11 Mar 2005 07:55:28 -0800 (PST)

In Local file header if you modify "general purpose
bit flag" 7th & 8'th byte of a zip archive with \x2f
ie: "\" F-port, Kaspersky, Mcafee, Norman, Sybari,
Symantec seem to skip the file marking it as clean!!!
This was discoverd during the analysis of "Multiple AV
Vendor Incorrect CRC32 Bypass Vulnerability."

Quick/rough conclusion were drawn using
www.virustotal.com

poc: http://www.geocities.com/visitbipin/gpbf.zip

regards,
bipin gautam





                
__________________________________ 
Do you Yahoo!? 
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/ 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/

Prev by Date: Re: [Full-disclosure] US pres election was hacked away by Dumbya&cabal. (fwd)
Next by Date: Re: [Full-disclosure] Nothing is real. Video makes it easy to fake anything!
Previous by thread: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.
Next by thread: [Full-disclosure] [SPAM] Fw: Newest Internet Security Patch
Index(es):
- Date
- Thread