RE: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.
- To: "bipin gautam" <visitbipin@xxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: RE: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.
- From: "Steve Scholz" <steve_scholz@xxxxxxxxxx>
- Date: Fri, 11 Mar 2005 18:00:00 -0500
You are correct: by doing this you are marking the zip file as encrypted.
Your option at this time is to turn on the feature "delete encrypted
compressed files".
Fri Mar 11 17:59:02 2005 (4320-4292), "INFORMATION: Internet scan found
virus:
Folder: SMTP Messages\Internal
Message: test
File: gpbf.zip
Incident: EncryptedCompressedFile
State: Removed"
Steve Scholz
Corporate Sales Engineer-North America
Sybari Software, Inc.
631-630-8556 Direct
516-903-2464 Mobile
Email: Steve_scholz@xxxxxxxxxx
MSN IM:Steve_Scholz@xxxxxxx (email never checked)
-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of bipin
gautam
Sent: Friday, March 11, 2005 10:55 AM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Cc: vuln@xxxxxxxxxxx
Subject: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.
In the Local file header, if you modify the "general purpose
bit flag" (7th & 8th byte of a zip archive) with \x2f,
i.e. "\", F-Prot, Kaspersky, McAfee, Norman, Sybari and
Symantec seem to skip the file, marking it as clean!!!
This was discovered during the analysis of "Multiple AV
Vendor Incorrect CRC32 Bypass Vulnerability."
Quick/rough conclusions were drawn using
www.virustotal.com
PoC: http://www.geocities.com/visitbipin/gpbf.zip
regards,
bipin gautam
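The local-header edit described in the quoted report and the two gateway settings contrasted in the reply, as an added Python example that is not code from either poster or from any vendor product: it builds a constructed one-entry zip, optionally overwrites the general purpose bit flag at offset 6 of the local file header with 0x2f, and audits the archive the way a mail gateway could, reporting entries whose local header claims encryption and entries whose local and central-directory flags disagree. The function names build_sample_zip, audit_flags and scan_verdict are assumptions of this example.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
ENCRYPTED_BIT = 0x0001  # bit 0 of the general purpose bit flag: "file is encrypted"

def build_sample_zip(flag_patch=None):
    """Constructed sample: a one-entry stored zip. If flag_patch is given, the
    two-byte general purpose bit flag at offset 6 of the local file header is
    overwritten (the edit described in the thread); the central directory is
    left untouched, which is what makes the tampering detectable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("test.txt", b"hello")
    data = bytearray(buf.getvalue())
    if flag_patch is not None:
        struct.pack_into("<H", data, 6, flag_patch)
    return bytes(data)

def audit_flags(data):
    """Walk the local headers, then the central directory. Report entries whose
    local header claims encryption and entries whose local and central flags
    disagree. Assumes no data descriptors and no zip64 (sizes live in headers)."""
    findings, local_flags, pos = [], {}, 0
    while data.startswith(LOCAL_SIG, pos):
        flag, _m, _t, _d, _crc, csize, _u, nlen, xlen = struct.unpack_from("<HHHHIIIHH", data, pos + 6)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        local_flags[name] = flag
        if flag & ENCRYPTED_BIT:
            findings.append(f"{name}: local header marked encrypted (flag=0x{flag:04x})")
        pos += 30 + nlen + xlen + csize
    while data.startswith(CENTRAL_SIG, pos):
        cflag, = struct.unpack_from("<H", data, pos + 8)
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        if local_flags.get(name, cflag) != cflag:
            findings.append(f"{name}: local flag 0x{local_flags[name]:04x} != central flag 0x{cflag:04x}")
        pos += 46 + nlen + xlen + clen
    return findings

def scan_verdict(data, delete_encrypted):
    """Mirror the two settings from the reply: with 'delete encrypted compressed
    files' off, a flagged archive is merely skipped (and so looks clean); with it
    on, the archive is removed. Returns (state, findings)."""
    findings = audit_flags(data)
    if not findings:
        return "Clean", findings
    return ("Removed" if delete_encrypted else "Skipped"), findings

if __name__ == "__main__":
    for patched, setting in ((None, True), (0x2F, False), (0x2F, True)):
        print(patched, setting, scan_verdict(build_sample_zip(patched), setting))
```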
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/