[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32BypassVulnerability.
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>, "'bipin gautam'" <visitbipin@xxxxxxxxx>
- Subject: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32BypassVulnerability.
- From: "Randall M" <randallm@xxxxxxxxxxx>
- Date: Fri, 11 Mar 2005 18:19:37 -0600
I scanned the file with McAfee 8.0i and it end up stating that it couldn't
scan the EICAR.COM file because it was encrypted. Was this your
Intention?
------------------------------
Message: 16
Date: Fri, 11 Mar 2005 07:55:28 -0800 (PST)
From: bipin gautam <visitbipin@xxxxxxxxx>
Subject: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32
Bypass Vulnerability.
To: full-disclosure@xxxxxxxxxxxxxxxxx
Cc: vuln@xxxxxxxxxxx
Message-ID: <20050311155528.91205.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii
In Local file header if you modify "general purpose
bit flag" 7th & 8'th byte of a zip archive with \x2f
ie: "\" F-port, Kaspersky, Mcafee, Norman, Sybari,
Symantec seem to skip the file marking it as clean!!!
This was discoverd during the analysis of "Multiple AV
Vendor Incorrect CRC32 Bypass Vulnerability."
Quick/rough conclusion were drawn using
www.virustotal.com
poc: http://www.geocities.com/visitbipin/gpbf.zip
regards,
bipin gautam
.....................................
RandallM
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/