[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Full-disclosure] Re: Multiple AV Vendor IncorrectCRC32BypassVulnerability.
- To: "bipin gautam" <visitbipin@xxxxxxxxx>, <vuln@xxxxxxxxxxx>
- Subject: RE: [Full-disclosure] Re: Multiple AV Vendor IncorrectCRC32BypassVulnerability.
- From: "Steve Scholz" <steve_scholz@xxxxxxxxxx>
- Date: Sat, 12 Mar 2005 10:33:48 -0500
Sat Mar 12 10:26:35 2005 (4320-4292), "INFORMATION: Internet scan found
virus:
Folder: SMTP Messages\Internal
Message: test b
File: Antigen_b.zip
Incident: Large uncompressed size
State: Removed"
The Antigen_s.zip does not contain a valid Eicar this info when repaired
and opened is X5O!P%@AP[4\PZX
We did catch it with a file filter.
Sat Mar 12 10:32:29 2005 (4320-4292), "INFORMATION: Internet scan found
virus:
Folder: SMTP Messages\Internal
Message: Fw: test
File: Antigen_s.zip->eicar.com
Incident: FILE FILTER= *.com
State: Removed"
What was your intent with these files?
Steve Scholz
Corporate Sales Engineer-North America
Sybari Software, Inc.
631-630-8556 Direct
516-903-2464 Mobile
Email: Steve_scholz@xxxxxxxxxx
MSN IM:Steve_Scholz@xxxxxxx (email never checked)
-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of bipin
gautam
Sent: Saturday, March 12, 2005 2:58 AM
To: Steve Scholz; vuln@xxxxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx; vuldb@xxxxxxxxxxxxxxxxx
Subject: RE: [Full-disclosure] Re: Multiple AV Vendor
IncorrectCRC32BypassVulnerability.
> While it might be a vulnerability if the file is
> extracted which it hasto be to be executed the
> desktop scanner will detect it at that time.
> Multiple layers of defense is your best option
> As far as number 3 Antigen detects Eicar.
YAP, i never reported Antigen vulnerable to the 3'rd
one.
Though, In Local file header if you modify "general
purpose bit flag" 7th & 8'th byte of a zip archive
with \x2f Antigen is also seem to be vulnerable! While
most unzip utilities are transperently able to extract
SUCH* archive without any problem! Though,currently my
only source of verifying this is via
www.virustotal.com and some others. [Go, TRY IT
THEER!]
http://www.geocities.com/visitbipin/gpbf.zip
> I can see if there is anything
> else that you do not
> think Antigen is doing correctly.
(O;
For instant,
In the 'local file header" & "data descriptor" if you
change the compressed size and uncompressed size to
ZERO[iDEFENSE] or greater than the actual file size or
less than the actual file size still there are many AV
that can't scan the file properly.
http://www.geocities.com/visitbipin/Antigen_b.zip
http://www.geocities.com/visitbipin/Antigen_s.zip
Moreover there are unzip utilities that goes to a loop
if the filesize is changed to ffffffff ! Lets hope, AV
don't have such faulty code!
Just run the file through www.virustotal.com and
you'll see. (I know, they aren't using up-to-date scan
engine)
Thanks,
bipin
__________________________________
Do you Yahoo!?
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/