Re: [Full-disclosure] Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning
- To: "Dr. Peter Bieringer" <pbieringer@xxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning
- From: bipin gautam <visitbipin@xxxxxxxxx>
- Date: Tue, 15 Mar 2005 08:34:32 -0800 (PST)
Dr. Peter,
My rants regarding a similar issue date back to Mar 05,
2004. There were some other issues in the NAV product that
I tried contacting SYMANTEC about in 2003 (I guess).
Symantec discarded this issue.
http://www.securityfocus.com/archive/1/357065
So did they in to latest advisory!!!
http://www.geocities.com/visitbipin/nav_bugs.html
http://www.securityfocus.com/bid/9811
http://www.geocities.com/visitbipin/test_nav.zip
The exe file in there will create the POC. In there
you will find a file name called, "eicar_com ♫
.☺☻♥♦♣♠?◘
?↔▲§ .com .zip" I STILL FIND IT happy to
see there are a lot of AV out there that can't scan such
a file properly to detect the virus. One great thing is I
tested mine
--- bipin gautam <visitbipin@xxxxxxxxx> wrote:
> NICE FIND. (O;
>
> But hey, that's something quite similar to my old advisory:
> http://www.securityfocus.com/bid/9811/discussion/
>
> Norton AntiVirus 2002 ASCII Control Character Denial Of Service
> Vulnerability
>
> Norton AntiVirus 2002 has been reported to crash when performing
> manual scans on files contained in certain folders. This is related to
> how the software handles ASCII control characters (represented by
> decimal values in the range of 1-31).
>
> Although unconfirmed this issue may allow a malicious file to go
> un-scanned, and so lead a user into a false sense of security.
>
> -bipin
--- "Dr. Peter Bieringer" <pbieringer@xxxxxxxxxx> wrote:
> Hello,
>
> during investigation of Sober.l we got the idea to replace the spaces
> of a filename contained in the ZIP archive by some escape sequences.
>
> Much AV software is logging such filenames during decompressing, so
> after creating such a regular ZIP archive (by using Perl Archive::Zip
> module, no other tweaks!) we've found that some of the tested products
> do not filter or replace the escape sequences, which leads to funny
> results during displaying the output of the AV scanner or viewing the
> log.
>
> Also we found that at least 2 AV scan programs from 2 vendors do not
> detect the virus inside and report "clean" instead.
>
> See here for more details:
>
> <ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/unfiltered-escape-sequences.txt>
>
> <http://www.aerasec.de/security/index.html?id=ae-200503-020&lang=en>
>
> We also provide samples and the Perl program for creating the samples:
>
> <ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/>
>
>
> Due to lack of time we only tested a few products, so if one can
> provide results of other products, pls. send them (also) to us.
> Thank you!
>
> Regards,
> Dr. Peter Bieringer
> --
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
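
As a defensive illustration of the issue discussed in this thread, the following added example (not part of the original messages, the AERAsec samples, or any vendor's code) shows how a scanner or log writer could render ZIP member names so that control characters and escape sequences appear as visible text instead of reaching the terminal or log viewer raw. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import zipfile


def is_control(ch: str) -> bool:
    """True for C0 controls (0-31, includes ESC 0x1b), DEL, and C1 controls (includes CSI 0x9b)."""
    cp = ord(ch)
    return cp < 0x20 or 0x7F <= cp <= 0x9F


def safe_name(name: str) -> str:
    """Return a log-safe rendering: control characters become visible \\xNN text."""
    out = []
    for ch in name:
        if is_control(ch):
            out.append(f"\\x{ord(ch):02x}")
        elif ch == "\\":
            out.append("\\\\")  # escape backslash so the rendering stays unambiguous
        else:
            out.append(ch)
    return "".join(out)


def audit_zip(data: bytes):
    """Return [(safe_display_name, contains_control_chars)] for every archive member."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            results.append((safe_name(name), any(is_control(c) for c in name)))
    return results


def build_sample() -> bytes:
    """Constructed sample: one member name carries an ANSI colour sequence, one is plain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report\x1b[31mclean.txt", b"constructed sample data")
        zf.writestr("plain.txt", b"constructed sample data")
    return buf.getvalue()


if __name__ == "__main__":
    for shown, flagged in audit_zip(build_sample()):
        # Only the escaped form is ever printed; flagged names deserve an alert.
        print(("SUSPICIOUS " if flagged else "ok         ") + shown)
```

Flagging such names matters as much as escaping them: a member name containing control characters is rarely legitimate and is worth recording as a finding in its own right.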