
[Full-disclosure] Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning



On Mon, 14 Mar 2005, Dr. Peter Bieringer wrote:

> during investigation of Sober.l we got the idea to replace the spaces of a
> filename contained in the ZIP archive by some escape sequences.
> 
[...]
> 
> Also we found that at least 2 AV scan programs from 2 vendors do not detect
> the virus inside and report "clean" instead.

I think Sophos passes the test.  I find that the underlying API (as exposed
by a python wrapper) is able to detect the viruses in all cases.  For the
command line "sweep" utility, try adding the "-all" switch to your
invocation:

   $ /usr/local/bin/sweep -ss -archive -all unfiltered-escape-sequences-in-filename-eicar.zip
   >>> Virus 'EICAR-AV-Test' found in file unfiltered-escape-sequences-in-filename-eicar.zip/Test_[2J_[2;5m_[1;31mHACKER ATTACK_[2;25m_[22;30m_[3q.txt/eicar_com.zip/eicar.com
   $ md5sum unfiltered-escape-sequences-in-filename-eicar.zip
   38363004047dc11b206305bd3660d68f  unfiltered-escape-sequences-in-filename-eicar.zip

This is using engine 2.28.4, as in your tests.  The constituent filenames are
escaped before being displayed, too (sadly excepting ASCII BEL).

Regards,
Mike
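The two points in this exchange, that a scanner must descend into nested archives (the effect of "-all" above) and that member names must have control characters escaped before they reach a display or a log (including BEL, which the reply notes is missed), can be reproduced with the standard library. The following is an added example written for this archive page; it is neither the original poster's test harness nor Sophos code. It assumes that the "_" in the posted output stands for the ESC byte (0x1b) and rebuilds the same member name with real escape bytes; the innermost file content is a constructed placeholder, not the EICAR string, and the nesting mirrors the path in the sweep output (a ".txt" member that is itself a ZIP, holding eicar_com.zip, holding eicar.com).

```python
"""Flag and neutralise terminal escape sequences in ZIP member names.

Added example, not code from the thread or from any AV vendor.  It shows the
defender-side handling: walk nested archives by content (not by extension),
classify member names that carry control characters, and render every name
through an escaping function before it is logged or printed.
"""
import io
import re
import zipfile

# Any C0 control (0x00-0x1F), DEL (0x7F) or C1 control (0x80-0x9F).
# BEL (0x07) is deliberately included; the reply above notes it is often missed.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")

# ECMA-48 forms: CSI (ESC [ params intermediates final), OSC (ESC ] ... BEL/ST),
# then the remaining two-byte ESC Fe sequences.  CSI/OSC are listed first so the
# '[' and ']' are not swallowed by the generic Fe alternative.
_ANSI_RE = re.compile(
    r"\x1b(?:\[[0-?]*[ -/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-_])"
)

# Constructed sample mirroring the posted path; '_' in the post becomes 0x1b here.
SAMPLE_MEMBER = (
    "Test_\x1b[2J\x1b[2;5m\x1b[1;31mHACKER ATTACK\x1b[2;25m\x1b[22;30m\x1b[3q.txt"
)

# Refuse to unpack nested archives beyond these limits (zip-bomb hygiene).
MAX_DEPTH = 4
MAX_NESTED_BYTES = 16 * 1024 * 1024


def sanitize_name(name: str) -> str:
    """Return name with every control character shown as a visible \\xNN escape."""
    return _CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), name)


def classify_name(name: str) -> list:
    """Return the reasons a member name is suspicious (empty list if clean)."""
    reasons = []
    if _ANSI_RE.search(name):
        reasons.append("ansi-escape")
    if "\x07" in name:
        reasons.append("bel")
    leftover = _ANSI_RE.sub("", name).replace("\x07", "")
    if _CONTROL_RE.search(leftover):
        reasons.append("other-control")
    return reasons


def walk_archive(data: bytes, prefix: str = "", depth: int = 0) -> list:
    """Return [(escaped_path, reasons)] for every member, recursing into nested ZIPs.

    Nested archives are detected by content via zipfile.is_zipfile, so a member
    called 'something.txt' that is really a ZIP is still descended into.
    """
    findings = []
    if depth > MAX_DEPTH:
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            safe = sanitize_name(info.filename)
            path = prefix + "/" + safe if prefix else safe
            findings.append((path, classify_name(info.filename)))
            if info.is_dir() or info.file_size > MAX_NESTED_BYTES:
                continue
            payload = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(payload)):
                findings.extend(walk_archive(payload, path, depth + 1))
    return findings


def build_sample_archive() -> bytes:
    """Constructed three-level archive: outer -> 'Test_...txt' (ZIP) -> eicar_com.zip -> eicar.com."""
    innermost = io.BytesIO()
    with zipfile.ZipFile(innermost, "w") as zf:
        zf.writestr("eicar.com", b"placeholder content, not the EICAR test string\n")
    middle = io.BytesIO()
    with zipfile.ZipFile(middle, "w") as zf:
        zf.writestr("eicar_com.zip", innermost.getvalue())
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(SAMPLE_MEMBER, middle.getvalue())
        zf.writestr("ring\x07me.txt", b"just a BEL in the name\n")
    return outer.getvalue()


def report_lines(data: bytes) -> list:
    """Log-safe listing: one line per member, names already escaped."""
    return [
        "%s  %s" % ("FLAG" if reasons else "ok  ", path)
        + (" [%s]" % ",".join(reasons) if reasons else "")
        for path, reasons in walk_archive(data)
    ]


if __name__ == "__main__":
    for line in report_lines(build_sample_archive()):
        print(line)
```

Every string that reaches `print` or a log call goes through `sanitize_name` first, so the listing is safe even on a terminal that honours the sequences; the classification is kept separate so a scanner can alert on the raw name while the renderer never sees it unescaped.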
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/