[Full-disclosure] Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning
- To: "Michael J. Pomraning" <mjp-bugtraq@xxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning
- From: "Dr. Peter Bieringer" <pbieringer@xxxxxxxxxx>
- Date: Wed, 16 Mar 2005 10:48:45 +0100
--On Tuesday, 15 March 2005 13:51 -0600 "Michael J. Pomraning" <mjp-bugtraq@xxxxxxxxxxxxxx> wrote:
$ /usr/local/bin/sweep -ss -archive -all unfiltered-escape-sequences-in-filename-eicar.zip
>>> Virus 'EICAR-AV-Test' found in file unfiltered-escape-sequences-in-filename-eicar.zip/Test_[2J_[2;5m_[1;31mHACKER ATTACK_[2;25m_[22;30m_[3q.txt/eicar_com.zip/eicar.com
$ md5sum unfiltered-escape-sequences-in-filename-eicar.zip
38363004047dc11b206305bd3660d68f  unfiltered-escape-sequences-in-filename-eicar.zip
This is using engine 2.28.4, as in your tests. The constituent filenames are escaped before being displayed, too (sadly excepting ASCII BEL).
Also not ASCII BS; we've created an additional ZIP file for testing, available here:
<ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/mixed2-eicar.zip>
$ unzip -l mixed2-eicar.zip
Archive:  mixed2-eicar.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
      308  03-10-05 12:00   eicarcom2.zip^H^H^Htxt
      308  03-10-05 12:00   eicarcom2.zip
 --------                   -------
      616
$ /usr/local/bin/sweep -sc -nc -ss -archive -all mixed2-eicar.zip
Virus 'EICAR-AV-Test' found in file mixed2-eicar.zip/eicarcom2.txt/eicar_com.zip/eicar.com
Virus 'EICAR-AV-Test' found in file mixed2-eicar.zip/eicarcom2.zip/eicar_com.zip/eicar.com
Note the difference: eicarcom2.txt <-> eicarcom2.zip
Regards,
Peter
--
Dr. Peter Bieringer Phone: +49-8102-895190
AERAsec Network Services and Security GmbH Fax: +49-8102-895199
Wagenberger Strasse 1 Mobile: +49-174-9015046
D-85662 Hohenbrunn E-Mail: pbieringer@xxxxxxxxxx
Germany Internet: http://www.aerasec.de
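As an added example (not part of the original post or of any scanner discussed here), the following Python builds a constructed in-memory archive whose member names carry the same kinds of control characters as mixed2-eicar.zip (ASCII BS, BEL, ESC), and shows how a scanner or log writer should render such names so that a backspace-laden "eicarcom2.zip^H^H^Htxt" cannot masquerade on a terminal as "eicarcom2.txt":

```python
# Added example (not from the original post): audit ZIP member names for
# control characters and render them escaped before display or logging.
import io
import re
import zipfile

# Every C0 control (including BEL 0x07, BS 0x08, ESC 0x1b), DEL, and the
# C1 control range: none of these belong in a displayed filename.
_CONTROL = re.compile(r"[\x00-\x1f\x7f\x80-\x9f]")


def escape_name(name: str) -> str:
    """Render a member name with control characters shown as \\xNN."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), name)


def has_control_chars(name: str) -> bool:
    """True if the name could alter what a terminal or log viewer shows."""
    return _CONTROL.search(name) is not None


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the thread's archive; dummy payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("eicarcom2.zip\x08\x08\x08txt", b"dummy")   # BS trick
        zf.writestr("eicarcom2.zip", b"dummy")                   # clean name
        zf.writestr("Test_\x1b[2J\x1b[1;31mHA\x07.txt", b"dummy")  # ESC + BEL
    return buf.getvalue()


def audit_archive(data: bytes) -> list:
    """Return (escaped display name, suspicious flag) per archive member."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(escape_name(n), has_control_chars(n)) for n in zf.namelist()]


if __name__ == "__main__":
    for shown, suspicious in audit_archive(build_sample_zip()):
        print(("SUSPICIOUS " if suspicious else "ok         ") + shown)
```

The escaped form is what belongs in scanner output and log lines; the raw name is only ever passed to the filesystem or archive API, never to a terminal.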
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/