[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] NUL Character Evasion
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] NUL Character Evasion
- From: "Williams, James K" <James.Williams@xxxxxx>
- Date: Fri, 16 Sep 2005 12:05:05 -0400
> List: full-disclosure
> Subject: Re: [Full-disclosure] NUL Character Evasion
> From: fd () ew ! nsci ! us
> Date: 2005-09-15 19:57:30
>
> > > On Thu, 15 Sep 2005, Williams, James K wrote:
> > > List: full-disclosure
> > > Subject: [Full-disclosure] NUL Character Evasion
> > > From: ju () heisec ! de
> > > Date: 2005-09-13 21:24:42
> >
> > Thank you for the report. Computer Associates is currently
> > investigating the issue (as it relates to CA products).
> >
> > Regards,
> > kw
>
> Ken,
>
> How long until this update hits your product?
>
> -Eric
>
> --
> Eric Wheeler
As initially suspected, from the AV signature perspective, this
is not a critical issue until and unless something specific
shows up in the wild or is reported to a vendor. The NUL char
insertion concept is similar in theory to, for example, K2's
classic ADMmutate[1] polymorphic shellcode engine for NIDS
evasion, or simply adding NOPs to an executable. Alex and
Neel[2] discussed this class of AV vulns at core05 and Blackhat.
Regards,
kw
[1] http://www.ktwo.ca/security.html
[2] http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-wheeler.pdf
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/