Message-ID: <2C4E0A87C4F1514E86629F9972656E394235E7@cads1.CADesign.dk>
Date: Tue, 15 Jun 2004 10:10:36 +0200
From: "Bo Rasmussen" <brr@...esign.dk>
To: <bugtraq@...urityfocus.com>
Subject: RE:  Multiple Antivirus Scanners DoS attack.


Hi,

Just tried with clamscan and clamdscan v.0.71 on an OpenBSD 3.5, with
these signatures:

ClamAV update process started at Tue Jun 15 09:13:49 2004
main.cvd is up to date (version: 23, sigs: 21096, f-level: 2, builder:
ddm)
daily.cvd updated (version: 357, sigs: 866, f-level: 2, builder:
ccordes)
Database updated (21962 signatures) from database.clamav.net
(152.66.249.132).


mail# clamscan SERVER_dwn.zip 
SERVER_dwn.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 21962
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 20.13 MB
I/O buffer size: 131072 bytes
Time: 9.006 sec (0 m 9 s)
mail#

mail# clamdscan SERVER_dwn.zip 
/var/amavis/SERVER_dwn.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 8.053 sec (0 m 8 s)
mail#


No problems whatsoever.


Regards

Bo Rising Rasmussen
it/security consultant
brr@...esign.dk

> -----Original Message-----
> From: bipin gautam [mailto:visitbipin@...mail.com] 
> Sent: Monday, June 14, 2004 4:39 PM
> To: cert@...t.org; bugtraq@...urityfocus.com
> Cc: wk@....org; vulndiscuss@...nwatch.org; 
> vulndiscuss-owner@...nwatch.org
> Subject: Multiple Antivirus Scanners DoS attack.
> 
> Multiple Antivirus Scanners DoS attack.
> 
> --- [Vulnerable Products] ---
>       Only tested on...
> 
> * Norton Antivirus 2002
> * Norton Antivirus 2003
> * McAfee VirusScan 6
> * Network Associates (McAfee) VirusScan Enterprise 7.1
> * Windows XP default ZIP manager [reports wrong size of 
> compressed ZIP files.]
> 
> There have been multiple reports [Unconfirmed] that
> * F-Prot 4.4.2 for Linux
> * Panda Antivirus
> 
> are vulnerable.
> 
> 
> Risk Impact: Medium
> 
> --- [Details] ---
> 
> While having a manual scan of compressed files, several 
> antivirus, Trojan, spyware scanners suffer a DoS attack if 
> the software tries to completely extract the archive and scan 
> its content for a hostile file.
> 
> --- [Proof of Concept] ---
> Please download this file.
> http://www.geocities.com/visitbipin/SERVER_dwn.zip
> 
> Moreover, it's not safe to have the automatic 
> 'Quarantine/delete' option set for your AV scanner as it may 
> try to quarantine the virus by extracting the archive.
> 
> -----------
> Bipin Gautam
> http://www.geocities.com/visitbipin/
> 
> Disclaimer: The information in the advisory is believed to be 
> accurate at the time of printing based on currently available 
> information. Use of the information constitutes acceptance 
> for use in an AS IS condition. There are no warranties with 
> regard to this information. Neither the author nor the 
> publisher accepts any liability for any direct, indirect or 
> consequential loss or damage arising from use of, or reliance 
> on this information.
> 
> 
> 
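Added example, not part of the original thread or of any scanner named in it: one way a scanner can avoid the "completely extract the archive" failure described in the advisory is to stream each member under hard limits counted on bytes actually decompressed, not on header-declared sizes. The function names, the limits and the marker "signature" are assumptions made for illustration, and the sample archives are constructed in memory.

```python
import io
import zipfile

# Assumed limits for illustration; size them to the scanner's own budget.
MAX_TOTAL_BYTES = 1024 * 1024      # bytes actually decompressed per archive
MAX_RATIO = 100                    # decompressed : compressed, per member
RATIO_FLOOR = 256 * 1024           # ignore ratio until this much is produced
CHUNK = 64 * 1024
MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a signature


def has_marker(chunk):
    """Hypothetical signature engine: flags the constructed marker."""
    return MARKER in chunk


def build_sample(payload):
    """Build a constructed one-member ZIP in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("member.bin", payload)
    return buf.getvalue()


def scan_archive(data, scan_chunk, max_total=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO):
    """Return 'clean', 'infected', 'limit-exceeded' or 'unreadable'."""
    total = 0
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                produced = 0
                with zf.open(info) as member:
                    # Stream in fixed chunks: memory use stays bounded and the
                    # limits apply to real output, not header-declared sizes.
                    while chunk := member.read(CHUNK):
                        produced += len(chunk)
                        total += len(chunk)
                        if total > max_total:
                            return "limit-exceeded"
                        budget = max_ratio * max(info.compress_size, 1)
                        if produced > RATIO_FLOOR and produced > budget:
                            return "limit-exceeded"
                        if scan_chunk(chunk):
                            return "infected"
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        return "unreadable"  # corrupt, encrypted or unsupported member
    return "clean"
```

A production engine would also carry a short overlap between chunks so a signature split across a chunk boundary is still matched, and would treat "limit-exceeded" as its own verdict instead of silently passing the file.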

