lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0407232006590.12722@gandalf.hugo.vanderkooij.org>
Date: Fri, 23 Jul 2004 20:21:22 +0200 (CEST)
From: Hugo van der Kooij <hvdkooij@...derkooij.org>
To: bugtraq@...urityfocus.com
Subject: eSafe: Could this be exploited?


Hi,

I had a bit of a chat with Aladdin support regarding the odd results I had
with their network virusscanner (aka: eSafe). (see also:
http://www.ealaddin.com/esafe/default.asp)

Both as NitroEngine or CVP server they will push as much of 80% to the
end-user before they stop a virus. Then they rely on the adding of the
exact URL so that URL can be blocked in all next requests.

If it is a first time hit you can get as much as 80% of the payload on
your machine and while they may reset the tcp stream at least IE does
store the 80% chunk as if the file was transfered correctly. (This part I
tested with over 30 different virus files.)

First off this is extremely confusing to the user who just thinks (s)he
just had a virus passing their scanner. (And they are about 80% right.)

Then the chunk may contain enough to trigger another scanner which may
reside on the desktop of said user adding further to the belief this is
not a good product.

But what if I were to write a really small harmfull virus (say less then 2
ethernet packets)? Or create it in such way that the last 20 to 25% is
expendible without loosing it's sting?

Is someone able to verify such a virus may work? (I am not a programmer so
I can think of the potential breach but I can't verify it is exploitable.)

I have a felling it is just a matter of time before such a scanner will be
bypassed.

Hugo.

-- 
 All email sent to me is bound to the rules described on my homepage.
    hvdkooij@...derkooij.org		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ