Open Source and information security mailing list archives
 
Message-ID: <41016BD7.2080400@greyhat.de>
Date: Fri, 23 Jul 2004 21:49:43 +0200
From: "Oliver@...yhat.de" <Oliver@...yhat.de>
To: Hugo van der Kooij <hvdkooij@...derkooij.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: eSafe: Could this be exploited?


Hugo van der Kooij wrote:

>Hi,
>
>I had a bit of a chat with Aladdin support regarding the odd results I had
>with their network virusscanner (aka: eSafe). (see also:
>http://www.ealaddin.com/esafe/default.asp)
>
>Both as NitroEngine or CVP server they will push as much as 80% to the
>end-user before they stop a virus. Then they rely on the adding of the
>exact URL so that URL can be blocked in all next requests.
>
>If it is a first time hit you can get as much as 80% of the payload on
>your machine and while they may reset the tcp stream at least IE does
>store the 80% chunk as if the file was transferred correctly. (This part I
>tested with over 30 different virus files.)
>
>First off this is extremely confusing to the user who just thinks (s)he
>just had a virus passing their scanner. (And they are about 80% right.)
>
>Then the chunk may contain enough to trigger another scanner which may
>reside on the desktop of said user adding further to the belief this is
>not a good product.
>
>But what if I were to write a really small harmful virus (say less than 2
>ethernet packets)? Or create it in such a way that the last 20 to 25% is
>expendable without losing its sting?
>
>Is someone able to verify such a virus may work? (I am not a programmer so
>I can think of the potential breach but I can't verify it is exploitable.)
>
>I have a feeling it is just a matter of time before such a scanner will be
>bypassed.
>
>Hugo.
>
>  
>
Hi, I saw this "feature" already on other vendors' AV proxies, where this
80% thing is a side effect of HTTP comforting in the proxy software.
Comforting means that the HTTP client does not run into a timeout.
I think it is possible to generate an exe file and attach some random
data, whereby the exe file is about 80% and the random data 20%.
I also think the problem is that the AV does not stop exactly at
80%. So you have to generate multiple "infected" files with 80/20,
81/19, 82/18 and so on.
In addition, you have to test whether, for example, a scripting host file
or a binary is still executable if the last few bytes at the end are
garbage. AFAIK the PE header on Windows .exe files also includes a
checksum/lof of the file..... if I remember right, this checksum is not
utilized by Win95/Win98, but by W2K/NT Windows OS. So, there are many
circumstances to take care of, but I think it is possible in some
cases..... let's try it :)

ok, just some ideas late at night.... :)
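
A client-side mitigation for the behaviour discussed in this thread (a partial chunk kept on disk as if the transfer had completed), as an added example that is not part of either message: stream to a `.part` file and promote it only when the byte count matches the declared Content-Length. The names `save_verified` and `reset_after` and the sample body are constructed for illustration.

```python
import os
import tempfile


class IncompleteDownload(Exception):
    """Raised when fewer bytes arrived than the server declared."""


def save_verified(chunks, declared_length, dest):
    """Stream `chunks` to dest + '.part'; promote to `dest` only when complete."""
    part = dest + ".part"
    received = 0
    try:
        with open(part, "wb") as fh:
            for chunk in chunks:
                fh.write(chunk)
                received += len(chunk)
        if declared_length is None:
            raise IncompleteDownload("no Content-Length, completeness unknown")
        if received != declared_length:
            raise IncompleteDownload(f"got {received} of {declared_length} bytes")
    except (ConnectionError, IncompleteDownload) as exc:
        if os.path.exists(part):
            os.remove(part)          # never leave the partial chunk on disk
        raise IncompleteDownload(str(exc)) from exc
    os.replace(part, dest)           # atomic promotion of the verified file
    return dest


def reset_after(body, fraction):
    """Constructed stream: deliver `fraction` of body, then a TCP reset."""
    cut = int(len(body) * fraction)
    for i in range(0, cut, 512):
        yield body[i:min(i + 512, cut)]
    if cut < len(body):
        raise ConnectionResetError("stream reset by gateway")


def demo():
    body = bytes(range(256)) * 40    # constructed 10240-byte sample body
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, fraction in (("full", 1.0), ("cut", 0.8)):
            dest = os.path.join(tmp, name + ".bin")
            try:
                save_verified(reset_after(body, fraction), len(body), dest)
            except IncompleteDownload:
                pass
            results[name] = (os.path.exists(dest), os.path.exists(dest + ".part"))
    return results
```

`demo()` returns, per case, whether the final file and the `.part` file exist afterwards; the transfer reset at 80% leaves neither behind.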





