Open Source and information security mailing list archives
 
Date: Mon, 14 Mar 2005 15:21:18 +0100
From: "Dr. Peter Bieringer" <pbieringer@...asec.de>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning

Hello,

during investigation of Sober.l we got the idea to replace the spaces of a 
filename contained in the ZIP archive by some escape sequences.

Much AV software logs such filenames during decompression, so after 
creating such a regular ZIP archive (using the Perl Archive::Zip module, no 
other tweaks!) we found that some of the tested products do not filter 
or replace the escape sequences, which leads to funny results when 
displaying the output of the AV scanner or viewing the log.

Also we found that at least 2 AV scan programs from 2 vendors do not detect 
the virus inside and report "clean" instead.

See here for more details:

<ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/unfiltered-escape-sequences.txt>
<http://www.aerasec.de/security/index.html?id=ae-200503-020&lang=en>

We also provide samples and the Perl program for creating the samples:
<ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/>


Due to lack of time we only tested a few products, so if anyone can provide 
results for other products, please send them (also) to us. Thank you!

Regards,
	Dr. Peter Bieringer
-- 
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Strasse 1                          Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer@...asec.de
Germany                                Internet: http://www.aerasec.de
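
A defensive counterpart to the logging problem reported in this message, as an added example that is not part of the original post or of any tested product: a scanner can render control characters in ZIP member names as visible text before a name reaches a terminal or log. The function names and the sample archive are constructed for illustration, and the handling of Unicode format characters goes beyond the escape-sequence case the post describes.

```python
import io
import unicodedata
import zipfile

# Control (Cc: ESC, other C0 codes, the C1 range), format (Cf: e.g. bidi
# overrides) and line/paragraph separators can all alter how a log renders.
UNSAFE_CATEGORIES = {"Cc", "Cf", "Zl", "Zp"}

def is_unsafe(ch: str) -> bool:
    return unicodedata.category(ch) in UNSAFE_CATEGORIES

def safe_name(name: str) -> str:
    """Return an untrusted member name with unsafe characters shown as
    visible text; backslash is doubled so the output stays unambiguous."""
    out = []
    for ch in name:
        if ch == "\\":
            out.append("\\\\")
        elif is_unsafe(ch):
            cp = ord(ch)
            out.append(f"\\x{cp:02x}" if cp < 0x100 else f"\\u{{{cp:04x}}}")
        else:
            out.append(ch)
    return "".join(out)

def audit_zip(data: bytes):
    """Return (display_name, flagged) for every member of a ZIP archive.
    'flagged' is True when the stored name held an unsafe character."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            flagged = any(is_unsafe(ch) for ch in info.filename)
            report.append((safe_name(info.filename), flagged))
    return report

def build_sample() -> bytes:
    # Constructed sample: an ordinary ZIP whose first member name carries an
    # ANSI colour sequence (ESC [ 31 m) in place of a space.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice\x1b[31mdoc.txt", b"harmless test content")
        zf.writestr("readme.txt", b"plain name")
    return buf.getvalue()

if __name__ == "__main__":
    for shown, flagged in audit_zip(build_sample()):
        print(("SUSPICIOUS NAME " if flagged else "ok              ") + shown)
```

Flagging the name as well as neutralising it gives the operator a record that the archive carried control characters, which is itself a useful signal.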
