lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050315164324.48286.qmail@web31503.mail.mud.yahoo.com>
Date: Tue, 15 Mar 2005 08:43:24 -0800 (PST)
From: bipin gautam <visitbipin@...oo.com>
To: "Dr. Peter Bieringer" <pbieringer@...asec.de>,
	full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Re: Unfiltered escape sequences in filenames
	contained in ZIP archives wouldn't be escaped on displaying or
	logging, and can also lead to bypass AV scanning



Dr. Peter,
My rants regarding similar issue dates back, Mar 05,
2004. There was some other issues in NAV product that
i tried contacting SYMANTEC in 2003 (i guess).
Symantec, discarded this issue.
http://www.securityfocus.com/archive/1/357065

So did they to latest advisory!!!

http://www.geocities.com/visitbipin/nav_bugs.html
 http://www.securityfocus.com/bid/9811
http://www.geocities.com/visitbipin/test_nav.zip

the exe file in there will create the POC. In there
you will find a file name called, "eicar_com &#9835;
.&#9786;&#9787;&#9829;&#9830;&#9827;&#9824;�&#9688;
�&#8596;&#9650;� .com .zip" I STIL FIND IT strange to
see there are "lot of AV" out there that cant scan
such file properly to detect virus. I tested mine OLD
POC with NAV 2004 professional edition. And, found ANV
2004 is still vulnerable!!!!! not only 2002 late back
then.  

Such issue discourage you away from responsible
disclosure/vendor notification etc. AND symantec is
the 1 and only cause for me, thats pushes me away from
responsible disclosure.

INDEED since then IT has been always FUN TO KICK THEIR
BALLS AND POKE THEIR BABY, time and again......

i guess, companies should know learn how to treat ppl.
who write to them. For this, i've always admired
Microsoft.   (O;   (no flames)

-bipin
 
--- bipin gautam <visitbipin@...oo.com> wrote:

> NICE FIND. (O;
> 
> But hey, That something quite similar to my old
> advisory
> :http://www.securityfocus.com/bid/9811/discussion/
> 
> Norton AntiVirus 2002 ASCII Control Character Denial
> Of Service Vulnerability
> 
> Norton AntiVirus 2002 has been reported to crash
> when
> performing manual scans on files contained in
> certain
> folders. This is related to how the software handles
> ASCII control characters (represented by decimal
> values in the range of 1-31).
> 
> Although unconfirmed this issue may allow a
> malicious
> file to go un-scanned, and so lead a user into a
> false
> sense of security.
> 
> -bipin



--- "Dr. Peter Bieringer" <pbieringer@...asec.de>
wrote:
> Hello,
> 
> during investigation of Sober.l we got the idea to
> replace the spaces of a 
> filename contained in the ZIP archive by some escape
> sequences.
> 
> Many AV software is logging such filenames during
> decompressing, so after 
> creating such regular ZIP archive (by using Perl
> Archive::Zip module, no 
> other tweaks!) we've found that some of the tested
> products do not filter 
> or replace the escape sequences, which leads to
> funny results during 
> displaying the output of the AV scanner or viewing
> the log.
> 
> Also we found that at least 2 AV scan programs from
> 2 vendors do not detect 
> the virus inside and report "clean" instead.
> 
> See here for more details:
> 
>
<ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/unfiltered-escape-sequences.txt>
>
<http://www.aerasec.de/security/index.html?id=ae-200503-020&lang=en>
> 
> We provide also samples and the Perl program for
> creating the samples:
>
<ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/>
> 
> 
> Due lack of time we only tested a few products, so
> if one can provide 
> results of other products, pls. send them (also) to
> us. Thank you!
> 
> Regards,
> 	Dr. Peter Bieringer
> -- 


		
__________________________________ 
Do you Yahoo!? 
Make Yahoo! your home page 
http://www.yahoo.com/r/hs
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ