lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20050315172916.GQ1645@suespammers.org>
Date: Tue, 15 Mar 2005 14:29:16 -0300
From: Rodrigo Barbosa <rodrigob@...spammers.org>
To: "Dr. Peter Bieringer" <pbieringer@...asec.de>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Unfiltered escape sequences in filenames
	contained in ZIP archives wouldn't be escaped on displaying or
	logging, and can also lead to bypass AV scanning


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Mar 15, 2005 at 05:45:58PM +0100, Dr. Peter Bieringer wrote:
> >I STIL FIND IT happy to
> >see there are lot of AV out there that cant scan such
> >file properly to detect virus.
> 
> The problem must be located in the unzip engine:
> 
> We've created a mixed ZIP now:
> 
> # unzip -l mixed-eicar.zip
> Archive:  mixed-eicar.zip
>  Length     Date   Time    Name
> --------    ----   ----    ----
>      308  03-10-05 12:00   Test^G^[[2J^[[2;5m^[[1;31mHACKER 
> ATTACK^[[2;25m^[[22;30m^[[3q.txt
>      308  03-10-05 12:00   eicarcom2.zip
> --------                   -------
>      616                   2 files
> 
> 
> BTW: note here that "unzip" displays the escape sequences very proper!
> 
> Available here:
> <ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/mixed-eicar.zip>
> 
> Some AV software detect the virus only in second part of the ZIP file, so 
> it looks like the first one is really skipped and not analysed.

F-Prot seems to detect it correctly:

VIRUS SIGNATURE FILES
SIGN.DEF created 13 March 2005
SIGN2.DEF created 13 March 2005
MACRO.DEF created 11 March 2005

Search: mixed-eicar.zip
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER

/home/rodrigob/tmp/mixed-eicar.zip->Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK^[[2;25m^[[22;30m^[[3q.txt->eicar_c->eicar.com  Infection: EICAR_Test_File
/home/rodrigob/tmp/mixed-eicar.zip->eicarcom2.zip->eicar_com.zip->eicar.com  Infection: EICAR_Test_File

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 7
Infected: 2
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00

- -- 
Rodrigo Barbosa <rodrigob@...spammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCNxtspdyWzQ5b5ckRApEcAKCHZTlzib/lH7LUjpL/FqEOtSsyegCfbW1a
BSjnssdy4iIBXZyEcv/JF1Q=
=M4rV
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ