Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.61.0503151337140.14200@workstation3.wi.securepipe.com>
Date: Tue, 15 Mar 2005 13:51:55 -0600 (CST)
From: "Michael J. Pomraning" <mjp-bugtraq@...urepipe.com>
To: "Dr. Peter Bieringer" <pbieringer@...asec.de>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning


On Mon, 14 Mar 2005, Dr. Peter Bieringer wrote:

> during investigation of Sober.l we got the idea to replace the spaces of a
> filename contained in the ZIP archive by some escape sequences.
> 
[...]
> 
> Also we found that at least 2 AV scan programs from 2 vendors do not detect
> the virus inside and report "clean" instead.

I think Sophos passes the test.  I find that the underlying API (as exposed
by a python wrapper) is able to detect the viruses in all cases.  For the
command line "sweep" utility, try adding the "-all" switch to your
invocation:

   $ /usr/local/bin/sweep -ss -archive -all unfiltered-escape-sequences-in-filename-eicar.zip 
   >>> Virus 'EICAR-AV-Test' found in file unfiltered-escape-sequences-in-filename-eicar.zip/Test_[2J_[2;5m_[1;31mHACKER ATTACK_[2;25m_[22;30m_[3q.txt/eicar_com.zip/eicar.com
   $ md5sum unfiltered-escape-sequences-in-filename-eicar.zip 
   38363004047dc11b206305bd3660d68f unfiltered-escape-sequences-in-filename-eicar.zip

This is using engine 2.28.4, as in your tests.  The constituent filenames are
escaped before being displayed, too (sadly excepting ASCII BEL).

Regards,
Mike
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
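The two defensive points raised in this thread (descend into nested archives before reporting "clean", and escape control characters in member names before displaying or logging them, BEL included) as an added example; this is not code from the original post or from any AV vendor, it uses only Python's standard zipfile module, and the archive it inspects is a constructed in-memory fixture, not the sample from the post.

```python
import io
import re
import zipfile

# Constructed fixture: an outer ZIP whose member name carries ANSI escape
# sequences and an ASCII BEL, wrapping a nested ZIP with a harmless text file.
INNER_ZIP = io.BytesIO()
with zipfile.ZipFile(INNER_ZIP, "w") as z:
    z.writestr("inner.txt", "harmless sample content\n")

OUTER_ZIP = io.BytesIO()
with zipfile.ZipFile(OUTER_ZIP, "w") as z:
    z.writestr("Test_\x1b[2J\x1b[1;31mHACKER ATTACK\x1b[0m\x07.txt/nested.zip",
               INNER_ZIP.getvalue())

# C0 controls (ESC, BEL, CR, ...), DEL and C1 controls: none of these belong
# in a name that is echoed to a terminal or written to a log.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def escape_name(name: str) -> str:
    """Replace every control character with a visible \\xNN token."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), name)


def walk_zip(data: bytes, prefix: str = "", depth: int = 0, max_depth: int = 8) -> list:
    """Recursively list member names, descending into nested ZIPs the way a
    scanner must; returns (escaped_path, contains_control_chars) tuples."""
    if depth > max_depth:  # bound recursion against deeply nested archives
        return [(prefix + "/<nesting limit reached>", False)]
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            path = prefix + "/" + info.filename if prefix else info.filename
            results.append((escape_name(path), bool(CONTROL_CHARS.search(path))))
            with z.open(info) as f:
                payload = f.read()
            if zipfile.is_zipfile(io.BytesIO(payload)):
                results.extend(walk_zip(payload, path, depth + 1, max_depth))
    return results


if __name__ == "__main__":
    for name, flagged in walk_zip(OUTER_ZIP.getvalue()):
        print(("SUSPICIOUS " if flagged else "ok         ") + name)
```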