Date: Thu, 17 Mar 2005 12:06:18 +0100
From: Tomasz Papszun <tomek-bug@...z.tpsa.pl>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning


On Tue, 15 Mar 2005 at 22:07:06 -0300, Rodrigo Barbosa wrote:
> On Tue, Mar 15, 2005 at 09:06:05PM +0000, Nigel Horne wrote:
> > > > # unzip -l mixed-eicar.zip
> > > > Archive:  mixed-eicar.zip
> > > >  Length     Date   Time    Name
> > > > --------    ----   ----    ----
> > > >      308  03-10-05 12:00   Test^G^[[2J^[[2;5m^[[1;31mHACKER
> > > > ATTACK^[[2;25m^[[22;30m^[[3q.txt
> > > >      308  03-10-05 12:00   eicarcom2.zip
> > > > --------                   -------
> > > >      616                   2 files
> > > 
> > > F-Prot seems to detect it correctly:
> > 
> > As does clamAV:
> > [njh@njh tmp]$ clamscan mixed-eicar.zip
> > mixed-eicar.zip: Eicar-Test-Signature FOUND
> > 
> > Scanned files: 1
> > Infected files: 1
> 
> Actually, no. There were 2 infected files in there. ClamAV only found 1.
> 
> - -- 
> Rodrigo Barbosa <rodrigob@...spammers.org>

It's a feature. It's documented, e.g.:
http://www.clamav.net/doc/latest/html/node28.html

  "In case of archives the scanner depends on libclamav
   and only prints the first virus found within an archive".

Scanning the rest of the files in the archive when it's already known that
it contains at least one infected file is usually just a waste of
resources. Of course it's possible to force clamscan to do it, but it's
not the default way. See the URL above.

Also, the number shown in "Scanned files:" means the number of files
scanned directly (in this example: the archive itself), not the number
of files present inside the archive. 

As proof that ClamAV successfully detects the Eicar signature in a
zipped file with escape sequences in the filename, you can delete
eicarcom2.zip from the archive and scan the archive again:

$ unzip -l mixed-eicar.zip
Archive:  mixed-eicar.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
      308  03-10-05 12:00   Test^G^[[2J^[[2;5m^[[1;31mHACKER
ATTACK^[[2;25m^[[22;30m^[[3q.txt
 --------                   -------
      308                   1 file

$ clamscan mixed-eicar.zip
mixed-eicar.zip: Eicar-Test-Signature FOUND

P.S.
I'm not subscribed to full-disclosure, so please Cc: me in case the
thread continues on full-disclosure.

-- 
 Tomasz Papszun    SysAdm @ TP S.A. Lodz, Poland    | And it's only
 tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 tomek at clamav.net   http://www.ClamAV.net/   A GPL virus scanner
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
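The thread's underlying problem is that archive entry names are untrusted data: if a listing or a log line writes them to a terminal verbatim, the embedded ESC sequences (screen clear, colour changes, and so on) are executed by the terminal instead of being shown. The following is an added example, not code from the thread, from unzip or from ClamAV. It builds an in-memory ZIP in Python's standard `zipfile` module whose first entry name carries the same control bytes as the "Test...HACKER ATTACK...txt" entry above (the space between HACKER and ATTACK is an assumption; the original name was line-wrapped by the mail client), and renders the names in the caret notation that unzip(1) uses, so they are safe to print or log. The entry contents are constructed placeholders, not the Eicar test string.

```python
import io
import zipfile
from typing import List, Tuple

# Constructed sample data (assumptions, not from the original message).
HOSTILE_NAME = (
    "Test\x07\x1b[2J\x1b[2;5m\x1b[1;31mHACKER ATTACK"
    "\x1b[2;25m\x1b[22;30m\x1b[3q.txt"
)
HOSTILE_DATA = b"placeholder content, not a test signature\n"
NESTED_NAME = "eicarcom2.zip"
NESTED_DATA = b"placeholder bytes standing in for a nested archive\n"


def escape_control_chars(name: str) -> str:
    """Render control characters visibly, in the caret notation unzip(1) uses.

    0x07 (BEL) becomes "^G", 0x1b (ESC) becomes "^[", DEL becomes "^?", and
    C1 controls such as 0x9b (8-bit CSI) become "\\x9b". Once escaped this
    way, a terminal prints the sequence instead of acting on it.
    """
    out = []
    for ch in name:
        code = ord(ch)
        if code < 0x20:
            out.append("^" + chr(code + 0x40))   # 0x1b -> "^[", 0x07 -> "^G"
        elif code == 0x7F:
            out.append("^?")
        elif 0x80 <= code <= 0x9F:
            out.append("\\x%02x" % code)         # C1 range: CSI is 0x9b
        else:
            out.append(ch)
    return "".join(out)


def build_sample_archive() -> bytes:
    """Create the two-entry ZIP in memory (mirrors mixed-eicar.zip's layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(HOSTILE_NAME, HOSTILE_DATA)
        zf.writestr(NESTED_NAME, NESTED_DATA)
    return buf.getvalue()


def safe_listing(zip_bytes: bytes) -> List[Tuple[str, int]]:
    """Return (escaped_name, uncompressed_size) for every entry.

    The escaped names contain no raw control bytes, so they can be written
    to a terminal or a log file without the terminal interpreting them.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(escape_control_chars(i.filename), i.file_size)
                for i in zf.infolist()]


if __name__ == "__main__":
    archive = build_sample_archive()
    print("  Length  Name")
    print(" -------  ----")
    for name, size in safe_listing(archive):
        print(f"{size:8d}  {name}")
```

Running the script prints the listing with `Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK^[[2;25m^[[22;30m^[[3q.txt` as literal text. The same `escape_control_chars` step belongs in front of any logger or report generator that records attacker-controlled names, since the scanner's own detection result is unaffected by the name but the operator reading the log is the target of the escape sequences.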

