Open Source and information security mailing list archives
 
Message-ID: <77372878.20090507105512@Zoller.lu>
Date: Thu, 7 May 2009 10:55:12 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: NTBUGTRAQ <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>,
	bugtraq <bugtraq@...urityfocus.com>,
	full-disclosure <full-disclosure@...ts.grok.org.uk>,
	<info@...cl.etat.lu>, <vuln@...unia.com>, <cert@...t.org>,
	<nvd@...t.gov>, <cve@...re.org>
Subject: Update: [TZO-15-2009] Aladdin eSafe generic bypass - Forced release



Update:
Aladdin responded and posted a blog post, please read the timeline and
then the blog post.
http://www.aladdin.com/AircBlog/post/2009/05/Archive-Bypass-Issue-and-eSafe.aspx

It is said that :
-----------------
"This means that in case a customer receives such a specially crafted
archive file, he will not be able to extract it."

This is wrong. WinRAR, for example, extracts the PoC files fine.

"We have acted on the issue after two days since its first coming
into view."
Please see the timeline below and draw your conclusions.

"The eSafe products affected by this vulnerability are 7.1, 7.0, and
6."
I was not communicated this information and had to find a referer in
my log files in order to know.


Full update to be published after more discussions...

-------------

IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
04/04/2009 : Send proof of concept, description of the terms under which
             I cooperate and the planned disclosure date. There is
             no security address listed at [1] and hence took previously
             known security contacts that are known to exist.

             No reply.

13/04/2009 : Resending. Copied security@...ddin.de, security@...ddin.com,
             secure@...ddin.com, secure@...ddin.de, support@...ddin.com,
             support@...ddin.de in CC.

             No reply.

16/04/2009 : Resending specifying this is the last attempt to disclose
             responsibly.

             No reply.

18/04/2009 : Online virus scan service offered to gap the bridge between
             vendors that don't reply and myself. Aladdin was contacted
             through third party.

             No reaction.

19/04/2009 : Aladdin visited the blog entry that explains the bypasses
             and impacts. http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

             No reaction.

27/04/2009 : Release of this limited advisory.


[1] http://osvdb.org/vendor/1/Aladdin%20Knowledge%20Systems

