lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: visitbipin at yahoo.com (bipin gautam)
Subject: Norton AntiVirus Scanner Remote Denial Of ServiceVulnerability [Part: !!!]

there was a mistake while uploading the file, Now the
link is fixed!!!


well, while scannng this archive NAV consumes 56MB of
memory..... crafting a bigger archive may consume more
memory!!!

ps: the archive is not password protected, under
certain condition some unzip utility... thinks a
archive is password protected even while the archive
isn't.  
------------
bipin gautam


--- "Peter B. Harvey (Information Security)"
<peterharvey@...rgency.qld.gov.au> wrote:
> 
> Could you please password protect it and email it to
> me. Ill test on Trend Micro.
> 
> Peter
> 
> -----Original Message-----
> From: bipin gautam [mailto:visitbipin@...oo.com]
> Sent: Friday, July 09, 2004 10:40 AM
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Norton AntiVirus Scanner
> Remote Denial Of
> ServiceVulnerability [Part: !!!]
> 
> 
> Anti-Virus Scanner Remote Denial Of Service
> Vulnerability [Part: !!!]
> 
> *vulnerable [...only tested on!]
> 
> Symantec Norton AntiVirus 2003 Professional Edition
> Symantec Norton AntiVirus 2002
> 
> *not vulnerable
> Mcafee 7*
> Mcafee 8*
> 
> Risk Impact: Medium
> Remote: yes
> 
> Description:
> While having a virus scan [automatic/manual] of some
> specially crafted compressed files; NAV triggers a
> DoS
> using 100% CPU for a very long time. Morover, NAV is
> unable to stop the scan in middle, even if the user
> wishes to manually stop the virus scan. Then, in
> this
> situation the only alternate is to kill the process.
> --- [Proof of Concept] ---
> Please download this file.
> 
>  http://www.geocities.com/visitbipin/av_bomb_3.zip  
> 
>     <---  For symantec.
> 
> 
> http://www.geocities.com/visitbipin/EXTRACTit1st.zip
>     <--- A bzip2 file, test it on other AV products,
> too.
> 
> The file contains, 'EICAR Test String' burried in
> 49647 directories. This is just a RAW 'proof of
> concept'. A few 100kb's of compressed file could be
> crafted in a way... NAV will take hours or MIGHT
> even
> days to complete the scan causing 100% cup use in
> email gateways for hours. The compressed archive
> must
> not necessarily be a '.zip' to trigger this attack.
> 
> I've decided not to contact SYMANTEC in any of my
> advisories since their "security responce team" is
> too
> slow to responce any reported incidence.  PLEASE:
> ...test this issue with other AV / trojan scanners
> as
> they might also be vulnerable.
> 
> -----------
> Bipin Gautam
> http://www.geocities.com/visitbipin/
> 
> Disclaimer: The information in the advisory is
> believed to be accurate at the time of printing
> based
> on currently available information. Use of the
> information constitutes acceptance for use in an AS
> IS
> condition. There are no warranties with regard to
> this
> information. Neither the author nor the publisher
> accepts any liability for any direct, indirect or
> consequential loss or damage arising from use of, or
> reliance on this information.
> 
> 
> 	
> __________________________________
> Do you Yahoo!?
> Yahoo! Mail is new and improved - Check it out!
> http://promotions.yahoo.com/new_mail
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html
> 
> This correspondence is for the named persons only.
> It may contain confidential or privileged
> information or both.
> No confidentiality or privilege is waived or lost by
> any mis transmission.
> If you receive this correspondence in error please
> delete it from your system immediately and notify
> the sender.
> You must not disclose, copy or relay on any part of
> this correspondence, if you are not the intended
> recipient.
> Any opinions expressed in this message are those of
> the individual sender except where the sender
> expressly,
> and with the authority, states them to be the
> opinions of the Department of Emergency Services,
> Queensland.
> 



		
__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ