Open Source and information security mailing list archives
 
Message-ID: <96BCCB62FB25F746A54214CBA0FB94A801F3A76E@syb-ny-exc1.net.sybari.com>
From: steve_scholz at sybari.com (Steve Scholz)
Subject: Re: Multiple AV Vendor Incorrect CRC32 BypassVulnerability.

You are correct: by doing this, you are marking the zip file as encrypted.

Your option at this time is to turn on the feature "delete encrypted
compressed files".

Fri Mar 11 17:59:02 2005 (4320-4292), "INFORMATION: Internet scan found
virus:

   Folder: SMTP Messages\Internal

   Message: test

   File: gpbf.zip

   Incident: EncryptedCompressedFile

   State: Removed"


Steve Scholz
Corporate Sales Engineer-North America
Sybari Software, Inc.
631-630-8556 Direct
516-903-2464 Mobile

Email:  Steve_scholz@...ari.com

MSN IM:Steve_Scholz@....com (email never checked) 





-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of bipin gautam
Sent: Friday, March 11, 2005 10:55 AM
To: full-disclosure@...ts.grok.org.uk
Cc: vuln@...unia.com
Subject: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32 BypassVulnerability.

In Local file header if you modify "general purpose
bit flag" 7th & 8th byte of a zip archive with \x2f
ie: "\" F-Prot, Kaspersky, McAfee, Norman, Sybari,
Symantec seem to skip the file marking it as clean!!!
This was discovered during the analysis of "Multiple AV
Vendor Incorrect CRC32 Bypass Vulnerability."

Quick/rough conclusions were drawn using
www.virustotal.com

poc: http://www.geocities.com/visitbipin/gpbf.zip

regards,
bipin gautam





		
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
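
Added example (not part of either message above, and not any vendor's code): a Python check over the field the report names, the general purpose bit flag at bytes 7-8 of each local file header, whose bit 0 marks an entry as encrypted. Comparing that flag with the central directory's copy is an assumption added here as a tamper signal; `audit_zip_flags`, `constructed_sample` and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"     # end of central directory record
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header
LOCAL_SIG = b"PK\x03\x04"    # local file header
ENCRYPTED = 0x0001           # bit 0 of the general purpose bit flag


def audit_zip_flags(data: bytes) -> list:
    """Return entries whose flags mark them encrypted or disagree between headers."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: entry count at offset 10, directory size at 12, directory offset at 16.
    total, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    findings = []
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        (central,) = struct.unpack_from("<H", data, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + name_len].decode("cp437")
        if data[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError("local header missing for " + name)
        # Bytes 7-8 of the local file header (offset 6) hold the flag.
        (local,) = struct.unpack_from("<H", data, local_off + 6)
        encrypted = bool((local | central) & ENCRYPTED)
        if encrypted or local != central:
            findings.append({"name": name, "local": local, "central": central,
                             "encrypted": encrypted, "mismatch": local != central})
        pos += 46 + name_len + extra_len + comment_len
    return findings


def constructed_sample(flag_low_byte=None) -> bytes:
    """Constructed test archive with one harmless text entry (not from the thread)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "harmless test content")
    raw = bytearray(buf.getvalue())
    if flag_low_byte is not None:
        raw[6] = flag_low_byte  # first local header starts at offset 0
    return bytes(raw)


if __name__ == "__main__":
    print(audit_zip_flags(constructed_sample()))      # untouched archive
    print(audit_zip_flags(constructed_sample(0x2F)))  # flag value from the report
```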


