| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050312001936.9D3935CD0C@lists.grok.org.uk> From: randallm at fidmail.com (Randall M) Subject: Re: Multiple AV Vendor Incorrect CRC32BypassVulnerability. I scanned the file with McAfee 8.0i and it end up stating that it couldn't scan the EICAR.COM file because it was encrypted. Was this your Intention? ------------------------------ Message: 16 Date: Fri, 11 Mar 2005 07:55:28 -0800 (PST) From: bipin gautam <visitbipin@...oo.com> Subject: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. To: full-disclosure@...ts.grok.org.uk Cc: vuln@...unia.com Message-ID: <20050311155528.91205.qmail@...31511.mail.mud.yahoo.com> Content-Type: text/plain; charset=us-ascii In Local file header if you modify "general purpose bit flag" 7th & 8'th byte of a zip archive with \x2f ie: "\" F-port, Kaspersky, Mcafee, Norman, Sybari, Symantec seem to skip the file marking it as clean!!! This was discoverd during the analysis of "Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability." Quick/rough conclusion were drawn using www.virustotal.com poc: http://www.geocities.com/visitbipin/gpbf.zip regards, bipin gautam ..................................... RandallM -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050311/3d569b51/attachment.html
Powered by blists - more mailing lists