| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <96BCCB62FB25F746A54214CBA0FB94A801F3A7B5@syb-ny-exc1.net.sybari.com> From: steve_scholz at sybari.com (Steve Scholz) Subject: Re: Multiple AV Vendor IncorrectCRC32BypassVulnerability. Sat Mar 12 10:26:35 2005 (4320-4292), "INFORMATION: Internet scan found virus: Folder: SMTP Messages\Internal Message: test b File: Antigen_b.zip Incident: Large uncompressed size State: Removed" The Antigen_s.zip does not contain a valid Eicar this info when repaired and opened is X5O!P%@AP[4\PZX We did catch it with a file filter. Sat Mar 12 10:32:29 2005 (4320-4292), "INFORMATION: Internet scan found virus: Folder: SMTP Messages\Internal Message: Fw: test File: Antigen_s.zip->eicar.com Incident: FILE FILTER= *.com State: Removed" What was your intent with these files? Steve Scholz Corporate Sales Engineer-North America Sybari Software, Inc. 631-630-8556 Direct 516-903-2464 Mobile Email: Steve_scholz@...ari.com MSN IM:Steve_Scholz@....com (email never checked) -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of bipin gautam Sent: Saturday, March 12, 2005 2:58 AM To: Steve Scholz; vuln@...unia.com Cc: full-disclosure@...ts.grok.org.uk; vuldb@...urityfocus.com Subject: RE: [Full-disclosure] Re: Multiple AV Vendor IncorrectCRC32BypassVulnerability. > While it might be a vulnerability if the file is > extracted which it hasto be to be executed the > desktop scanner will detect it at that time. > Multiple layers of defense is your best option > As far as number 3 Antigen detects Eicar. YAP, i never reported Antigen vulnerable to the 3'rd one. Though, In Local file header if you modify "general purpose bit flag" 7th & 8'th byte of a zip archive with \x2f Antigen is also seem to be vulnerable! While most unzip utilities are transperently able to extract SUCH* archive without any problem! Though,currently my only source of verifying this is via www.virustotal.com and some others. [Go, TRY IT THEER!] http://www.geocities.com/visitbipin/gpbf.zip > I can see if there is anything > else that you do not > think Antigen is doing correctly. (O; For instant, In the 'local file header" & "data descriptor" if you change the compressed size and uncompressed size to ZERO[iDEFENSE] or greater than the actual file size or less than the actual file size still there are many AV that can't scan the file properly. http://www.geocities.com/visitbipin/Antigen_b.zip http://www.geocities.com/visitbipin/Antigen_s.zip Moreover there are unzip utilities that goes to a loop if the filesize is changed to ffffffff ! Lets hope, AV don't have such faulty code! Just run the file through www.virustotal.com and you'll see. (I know, they aren't using up-to-date scan engine) Thanks, bipin __________________________________ Do you Yahoo!? Yahoo! Small Business - Try our new resources site! http://smallbusiness.yahoo.com/resources/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://www.secunia.com/
Powered by blists - more mailing lists