Message-ID: <20050312023242.17864.qmail@web31512.mail.mud.yahoo.com>
From: visitbipin at yahoo.com (bipin gautam)
Subject: Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.
1st issue: Could anyone verify the existence of both
vulnerabilities in *Symantec products*, because it seems like
Symantec engineers got the *old* broken file that I
reported lately and couldn't reproduce the thing. I
tried reporting the issue but the message had a broken
EICAR string so I think the message wasn't delivered!
I uploaded a wrong file before and the same old file
kept on coming from the server's cache. I was able to
transparently extract the broken CRC archive using
Download Accelerator Plus (5.3) with just a warning
message.
2nd issue: NOP, the zip file wasn't "ACTUALLY"
encrypted. Nor was anything else in the archive
modified! The archive can be normally extracted by
any unzip utility. I did test it with WinRAR 3.2 &
with the default zip manager of WinXP (SP2).
3rd issue (NEW): Well, tested with F-Prot, DrWeb,
Symantec 8.0 long ago... lately verified it using
virustotal.com. If you have a long archive comment in
a zip archive these AVs can't detect a virus embedded in
it, though a friend of mine reported to me Symantec 8.1 is
immune to the bug.
POC:
http://www.geocities.com/visitbipin/long_coment.zip
--- Randall M <randallm@...mail.com> wrote:
> I scanned the file with McAfee 8.0i and it ended up
> stating that it couldn't scan the EICAR.COM file
> because it was encrypted. Was this your intention?
>
> ------------------------------
--- Steve Scholz <steve_scholz@...ari.com> wrote:
> You are correct, by doing this you are marking the
> zip file as encrypted.
>
> Your option at this time is to turn on the feature
> delete encrypted
> compressed files.
>
> Steve Scholz
> Corporate Sales Engineer-North America
> Sybari Software, Inc.
> 631-630-8556 Direct
> 516-903-2464 Mobile
>
> Email: Steve_scholz@...ari.com
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> Subject: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.
>
> In the local file header, if you modify the "general purpose
> bit flag" (7th & 8th byte of a zip archive) with \x2f,
> i.e. "\", F-Prot, Kaspersky, McAfee, Norman, Sybari and
> Symantec seem to skip the file, marking it as clean!!!
> This was discovered during the analysis of "Multiple AV
> Vendor Incorrect CRC32 Bypass Vulnerability."
>
> Quick/rough conclusions were drawn using
> www.virustotal.com
>
> poc: http://www.geocities.com/visitbipin/gpbf.zip
>
> regards,
> bipin gautam
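The thread above describes three ways an archive can be shaped so that a scanner skips its contents: a general purpose bit flag that claims "encrypted" while the entry is plain deflate data, a CRC32 in the local file header that does not match the data, and an overlong archive comment. What follows is an added example, not code from the post or from any of the vendors named in it: a standalone Python audit (standard library only) that walks the local file headers and the end-of-central-directory record and reports exactly those conditions, inflating and checksumming the data regardless of the flag so that a bogus flag or CRC cannot cause the content to go unscanned. The fixture helpers that build the tampered samples, the `max_comment` policy limit of 1024 bytes, the 0x2f flag value and the file name `hello.txt` are my assumptions for the demonstration.

```python
import io
import struct
import zipfile
import zlib

LOCAL_HEADER_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
# sig, version, gp flags, method, time, date, crc32, csize, usize, name len, extra len
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
FLAG_ENCRYPTED = 0x0001        # general purpose bit 0
FLAG_DATA_DESCRIPTOR = 0x0008  # general purpose bit 3


def build_sample_zip(comment: bytes = b"") -> bytes:
    """Constructed benign sample archive (not the PoC files linked in the thread)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hello.txt", b"constructed sample payload\n")
        zf.comment = comment
    return buf.getvalue()


def set_gp_flags_of_first_entry(data: bytes, flags: int) -> bytes:
    """Test fixture (assumption): overwrite the 2-byte general purpose bit flag at
    offset 6 of the first local header, mimicking the archives the thread describes."""
    assert data.startswith(LOCAL_HEADER_SIG)
    return data[:6] + struct.pack("<H", flags) + data[8:]


def invert_crc_of_first_entry(data: bytes) -> bytes:
    """Test fixture (assumption): invert the stored CRC32 at offset 14 so that it no
    longer matches the entry's content."""
    assert data.startswith(LOCAL_HEADER_SIG)
    crc = struct.unpack_from("<I", data, 14)[0]
    return data[:14] + struct.pack("<I", crc ^ 0xFFFFFFFF) + data[18:]


def audit_zip(data: bytes, max_comment: int = 1024) -> list:
    """Walk the local file headers and the end-of-central-directory record and return
    every reason a scanner must not mark the archive clean without inspecting it."""
    findings = []
    pos = 0
    while data.startswith(LOCAL_HEADER_SIG, pos):
        (_, _, flags, method, _, _, crc_hdr, csize, usize,
         nlen, xlen) = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        payload = data[start:start + csize]
        if flags & FLAG_ENCRYPTED:
            findings.append(f"{name}: encryption flag set (gp flags=0x{flags:04x})")
        # Inflate regardless of the flag: a flipped bit does not make the bytes unreadable.
        plain = None
        try:
            if method == 0:
                plain = payload
            elif method == 8:
                plain = zlib.decompress(payload, -15)  # raw deflate stream
        except zlib.error:
            findings.append(f"{name}: compressed data does not inflate")
        if plain is not None:
            if flags & FLAG_ENCRYPTED:
                findings.append(f"{name}: flagged encrypted but inflates cleanly; flag is bogus, scan the content")
            actual = zlib.crc32(plain) & 0xFFFFFFFF
            if actual != crc_hdr:
                findings.append(f"{name}: CRC32 mismatch header=0x{crc_hdr:08x} actual=0x{actual:08x}; content still readable, scan it")
            if len(plain) != usize:
                findings.append(f"{name}: uncompressed size {len(plain)} != header {usize}")
        if csize == 0 and flags & FLAG_DATA_DESCRIPTOR:
            findings.append(f"{name}: sizes deferred to a data descriptor; header walk cannot continue")
            break
        pos = start + csize
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        findings.append("no end-of-central-directory record")
    else:
        comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
        if comment_len > max_comment:
            findings.append(f"archive comment of {comment_len} bytes exceeds policy limit of {max_comment}")
        if eocd + 22 + comment_len != len(data):
            findings.append("trailing bytes after the archive comment")
    return findings


if __name__ == "__main__":
    clean = build_sample_zip()
    fixtures = {
        "clean": clean,
        "gp flags 0x2f": set_gp_flags_of_first_entry(clean, 0x2F),
        "bad crc": invert_crc_of_first_entry(clean),
        "long comment": build_sample_zip(comment=b"A" * 4096),
    }
    for label, blob in fixtures.items():
        print(label, "->", audit_zip(blob) or ["no findings"])
```

The design point is that the audit never trusts a header field as a reason to stop: the encryption bit and the CRC are treated as claims to be checked against the bytes, and a claim that the bytes contradict is itself a reason to scan harder rather than to skip. The comment length limit is a local policy knob, not a format rule; the ZIP format allows comments up to 65535 bytes.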