lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20050312075740.11308.qmail@web31503.mail.mud.yahoo.com>
From: visitbipin at yahoo.com (bipin gautam)
Subject: Re: Multiple AV Vendor Incorrect
	CRC32BypassVulnerability.


> While it might be a vulnerability if the file is
> extracted which it hasto be to be executed the 
> desktop scanner will detect it at that time. 
> Multiple layers of defense is your best option 
> As far as number 3 Antigen detects Eicar.

YAP, i never reported Antigen vulnerable to the 3'rd
one.

Though, In Local file header if you modify "general
purpose bit flag" 7th & 8'th byte of a zip archive
with \x2f Antigen is also seem to be vulnerable! While
most unzip utilities are transperently able to extract
SUCH* archive without any problem! Though,currently my
only source of verifying this is via
www.virustotal.com and some others. [Go, TRY IT
THEER!]
http://www.geocities.com/visitbipin/gpbf.zip


> I can see if there is anything
> else that you do not
> think Antigen is doing correctly.

 (O;

For instant,
In the 'local file header" & "data descriptor" if you
change the  compressed size and uncompressed size to
ZERO[iDEFENSE] or greater than the actual file size or
less than the actual file size still there are many AV
that can't scan the file properly. 
http://www.geocities.com/visitbipin/Antigen_b.zip
http://www.geocities.com/visitbipin/Antigen_s.zip

Moreover there are unzip utilities that goes to a loop
if the filesize is changed to ffffffff ! Lets hope, AV
don't have such faulty code!

Just run the file through www.virustotal.com and
you'll see. (I know, they aren't using up-to-date scan
engine)

Thanks,
bipin





		
__________________________________ 
Do you Yahoo!? 
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ