[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <2A1F79D25E4EBF15210B832B@[10.3.62.6]>
From: pbieringer at aerasec.de (Dr. Peter Bieringer)
Subject: Unfiltered escape sequences in filenames
contained in ZIP archives
wouldn't be escaped on displaying or logging, and can also lead to bypass AV
scanning
Hello,
during investigation of Sober.l we got the idea to replace the spaces of a
filename contained in the ZIP archive by some escape sequences.
Many AV software is logging such filenames during decompressing, so after
creating such regular ZIP archive (by using Perl Archive::Zip module, no
other tweaks!) we've found that some of the tested products do not filter
or replace the escape sequences, which leads to funny results during
displaying the output of the AV scanner or viewing the log.
Also we found that at least 2 AV scan programs from 2 vendors do not detect
the virus inside and report "clean" instead.
See here for more details:
<ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/unfiltered-escape-sequences.txt>
<http://www.aerasec.de/security/index.html?id=ae-200503-020&lang=en>
We provide also samples and the Perl program for creating the samples:
<ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/>
Due lack of time we only tested a few products, so if one can provide
results of other products, pls. send them (also) to us. Thank you!
Regards,
Dr. Peter Bieringer
--
Dr. Peter Bieringer Phone: +49-8102-895190
AERAsec Network Services and Security GmbH Fax: +49-8102-895199
Wagenberger Strasse 1 Mobile: +49-174-9015046
D-85662 Hohenbrunn E-Mail: pbieringer@...asec.de
Germany Internet: http://www.aerasec.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050314/449db570/attachment.bin
Powered by blists - more mailing lists