[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20050317110618.GF13139@lodz.tpsa.pl>
From: tomek-bug at lodz.tpsa.pl (Tomasz Papszun)
Subject: Unfiltered escape sequences in filenames
contained in ZIP archives wouldn't be escaped on displaying or
logging, and can also lead to bypass AV scanning
On Tue, 15 Mar 2005 at 22:07:06 -0300, Rodrigo Barbosa wrote:
> On Tue, Mar 15, 2005 at 09:06:05PM +0000, Nigel Horne wrote:
> > > > # unzip -l mixed-eicar.zip
> > > > Archive: mixed-eicar.zip
> > > > Length Date Time Name
> > > > -------- ---- ---- ----
> > > > 308 03-10-05 12:00 Test^G^[[2J^[[2;5m^[[1;31mHACKER
> > > > ATTACK^[[2;25m^[[22;30m^[[3q.txt
> > > > 308 03-10-05 12:00 eicarcom2.zip
> > > > -------- -------
> > > > 616 2 files
> > >
> > > F-Prot seems to detect it correctly:
> >
> > As does clamAV:
> > [njh@njh tmp]$ clamscan mixed-eicar.zip
> > mixed-eicar.zip: Eicar-Test-Signature FOUND
> >
> > Scanned files: 1
> > Infected files: 1
>
> Actually, no. There were 2 infected files in there. ClamAV only found 1.
>
> - --
> Rodrigo Barbosa <rodrigob@...spammers.org>
It's a feature. It's documented, e.g.:
http://www.clamav.net/doc/latest/html/node28.html
"In case of archives the scanner depends on libclamav
and only prints the first virus found within an archive".
Scanning the rest of files in the archive when it's already known that
it contains at least one infected file is usually just waste of
resources. Of course it's possible to force clamscan to do it, but it's
not a default way. See the URL above.
Also, the number shown in "Scanned files:" means the number of files
scanned directly (in this example: the archive itself), not the number
of files present inside the archive.
As a proof that ClamAV successfully detects the Eicar signature in
zipped file with escape sequences in the filename, you can delete the
eicarcom2.zip from the archive and scan the archive again:
$ unzip -l mixed-eicar.zip
Archive: mixed-eicar.zip
Length Date Time Name
-------- ---- ---- ----
308 03-10-05 12:00 Test^G^[[2J^[[2;5m^[[1;31mHACKER
ATTACK^[[2;25m^[[22;30m^[[3q.txt
-------- -------
308 1 file
$ clamscan mixed-eicar.zip
mixed-eicar.zip: Eicar-Test-Signature FOUND
P.S.
I'm not subscribed to full-disclosure, so please Cc: me in case the
thread continues on full-disclosure.
--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
tomek at clamav.net http://www.ClamAV.net/ A GPL virus scanner
Powered by blists - more mailing lists