Full Disclosure mailing list archives
RE: Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.
From: "Steve Scholz" <steve_scholz () sybari com>
Date: Fri, 11 Mar 2005 18:00:00 -0500
You are correct, by doing this you are marking the zip file as encrypted. Your option at this time is to turn on the feature "delete encrypted compressed files".

Fri Mar 11 17:59:02 2005 (4320-4292), "INFORMATION: Internet scan found virus: Folder: SMTP Messages\Internal Message: test File: gpbf.zip Incident: EncryptedCompressedFile State: Removed"

Steve Scholz
Corporate Sales Engineer-North America
Sybari Software, Inc.
631-630-8556 Direct
516-903-2464 Mobile
Email: Steve_scholz () sybari com
MSN IM: Steve_Scholz () Msn com (email never checked)

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of bipin gautam
Sent: Friday, March 11, 2005 10:55 AM
To: full-disclosure () lists grok org uk
Cc: vuln () secunia com
Subject: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.

In the local file header, if you modify the "general purpose bit flag" (7th & 8th byte of a zip archive) with \x2f, ie: "\", F-Prot, Kaspersky, McAfee, Norman, Sybari, Symantec seem to skip the file, marking it as clean!!!

This was discovered during the analysis of "Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability." Quick/rough conclusions were drawn using www.virustotal.com

poc: http://www.geocities.com/visitbipin/gpbf.zip

regards,
bipin gautam

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
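The exchange above turns on one detail: the encryption bit (bit 0) of the general purpose bit flag in a zip entry's local file header, which the scanners read and then treated as "cannot inspect, so pass". The mitigation Steve names is a policy switch (block encrypted compressed files instead of skipping them). The following is an added example, not Sybari's code and not the poster's PoC: a gatekeeper-side audit in Python that walks the central directory with the standard zipfile module, reads each entry's local header flag word directly from the bytes, and reports any entry that claims encryption or whose local-header encryption bit disagrees with the central directory (the PoC only touches the local header, so that mismatch is a useful signal). The sample archive, the entry name test.txt and the 0x2f flag value are constructed for the demonstration; the verdict policy is that an uninspectable entry is blocked, never reported clean.

```python
import io
import struct
import zipfile
from typing import Dict, List

LOCAL_SIG = b"PK\x03\x04"
ENCRYPTED = 0x0001  # general purpose bit flag, bit 0: entry is encrypted

# Local file header layout (little-endian): signature(4) version(2) flags(2) ...
LOCAL_FLAGS_OFFSET = 6


def build_sample_zip(tamper: bool) -> bytes:
    """Constructed sample: a one-entry archive built with zipfile.
    With tamper=True the LOCAL header flag word is overwritten with 0x2f
    (the value from the post), leaving the central directory untouched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("test.txt", "hello world\n" * 20)
    data = bytearray(buf.getvalue())
    if tamper:
        assert data[:4] == LOCAL_SIG  # first local header sits at offset 0
        struct.pack_into("<H", data, LOCAL_FLAGS_OFFSET, 0x002F)
    return bytes(data)


def audit_zip(data: bytes) -> List[Dict]:
    """Return one finding per entry that cannot be scanned as plain content:
    the local header marks it encrypted, or local/central encryption bits differ."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            # Read the local header ourselves; zipfile only parsed the central directory.
            sig, _version, local_flags = struct.unpack_from("<4sHH", data, off)
            if sig != LOCAL_SIG:
                findings.append({"name": info.filename, "local_flags": None,
                                 "central_flags": info.flag_bits,
                                 "reasons": ["bad local header signature"]})
                continue
            central_flags = info.flag_bits
            reasons = []
            if local_flags & ENCRYPTED:
                reasons.append("local header marks entry encrypted")
            if (local_flags ^ central_flags) & ENCRYPTED:
                reasons.append("encryption bit differs between local header and central directory")
            if reasons:
                findings.append({"name": info.filename, "local_flags": local_flags,
                                 "central_flags": central_flags, "reasons": reasons})
    return findings


def scan_verdict(data: bytes) -> str:
    """Gateway policy: anything the content scanner cannot open is blocked, not passed."""
    return "block" if audit_zip(data) else "clean"


if __name__ == "__main__":
    for tamper in (False, True):
        sample = build_sample_zip(tamper)
        print("tampered" if tamper else "clean   ", scan_verdict(sample), audit_zip(sample))
```

The check reads the flag word straight from the file bytes rather than trusting zipfile's view, because the scanners in the thread were fooled at exactly that layer; comparing the local header against the central directory catches a patch applied to only one of the two copies, which a properly encrypted archive produced by a real tool would not show.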
Current thread:
- RE: Multiple AV Vendor Incorrect CRC32 BypassVulnerability. bipin gautam (Mar 10)
- <Possible follow-ups>
- Multiple AV Vendor Incorrect CRC32 BypassVulnerability. Steve Scholz (Mar 11)
- Multiple AV Vendor Incorrect CRC32 BypassVulnerability. Steve Scholz (Mar 11)
- Multiple AV Vendor Incorrect CRC32 BypassVulnerability. Steve Scholz (Mar 11)
- RE: Multiple AV Vendor Incorrect CRC32BypassVulnerability. David J. Weaver (Mar 11)
- Multiple AV Vendor Incorrect CRC32 BypassVulnerability. Steve Scholz (Mar 11)
- Multiple AV Vendor Incorrect CRC32 BypassVulnerability. Steve Scholz (Mar 11)
- Re: Multiple AV Vendor Incorrect CRC32 BypassVulnerability. bipin gautam (Mar 11)
- RE: Re: Multiple AV Vendor Incorrect CRC32 BypassVulnerability. Steve Scholz (Mar 11)
- RE: Re: Multiple AV Vendor Incorrect CRC32 BypassVulnerability. bipin gautam (Mar 11)