Full Disclosure mailing list archives

RE: Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.


From: "Steve Scholz" <steve_scholz () sybari com>
Date: Fri, 11 Mar 2005 18:00:00 -0500

You are correct: by doing this you are marking the zip file as encrypted.

Your option at this time is to turn on the feature "delete encrypted
compressed files".

Fri Mar 11 17:59:02 2005 (4320-4292), "INFORMATION: Internet scan found
virus:

   Folder: SMTP Messages\Internal

   Message: test

   File: gpbf.zip

   Incident: EncryptedCompressedFile

   State: Removed"


Steve Scholz
Corporate Sales Engineer-North America
Sybari Software, Inc.
631-630-8556 Direct
516-903-2464 Mobile

Email:  Steve_scholz () sybari com

MSN IM: Steve_Scholz () Msn com (email never checked)





-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of bipin
gautam
Sent: Friday, March 11, 2005 10:55 AM
To: full-disclosure () lists grok org uk
Cc: vuln () secunia com
Subject: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32
Bypass Vulnerability.

In the local file header, if you modify the "general purpose
bit flag" (7th & 8th byte) of a zip archive with \x2f
ie: "\", F-Prot, Kaspersky, McAfee, Norman, Sybari and
Symantec seem to skip the file, marking it as clean!!!
This was discovered during the analysis of "Multiple AV
Vendor Incorrect CRC32 Bypass Vulnerability."

Quick/rough conclusions were drawn using
www.virustotal.com

poc: http://www.geocities.com/visitbipin/gpbf.zip

regards,
bipin gautam





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
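An added example, not code from either post or from Sybari: a small Python check a mail gateway could run on an archive, reading each entry's general purpose bit flag from both the central directory and the local file header (the bytes the post modifies) and treating a flag mismatch or an unreadable entry as a reason to inspect or block rather than pass the file as clean. The function names and the sample archive are constructed for this example; it relies on Python's zipfile verifying the CRC32 of whatever it decompresses.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001              # bit 0 of the general purpose bit flag: entry is encrypted
FLAG_OFFSET = 6                 # flag field is bytes 6-7 of the local file header
LOCAL_HEADER = "<4sHHHHHIIIHH"  # sig, version, flags, method, time, date, crc32, csize, usize, nlen, elen

def local_flags(data, offset):
    """Read the general purpose bit flag from the local file header at offset."""
    fields = struct.unpack_from(LOCAL_HEADER, data, offset)
    if fields[0] != b"PK\x03\x04":
        raise ValueError("no local file header at offset %d" % offset)
    return fields[2]

def audit(data):
    """Per entry: encryption bit in central directory vs. local header, and whether the data is readable."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            central = bool(info.flag_bits & ENCRYPTED)          # flag from the central directory
            local = bool(local_flags(data, info.header_offset) & ENCRYPTED)
            try:
                zf.read(info)                                   # decompresses and checks the CRC32
                readable = True
            except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
                readable = False
            report.append({"name": info.filename, "central_encrypted": central,
                           "local_encrypted": local, "mismatch": central != local,
                           "readable": readable})
    return report

def verdict(report):
    """Gateway policy: block unreadable entries (the "delete encrypted compressed files" setting); scan the rest."""
    if any(not e["readable"] for e in report):
        return "block: unscannable entry"
    if any(e["mismatch"] for e in report):
        return "scan: header flags disagree, inspect decompressed data"
    return "scan: consistent archive"

def build_samples():
    """Constructed fixtures: a clean archive and a copy with the encryption bit set only in the local header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("test.txt", b"constructed sample text\n" * 20)
    clean = buf.getvalue()
    with zipfile.ZipFile(io.BytesIO(clean)) as zf:
        off = zf.infolist()[0].header_offset
    patched = bytearray(clean)
    struct.pack_into("<H", patched, off + FLAG_OFFSET, local_flags(clean, off) | ENCRYPTED)
    return clean, bytes(patched)
```

On the patched fixture the central directory still says "not encrypted" and the data decompresses with a valid CRC32, which is exactly why a scanner should not trust the local header's flag on its own.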



