Full Disclosure mailing list archives
RE: Re: Multiple AV Vendor Incorrect CRC32 BypassVulnerability.
From: bipin gautam <visitbipin () yahoo com>
Date: Fri, 11 Mar 2005 18:32:42 -0800 (PST)
1st issue: Could anyone verify the existence of both vulnerabilities in *Symantec products*? It seems like Symantec engineers got the *old* broken file that I reported lately and couldn't reproduce the thing. I tried reporting the issue, but the message had a broken EICAR string, so I think the message wasn't delivered! I uploaded a wrong file before, and the same old file kept on coming from the server's cache. I was able to transparently extract the broken CRC archive using Download Accelerator Plus (5.3) with just a warning message.

2nd issue: Nope, the zip file wasn't "ACTUALLY" encrypted. Nor was anything else in the archive modified! The archive can be normally extracted by any unzip utility. I did test it with WinRAR 3.2 and with the default zip manager of WinXP (SP2).

3rd issue (NEW): Well, tested with F-Prot, DrWeb, *Symantec 8.0* long ago... lately verified it using virustotal.com. If you have a long archive comment in a zip archive, these AVs can't detect a virus embedded in it. Though a friend of mine reported to me that Symantec 8.1 is immune to the bug.

POC: http://www.geocities.com/visitbipin/long_coment.zip

--- Randall M <randallm () fidmail com> wrote:
I scanned the file with McAfee 8.0i and it ended up stating that it couldn't scan the EICAR.COM file because it was encrypted. Was this your intention?
--- Steve Scholz <steve_scholz () sybari com> wrote:
You are correct: by doing this you are marking the zip file as encrypted. Your option at this time is to turn on the feature "delete encrypted compressed files".
Steve Scholz
Corporate Sales Engineer-North America
Sybari Software, Inc.
631-630-8556 Direct
516-903-2464 Mobile
Email: Steve_scholz () sybari com

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
Subject: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32 BypassVulnerability.

In the Local file header, if you modify the "general purpose bit flag" (7th & 8th byte of a zip archive) with \x2f, i.e. "\", F-Prot, Kaspersky, McAfee, Norman, Sybari and Symantec seem to skip the file, marking it as clean!!! This was discovered during the analysis of "Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability." Quick/rough conclusions were drawn using www.virustotal.com

poc: http://www.geocities.com/visitbipin/gpbf.zip

regards,
bipin gautam
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
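The three tricks discussed in this thread (a CRC32 in the header that does not match the member data, a general purpose bit flag that falsely claims the member is encrypted, and an oversized archive comment) all rely on a scanner trusting attacker-controlled header fields. The following audit script is an added example written for this archive page; it is not code from the thread or from any of the vendors named, and the PoC archives linked above are not used. It builds its own sample ZIPs in memory with a benign payload, patches the local file header the way the posts describe, and then walks the central directory (which extractors such as Python's zipfile trust) cross-checking every entry against its local file header (which a streaming scanner sees). The COMMENT_LIMIT threshold is an assumption; the thread gives no number.

```python
"""Added example (not from the thread): audit a ZIP for the header tricks
discussed above. Sample archives are constructed in memory with a benign
payload; COMMENT_LIMIT is an assumed threshold, the thread names none."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CDH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"       # local file header, 30 bytes
CDH_FMT = "<4sHHHHHHIIIHHHHHII"   # central directory header, 46 bytes
EOCD_FMT = "<4sHHHHIIH"           # end of central directory, 22 bytes
FLAG_ENCRYPTED = 0x0001           # general purpose bit 0
COMMENT_LIMIT = 1024              # assumption: flag comments longer than this


def build_zip(name, payload, comment=b""):
    """Constructed sample: one STORED member plus an optional archive comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
        zf.comment = comment
    return buf.getvalue()


def patch_local_flags(data, value):
    """Overwrite only the general purpose bit flag (bytes 6-7) of the first
    local file header; the central directory copy is left untouched."""
    assert data[:4] == LOCAL_SIG
    return data[:6] + struct.pack("<H", value) + data[8:]


def patch_local_crc(data, value):
    """Overwrite only the CRC32 field (bytes 14-17) of the first local header."""
    assert data[:4] == LOCAL_SIG
    return data[:14] + struct.pack("<I", value) + data[18:]


def recover_plaintext(body, method):
    """Return member plaintext for STORED (0) or DEFLATE (8), else None."""
    if method == 0:
        return body
    if method == 8:
        try:
            return zlib.decompress(body, -15)
        except zlib.error:
            return None
    return None


def audit_zip(data):
    """Walk the central directory and cross-check each entry against its
    local file header. Returns a list of human-readable findings."""
    findings = []
    eocd = data.rfind(EOCD_SIG)  # last EOCD signature; comment follows it
    if eocd < 0:
        return ["no end-of-central-directory record"]
    _, _, _, _, n_entries, _, cd_off, cmt_len = struct.unpack_from(EOCD_FMT, data, eocd)
    if cmt_len > COMMENT_LIMIT:
        findings.append(f"archive comment is {cmt_len} bytes")
    pos = cd_off
    for _ in range(n_entries):
        c = struct.unpack_from(CDH_FMT, data, pos)
        if c[0] != CDH_SIG:
            findings.append("central directory signature mismatch")
            break
        (_, _, _, c_flags, c_method, _, _, c_crc, c_csize, c_usize,
         fn_len, ex_len, cm_len, _, _, _, local_off) = c
        name = data[pos + 46:pos + 46 + fn_len].decode("utf-8", "replace")
        pos += 46 + fn_len + ex_len + cm_len
        l = struct.unpack_from(LOCAL_FMT, data, local_off)
        if l[0] != LOCAL_SIG:
            findings.append(f"{name}: local header signature mismatch")
            continue
        _, _, l_flags, _, _, _, l_crc, _, _, l_fn, l_ex = l
        if l_flags != c_flags:
            findings.append(f"{name}: flags disagree (local 0x{l_flags:04x}, central 0x{c_flags:04x})")
        start = local_off + 30 + l_fn + l_ex
        plain = recover_plaintext(data[start:start + c_csize], c_method)
        if plain is None:
            findings.append(f"{name}: cannot recover data (method {c_method})")
            continue
        actual = zlib.crc32(plain)
        # Real PKZIP encryption adds a 12-byte header and ciphertext whose CRC
        # will not match the plaintext CRC; a matching CRC means the flag lies.
        if (l_flags | c_flags) & FLAG_ENCRYPTED and actual == c_crc and len(plain) == c_usize:
            findings.append(f"{name}: encryption flag set but data is plaintext (CRC matches)")
        if actual != l_crc:
            findings.append(f"{name}: local header CRC 0x{l_crc:08x} != computed 0x{actual:08x}")
        if actual != c_crc:
            findings.append(f"{name}: central directory CRC 0x{c_crc:08x} != computed 0x{actual:08x}")
    return findings


if __name__ == "__main__":
    clean = build_zip("note.txt", b"benign payload for the audit example\n")
    for label, sample in [("clean", clean),
                          ("gpbf 0x2f", patch_local_flags(clean, 0x002F)),
                          ("bad crc", patch_local_crc(clean, 0xDEADBEEF)),
                          ("long comment", build_zip("note.txt", b"x", b"x" * 4096))]:
        print(label, audit_zip(sample))
```

The point of checking both structures is that a patch to the local header alone (as in the gpbf.zip description) is invisible to an extractor that reads the central directory, while a scanner that walks local headers sees the encryption bit and, if it skips "encrypted" members or gives up on a CRC mismatch, never looks at the bytes. A scanner should treat any disagreement between the two header copies, or a CRC that does not match data it can read, as a reason to scan harder, not a reason to stop.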
Current thread:
- RE: Multiple AV Vendor Incorrect CRC32 BypassVulnerability. bipin gautam (Mar 10)
- <Possible follow-ups>
- Multiple AV Vendor Incorrect CRC32 BypassVulnerability. Steve Scholz (Mar 11)
- Multiple AV Vendor Incorrect CRC32 BypassVulnerability. Steve Scholz (Mar 11)
- Multiple AV Vendor Incorrect CRC32 BypassVulnerability. Steve Scholz (Mar 11)
- RE: Multiple AV Vendor Incorrect CRC32BypassVulnerability. David J. Weaver (Mar 11)
- Multiple AV Vendor Incorrect CRC32 BypassVulnerability. Steve Scholz (Mar 11)
- Multiple AV Vendor Incorrect CRC32 BypassVulnerability. Steve Scholz (Mar 11)
- Re: Multiple AV Vendor Incorrect CRC32 BypassVulnerability. bipin gautam (Mar 11)
- RE: Re: Multiple AV Vendor Incorrect CRC32 BypassVulnerability. Steve Scholz (Mar 11)
- RE: Re: Multiple AV Vendor Incorrect CRC32 BypassVulnerability. bipin gautam (Mar 11)