RE: Multiple AVVendorIncorrectCRC32BypassVulnerability.

["Steve Scholz" <steve_scholz () sybari com>]

?
Sure it is a fair comment. Eicar a test file has been corrupt by you changing the archive. Do this with a real virus 
where the av scan engine looks at all the content and if certain portians are there it detects it. This poc only works 
with eicar not any known virus, to me that is no vulnerability.
Steve

________________________________

From: bipin gautam [mailto:visitbipin () yahoo com]
Sent: Sun 3/13/2005 9:06 AM
To: Steve Scholz
Cc: vuln () secunia com; full-disclosure () lists grok org uk; bugtraq () securityfocus com
Subject: RE: [Full-disclosure] Multiple AVVendorIncorrectCRC32BypassVulnerability.




--- Steve Scholz <steve_scholz () sybari com> wrote:

> ?
> Hi Bipin,
> Well just by definition of what eicar is all you did
> was corrupt a file and made it not useable. I am
> sure that any other executable would do the same.
> Try it with a real virus I am sure there will be
> enough code for the AV scanners to detect.

thats not fair to coment...

DID I CORRUPT THE eicar test string? no i didn't...

what did i did... then?
In the  "local file header" & "data descriptor"  of
the archive i just  changed the compressed size and
uncompressed size of the archive to greater than the
actual file size.

who then? well, your unzip utility did... so did the
unzip utility built-in your AV scanner so that the
eicar was undetectable to most AV cauz they just check
the hash of the file to detect eicarts!

Result:
Unzip utilities and AV will successfully extract such
archive with filling some garbage data \x00 at the end
.(because the uncompressed file size was fake)  still,
Any malicious code can execute without any problem
with the garbage at its bottom. This will successfully
bypass AV detection "even for a known malicious code",
"MOST OF THE TIME" if the AV detects the executable
comparing its total checksum!

Its true for some of those simple little viruses,
isn't it?

I didn't altered the eicar test string... in any ways.
Have a hex dump of the file and see the intact string
for yourself!

)O;    is my english that bad... so that i can't
communicate properly?

I hope you understood what i mean to explain.
Moreover, If you are able to forge the CRC right,
'some' old av may even try to quarentine the test
virus (if it detect that) in either way it might still
result in a DoS if the uncompressed file size is
forged to few hunderd mb!@

if you are still unclear about the issue, and wounder
how the garbage data came at the end of the file...

http://www.geocities.com/visitbipin/winrar.html
This old advisory of mine should explain you clearly.
bipin





> --- Steve Scholz <steve_scholz () sybari com> wrote:
> > Hi Bipin,
> > By design Eicar needs to be the exact string and
> on
> > the first line with nothing else following it. So
> > the file is not actually an Eicar I get this with
> > advanced zip repair. So now we won't detect this
> > because it is not Eicar.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*PK

> >      /é°¦quot;F?-?sp  ?sp          
       
> eicar.comPK
> >    
 
 7   k
>
> "not Eicar" so???     (O; It exactly did what it was
> intended to! TRY IT WITH OTHER EXECUDABLES THEN.
>
> In the 'local file header" & "data descriptor" if
> you
> change the compressed size and uncompressed size to
> greater than the actual file size there are many AV
> that can't scan the file properly.
> Most, unzip utilities will successfully extract such
> archive with some garbage data \x00 at the end "255
> bytes. (SO DOES THE AV ENGINE)  The garbage data
> doesn't *that matter because any malicious code can
> "execute without any problem" with still the garbage
> at its end. "This will successfully bypass AV
> detection even for a known malicious code!"  "MOST
> OF
> THE TIME" if the AV detects the executable comparing
> its total checksum!
>
> (but for effectiveness, FORGE  the crc, first for
> real
> effectiveness)
>
>
>
> regards,
> bipin gautam
> get the updates in this issue at:
> http://www.geocities.com/visitbipin/
>
> secunia.com;
> > full-disclosure () lists grok org uk;
> > bugtraq () securityfocus com
> > Subject: [Full-disclosure] Re: [Private]Multiple
> AV
> > VendorIncorrectCRC32BypassVulnerability.
> >
> > Steve,
> > firstly... thankyou for all your coments.
> >
> > > The Antigen_s.zip does not contain a valid Eicar
> > > this info when repaired
> > > and opened is X5O!P%@AP[4\PZX
> > > We did catch it with a file filter.
> > > What was your intent with these files?
> >
> > OOPS! again my fault!!!
> > TRY:
> http://www.geocities.com/visitbipin/Antigen.zip
> > my intension was to show, if the archive has
> > compressed size and uncompressed size set to
> greater
> > than the actual file size or less than the actual
> > file
> > size there are many AV that can't scan the file
> > properly.
> >
> > send
> > http://www.geocities.com/visitbipin/Antigen.zip
> >  to virustotal.com and see for yourself!!!
> >
> > Download Accelerator successfully repairs this
> > archive
> > with some garbage data \x00 at the end "255 bytes"
> > Though, i was able to successfully execute
> eicar.com
> > -bipin
> > updates at:
> > http://www.geocities.com/visitbipin/crc.html
> > ___________________My
> report!_______________________
> > This is a report processed by VirusTotal on
> > 03/12/2005
> > at 18:38:32 (CET) after scanning the file
> > "Antigen.zip" file.
> >
> > Antivirus     Version Update  Result   
> > AntiVir       6.30.0.5 03.11.2005   
> Eicar-Test-Signature     
> > AVG   718     03.11.2005      EICAR_Test (+187)  
>     
> > BitDefender 7.0       03.12.2005      no virus
> found   
> > ClamAV        devel-20050307  03.10.2005
> > Eicar-Test-Signature
> >
> > DrWeb 4.32b   03.12.2005 no virus found        
> > eTrust-Iris 7.1.194.0 03.12.2005 no virus found  
>     
> > eTrust-Vet 11.7.0.0 03.11.2005 no virus found  
> > Fortinet 2.51 03.11.2005      no virus found   
> > F-Prot        3.16a   03.11.2005    
> EICAR_Test_File  
> > Ikarus        2.32    03.11.2005    
> EICAR-ANTIVIRUS-TESTFILE         
> > Kaspersky     4.0.2.24        03.12.2005    
> EICAR-Test-File  
> > McAfee        4445    03.11.2005      no virus
> found   
> > NOD32v2       1.1024  03.11.2005      archive
> damaged  
> > Norman        5.70.10 03.10.2005      no virus
> found   
> > Panda 8.02.00 03.12.2005      Eicar.Mod        
> > Sybari        7.5.1314 03.12.2005     no virus
> found   
> > Symantec 8.0  03.11.2005      no virus found 
>
>
>               



               
__________________________________
Do you Yahoo!?
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/