Full Disclosure mailing list archives

Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning


From: "Dr. Peter Bieringer" <pbieringer () aerasec de>
Date: Wed, 16 Mar 2005 10:48:45 +0100



--On Dienstag, 15. März 2005 13:51 -0600 "Michael J. Pomraning" <mjp-bugtraq () securepipe com> wrote:

   $ /usr/local/bin/sweep -ss -archive -all unfiltered-escape-sequences-in-filename-eicar.zip
   >>> Virus 'EICAR-AV-Test' found in file unfiltered-escape-sequences-in-filename-eicar.zip/Test_[2J_[2;5m_[1;31mHACKER ATTACK_[2;25m_[22;30m_[3q.txt/eicar_com.zip/eicar.com
   $ md5sum unfiltered-escape-sequences-in-filename-eicar.zip
   38363004047dc11b206305bd3660d68f  unfiltered-escape-sequences-in-filename-eicar.zip

This is using engine 2.28.4, as in your tests.  The constituent filenames
are escaped before being displayed, too (sadly excepting ASCII BEL).

ASCII BS is not escaped either; we've created an additional ZIP file for testing:

Available here:
<ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/mixed2-eicar.zip>

$ unzip -l mixed2-eicar.zip
Archive:  mixed2-eicar.zip
 Length     Date   Time    Name
--------    ----   ----    ----
     308  03-10-05 12:00   eicarcom2.zip^H^H^Htxt
     308  03-10-05 12:00   eicarcom2.zip
--------                   -------
     616

$ /usr/local/bin/sweep -sc -nc -ss  -archive -all mixed2-eicar.zip
Virus 'EICAR-AV-Test' found in file
mixed2-eicar.zip/eicarcom2.txt/eicar_com.zip/eicar.com
Virus 'EICAR-AV-Test' found in file
mixed2-eicar.zip/eicarcom2.zip/eicar_com.zip/eicar.com

Note the difference: eicarcom2.txt <-> eicarcom2.zip

Regards,
        Peter
--
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Strasse 1                          Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer () aerasec de
Germany                                Internet: http://www.aerasec.de
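The two effects discussed in this thread (a terminal rendering `zip^H^H^Htxt` as `txt`, and a scanner or log viewer printing member names containing raw control characters) can be reproduced and checked for from the defender's side with a few lines of Python. The following is an added example and is not part of the advisory or of the scanner's output above; it builds a constructed in-memory ZIP whose member names mimic the ones shown (with placeholder contents, not the EICAR test string), renders each name in caret notation so it is safe to log, simulates how a terminal's backspace handling would display it, and flags any member whose name carries C0 control characters or DEL. The function names are mine.

```python
import io
import zipfile
from typing import List, Tuple

# Constructed test input: member names modelled on the listing in the thread.
# Contents are placeholder text, deliberately not a test virus string.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # three ASCII BS (0x08) so "zip" is overwritten by "txt" on a terminal
        zf.writestr("eicarcom2.zip\x08\x08\x08txt", "placeholder")
        zf.writestr("eicarcom2.zip", "placeholder")
        # ESC (0x1b) sequences: clear screen, set red, reset
        zf.writestr("Test_\x1b[2J\x1b[1;31mHACKER ATTACK\x1b[0m.txt", "placeholder")
    return buf.getvalue()

def escape_name(name: str) -> str:
    """Render a member name for logging: C0 controls become ^X caret notation
    (BS -> ^H, ESC -> ^[), DEL becomes ^?, everything else is passed through."""
    out = []
    for ch in name:
        code = ord(ch)
        if code < 0x20:
            out.append("^" + chr(code + 0x40))
        elif code == 0x7F:
            out.append("^?")
        else:
            out.append(ch)
    return "".join(out)

def has_control_chars(name: str) -> bool:
    """True if the name contains any C0 control character or DEL."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name)

def simulate_backspace_display(name: str) -> str:
    """Approximate what a terminal shows when BS moves the cursor one cell left
    and the next printable character overwrites that cell."""
    cells: List[str] = []
    cursor = 0
    for ch in name:
        if ch == "\x08":
            cursor = max(0, cursor - 1)
            continue
        if cursor < len(cells):
            cells[cursor] = ch
        else:
            cells.append(ch)
        cursor += 1
    return "".join(cells)

def audit_zip(data: bytes) -> List[Tuple[str, str, bool]]:
    """For every member: (escaped name, what a terminal would show, flagged)."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            results.append((escape_name(name),
                            simulate_backspace_display(name),
                            has_control_chars(name)))
    return results

if __name__ == "__main__":
    for escaped, shown, flagged in audit_zip(build_sample_zip()):
        print(f"{'FLAG' if flagged else 'ok  '}  logged as: {escaped!r}  terminal shows: {shown!r}")
```

The point of the third column is the one Peter makes with `eicarcom2.txt <-> eicarcom2.zip`: the on-screen name and the name actually stored in the archive differ, so any decision (scan, allow, log) must be made on the raw stored name, and anything written to a log or terminal should go through an escaping step like `escape_name` first.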

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
