Bugtraq mailing list archives
Re: eSafe: Could this be exploited?
From: "Oliver () greyhat de" <Oliver () greyhat de>
Date: Fri, 23 Jul 2004 21:49:43 +0200
Hugo van der Kooij wrote:

> Hi,
>
> I had a bit of a chat with Aladdin support regarding the odd results I had with their network virus scanner (aka: eSafe). (See also: http://www.ealaddin.com/esafe/default.asp)
>
> Both as NitroEngine or CVP server they will push as much as 80% to the end user before they stop a virus. Then they rely on the adding of the exact URL so that URL can be blocked in all next requests.
>
> If it is a first-time hit you can get as much as 80% of the payload on your machine, and while they may reset the TCP stream, at least IE does store the 80% chunk as if the file was transferred correctly. (This part I tested with over 30 different virus files.)
>
> First off, this is extremely confusing to the user, who just thinks (s)he just had a virus passing their scanner. (And they are about 80% right.) Then the chunk may contain enough to trigger another scanner which may reside on the desktop of said user, adding further to the belief this is not a good product.
>
> But what if I were to write a really small harmful virus (say less than 2 Ethernet packets)? Or create it in such a way that the last 20 to 25% is expendable without losing its sting?
>
> Is someone able to verify such a virus may work? (I am not a programmer so I can think of the potential breach but I can't verify it is exploitable.)
>
> I have a feeling it is just a matter of time before such a scanner will be bypassed.
>
> Hugo.

Hi, I saw this "feature" already on other vendors' AV proxies, where this 80% thing is a side effect of HTTP comforting of the proxy software. Comforting is that the HTTP client is not running into a timeout.

I think it is possible to generate an exe file and attach some random data, whereby the exe file is about 80% and the random data 20%. And also I think the problem is that the AV does not exactly stop at 80%. So you have to generate multiple "infected" files with 80/20, 81/19, 82/18 and so on. In addition you have to test if, for example, a scripting host file or a binary is still executable if the last few bytes at the end are garbage. AFAIK the PE header on Windows .exe files also includes a checksum/lof of the file..... if I remember right, this checksum is not utilised by Win95/Win98, but by W2K/NT Windows OS. So, there are many circumstances to take care of, but I think it is possible in some cases..... let's try it :)

ok, just some ideas late at night.... :)
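The PE header checksum mentioned above gives a defender a cheap way to tell whether a downloaded executable arrived whole: the field covers the entire file, so a copy that a proxy cut short no longer matches. The following is an added example, not code from the thread; it implements the imagehlp-style checksum in Python and runs it against a constructed, minimal PE-shaped blob (not a real executable) and an 80% truncation of it.

```python
import struct
E_LFANEW_OFFSET = 0x3C            # DOS header field pointing at "PE\0\0"
CHECKSUM_IN_OPT_HEADER = 24 + 64  # signature + COFF header, then CheckSum

def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum; raises if not a PE."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + CHECKSUM_IN_OPT_HEADER

def pe_checksum(data: bytes) -> int:
    """imagehlp-style checksum: 16-bit one's-complement word sum over the
    whole file, skipping the CheckSum field itself, plus the file length."""
    skip = checksum_field_offset(data)
    padded = data + b"\0" * (len(data) % 2)       # pad an odd trailing byte
    total = 0
    for off in range(0, len(padded), 2):
        if skip <= off < skip + 4:               # the field is not summed
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF

def with_checksum(data: bytes) -> bytes:
    """Copy of the image with its CheckSum field filled in."""
    off = checksum_field_offset(data)
    return data[:off] + struct.pack("<I", pe_checksum(data)) + data[off + 4:]

def checksum_matches(data: bytes) -> bool:
    """Non-zero stored CheckSum equals the recomputed one (a cut file fails)."""
    try:
        off = checksum_field_offset(data)
    except ValueError:
        return False
    if len(data) < off + 4:
        return False
    stored = struct.unpack_from("<I", data, off)[0]
    return stored != 0 and stored == pe_checksum(data)

def build_sample_image() -> bytes:
    """Constructed PE-shaped blob for the demo (not a runnable executable):
    DOS header, PE signature, zeroed COFF/PE32 headers, 1 KiB of data."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    headers = b"PE\0\0" + b"\0" * 20 + b"\0" * 96     # COFF + optional hdr
    return dos + headers + bytes(range(256)) * 4
```

Windows itself enforces this field only for kernel-mode images, so a user-mode file with a wrong or zero checksum still loads; the check belongs in the scanner or download tooling, not the loader.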
Current thread:
- eSafe: Could this be exploited? Hugo van der Kooij (Jul 23)
- Re: eSafe: Could this be exploited? Nick FitzGerald (Jul 24)
- Re: eSafe: Could this be exploited? Oliver () greyhat de (Jul 24)
- Re: eSafe: Could this be exploited? 3APA3A (Jul 24)
- Re: eSafe: Could this be exploited? Andreas Constantinides (MegaHz) (Jul 26)
- Re: eSafe: Could this be exploited? MegaHz (Jul 26)
- Re: eSafe: Could this be exploited? Hugo van der Kooij (Jul 27)
- Re: eSafe: Could this be exploited? Kev Ford (Jul 28)
- Re: eSafe: Could this be exploited? Nick FitzGerald (Jul 31)