Full Disclosure mailing list archives

Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.

From: Frederic Charpentier <fcharpen () xmcopartners com>
Date: Thu, 10 Mar 2005 02:28:55 -0800

Hi, I saw this behaviour last week with the virus "MyDoom.BE".

I use the mail gateway with Clamav/Amavis. Clamav doesn't detect thevirus embeded in the zip file (with a crc broken).

But, Trendmicro detects it.

Fred.

bipin gautam wrote:

Multiple AV Vendor Incorrect CRC32 Bypass
Vulnerability.

Affected Product:
AVG 718
Sybari (Antigen for M$ exchange) 7.5.1314
Symantec 8.0
McAfee 4442
BitDefender 7.0


Description:
if you create a zip archive with invalid CRC
checksum...... some AV skip scanning the archive
marking it as clean........ by this way, you can
bypass antivirus gateways and slip in any attachment
without scanning the archive. Moreover, these days....
software tools automatically repair a *broken*
archive.

Vendor notification: I've lost faith in responsible
disclosure... long ago! Moreover, vendors don't
respond in timely manner.

regards,
Bipin Gautam
http://www.geocities.com/visitbipin/


Disclaimer: The information in the advisory is
believed to be accurate at the time of printing based
on currently available information. Use of the
information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this
information. Neither the author nor the publisher
accepts any liability for any direct, indirect or
consequential loss or damage arising from use of, or
reliance on this information.


__________________________________________________
Do You Yahoo!?

Tired of spam? Yahoo! Mail has the best spam protection aroundhttp://mail.yahoo.com_______________________________________________

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/



--
_______________________________________
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/

Current thread:

Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. bipin gautam (Mar 09)
- Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. Frederic Charpentier (Mar 10)
- Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. Dr. Peter Bieringer (Mar 10)
- <Possible follow-ups>
- Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. bipin gautam (Mar 10)
  - RE: Multiple AV Vendor Incorrect CRC32 BypassVulnerability. Randall M (Mar 10)
- Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. bipin gautam (Mar 10)
- Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. Lise Moorveld (Mar 11)
- Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. bipin gautam (Mar 11)