Full Disclosure mailing list archives

Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.


From: bipin gautam <visitbipin () yahoo com>
Date: Fri, 11 Mar 2005 07:04:21 -0800 (PST)

eicar.com.txtX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TE in the text file rather than a valid
eicar.
yap, i admit; i uploaded the file... and soon
realized i uploaded the wrong file. But, i think for
at least about 30 minutes i couldn't do anything cause i
was still getting the "OLD" damaged POC from geocities
cache "i guess". So, i instead later put a message,
last updated time, (UPDATED: 5:40:00 GMT, Friday,
March 11, 2005) at,
http://www.geocities.com/visitbipin/crc.html

CHECKED, & double-checked using virustotal.com lately
and found Sybari 7.5.1314 vulnerable!

Well, technically these would be separate
vulnerabilities, wouldn't you say?

well... you can modify general purpose bit flag of,
last mod file time, last mod file date, general purpose
bit flag, compression method [NOT: compression method
or that will damage the archive]. i replace them with
"\x2f".

md5sum of the updated POC.
4888816c4931002a6027ccd7b1025a94

The one tool that i am currently using that
automatically repairs a broken archive (during
extraction) is "Download accelerator plus: 5.3.9.8",
with just a simple warning about the mismatched CRC.
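A defender-side check for the condition discussed in this thread, added here as example code (not from the original post or from any AV vendor): it inflates each ZIP entry itself and compares the computed CRC32 with both the local-header and the central-directory values, so an archive whose header fields were overwritten with junk is flagged for scanning instead of being skipped as "damaged". The in-memory archive, the entry name and the `\x2f` filler bytes are constructed for the demonstration.

```python
import io
import struct
import zipfile
import zlib

LOCAL_HDR = struct.Struct("<IHHHHHIIIHH")  # 30-byte ZIP local file header

def build_zip(payload: bytes, name: str = "eicar.com.txt") -> bytes:
    """Build a one-entry deflated ZIP in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def corrupt_local_crc(zip_bytes: bytes) -> bytes:
    """Overwrite the CRC32 field of the first local header with filler bytes,
    so the header no longer describes the data (constructed, like the POC)."""
    data = bytearray(zip_bytes)
    if data[:4] != b"PK\x03\x04":
        raise ValueError("no local file header at offset 0")
    data[14:18] = b"\x2f" * 4  # crc32 field sits at bytes 14..17 of the header
    return bytes(data)

def check_crcs(zip_bytes: bytes) -> list:
    """Per entry: inflate the data and compare its CRC32 with the local header
    and the central directory. Sizes are taken from the central directory; an
    entry written with a data descriptor (flag bit 3) legitimately has 0 in
    the local CRC field, so only the central value is required to match then."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            (_s, _v, flags, method, _t, _d, local_crc,
             _cs, _us, nlen, elen) = LOCAL_HDR.unpack(zip_bytes[off:off + 30])
            start = off + 30 + nlen + elen
            raw = zip_bytes[start:start + info.compress_size]
            if method == zipfile.ZIP_STORED:
                plain = raw
            elif method == zipfile.ZIP_DEFLATED:
                plain = zlib.decompress(raw, -zlib.MAX_WBITS)  # raw deflate
            else:
                plain = None  # unsupported method: never trust, always flag
            actual = zlib.crc32(plain) & 0xFFFFFFFF if plain is not None else None
            streamed = bool(flags & 0x08)
            ok = actual is not None and actual == info.CRC and (streamed or actual == local_crc)
            report.append({"name": info.filename, "local_crc": local_crc,
                           "central_crc": info.CRC, "actual_crc": actual, "ok": ok})
    return report

def suspicious_entries(zip_bytes: bytes) -> list:
    """Entries a scanner must still inspect because some CRC field disagrees."""
    return [r["name"] for r in check_crcs(zip_bytes) if not r["ok"]]
```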
