Full Disclosure mailing list archives

Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.

From: bipin gautam <visitbipin () yahoo com>
Date: Fri, 11 Mar 2005 07:55:28 -0800 (PST)

In Local file header if you modify "general purpose
bit flag" 7th & 8'th byte of a zip archive with \x2f
ie: "\" F-port, Kaspersky, Mcafee, Norman, Sybari,
Symantec seem to skip the file marking it as clean!!!
This was discoverd during the analysis of "Multiple AV
Vendor Incorrect CRC32 Bypass Vulnerability."

Quick/rough conclusion were drawn using
www.virustotal.com

poc: http://www.geocities.com/visitbipin/gpbf.zip

regards,
bipin gautam





                
__________________________________ 
Do you Yahoo!? 
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/ 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/

Current thread:

Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. bipin gautam (Mar 09)
- Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. Frederic Charpentier (Mar 10)
- Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. Dr. Peter Bieringer (Mar 10)
- <Possible follow-ups>
- Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. bipin gautam (Mar 10)
  - RE: Multiple AV Vendor Incorrect CRC32 BypassVulnerability. Randall M (Mar 10)
- Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. bipin gautam (Mar 10)
- Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. Lise Moorveld (Mar 11)
- Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. bipin gautam (Mar 11)