Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Multiple AV Vendor Incorrect CRC32BypassVulnerability.

From: "Randall M" <randallm () fidmail com>
Date: Fri, 11 Mar 2005 18:19:37 -0600
I scanned the file with McAfee 8.0i and it end up stating that it couldn't
scan the EICAR.COM file because it was encrypted. Was this your
Intention?

------------------------------

Message: 16
Date: Fri, 11 Mar 2005 07:55:28 -0800 (PST)
From: bipin gautam <visitbipin () yahoo com>
Subject: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32
        Bypass  Vulnerability.
To: full-disclosure () lists grok org uk
Cc: vuln () secunia com
Message-ID: <20050311155528.91205.qmail () web31511 mail mud yahoo com>
Content-Type: text/plain; charset=us-ascii

In Local file header if you modify "general purpose
bit flag" 7th & 8'th byte of a zip archive with \x2f
ie: "\" F-port, Kaspersky, Mcafee, Norman, Sybari,
Symantec seem to skip the file marking it as clean!!!
This was discoverd during the analysis of "Multiple AV
Vendor Incorrect CRC32 Bypass Vulnerability."

Quick/rough conclusion were drawn using
www.virustotal.com

poc: http://www.geocities.com/visitbipin/gpbf.zip

regards,
bipin gautam

.....................................


RandallM





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: