Full Disclosure mailing list archives
Re: Multiple AV Vendor Incorrect CRC32BypassVulnerability.
From: "Randall M" <randallm () fidmail com>
Date: Fri, 11 Mar 2005 18:19:37 -0600
I scanned the file with McAfee 8.0i and it end up stating that it couldn't scan the EICAR.COM file because it was encrypted. Was this your Intention? ------------------------------ Message: 16 Date: Fri, 11 Mar 2005 07:55:28 -0800 (PST) From: bipin gautam <visitbipin () yahoo com> Subject: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. To: full-disclosure () lists grok org uk Cc: vuln () secunia com Message-ID: <20050311155528.91205.qmail () web31511 mail mud yahoo com> Content-Type: text/plain; charset=us-ascii In Local file header if you modify "general purpose bit flag" 7th & 8'th byte of a zip archive with \x2f ie: "\" F-port, Kaspersky, Mcafee, Norman, Sybari, Symantec seem to skip the file marking it as clean!!! This was discoverd during the analysis of "Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability." Quick/rough conclusion were drawn using www.virustotal.com poc: http://www.geocities.com/visitbipin/gpbf.zip regards, bipin gautam ..................................... RandallM
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://www.secunia.com/
Current thread:
- RE: Multiple AV Vendor Incorrect CRC32BypassVulnerability. Steve Scholz (Mar 11)
- <Possible follow-ups>
- Re: Multiple AV Vendor Incorrect CRC32BypassVulnerability. Randall M (Mar 11)
- RE: Re: Multiple AV Vendor Incorrect CRC32BypassVulnerability. Steve Scholz (Mar 11)
- RE: Re: Multiple AV Vendor Incorrect CRC32BypassVulnerability. bipin gautam (Mar 11)