Full Disclosure mailing list archives

RE: Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.


From: bipin gautam <visitbipin () yahoo com>
Date: Fri, 11 Mar 2005 18:32:42 -0800 (PST)

1st issue: Could anyone verify the existence of both
vulnerabilities in *Symantec products*? Because it seems
like Symantec engineers got the *old* broken file that I
reported lately and couldn't reproduce the thing. I
tried reporting the issue but the message had a broken
EICAR test string so I think the message wasn't delivered!
I uploaded a wrong file before and the same old file
kept on coming from the server's cache. I was able to
transparently extract the broken CRC archive using
Download Accelerator Plus (5.3) with just a warning
message.

2nd issue: NOP, the zip file wasn't "ACTUALLY"
encrypted. Nor was anything else in the archive
modified! The archive can normally be extracted by
any unzip utility. I did test it with WinRAR 3.2 and
with the default zip manager of WinXP (SP2).

3rd issue (NEW): Well, tested with F-Prot, DrWeb,
*Symantec 8.0 long ago... lately verified it using
virustotal.com. If you have a long archive comment in
a zip archive, these AVs can't detect a virus embedded in
it. Though a friend of mine reported to me that Symantec 8.1 is
immune to the bug.

POC:
http://www.geocities.com/visitbipin/long_coment.zip


--- Randall M <randallm () fidmail com> wrote:
I scanned the file with McAfee 8.0i and it ended up
stating that it couldn't scan the EICAR.COM file
because it was encrypted. Was this your intention?

------------------------------
--- Steve Scholz <steve_scholz () sybari com> wrote:

You are correct: by doing this you are marking the
zip file as encrypted.

Your option at this time is to turn on the feature
"delete encrypted compressed files".


Steve Scholz
Corporate Sales Engineer-North America
Sybari Software, Inc.
631-630-8556 Direct
516-903-2464 Mobile

Email:  Steve_scholz () sybari com

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
Subject: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.

In the Local file header, if you modify the "general purpose
bit flag" (7th & 8th bytes of a zip archive) with \x2f,
ie: "\", F-Prot, Kaspersky, McAfee, Norman, Sybari,
Symantec seem to skip the file, marking it as
clean!!!
This was discovered during the analysis of "Multiple
AV Vendor Incorrect CRC32 Bypass Vulnerability."

Quick/rough conclusions were drawn using
www.virustotal.com

poc: http://www.geocities.com/visitbipin/gpbf.zip

regards,
bipin gautam
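The three conditions discussed in this thread (an archive whose general purpose bit flag claims encryption while the data is plain, a stored CRC32 that does not match the entry data, and an oversized archive comment) are all visible to anyone who parses the ZIP structure instead of trusting it. The following is an added example written for this archive page, not code from the poster or from any of the named vendors: a small structural auditor that walks the central directory, cross-checks each local file header, and reports each inconsistency so a scanner can treat the archive as suspect rather than silently marking it clean. The `MAX_COMMENT` threshold, the file name `sample.txt`, and the payload bytes are constructed for the example; the fixtures are hand-assembled so they can carry the header values under test.

```python
"""Structural consistency checks for ZIP archives (added example)."""
import io
import struct
import zipfile
import zlib

LFH_SIG = b"PK\x03\x04"          # local file header
CDH_SIG = b"PK\x01\x02"          # central directory header
EOCD_SIG = b"PK\x05\x06"         # end of central directory record
FLAG_ENCRYPTED = 0x0001          # general purpose bit flag, bit 0
FLAG_DATA_DESCRIPTOR = 0x0008    # CRC/sizes live after the data, not in the LFH
MAX_COMMENT = 256                # policy threshold chosen for this example (assumption)


def _entry_crc(method, data):
    """CRC32 of the entry's plaintext, or None if the data can't be decoded."""
    if method == 0:                                   # stored
        return zlib.crc32(data)
    if method == 8:                                   # deflate (raw stream)
        try:
            return zlib.crc32(zlib.decompressobj(-15).decompress(data))
        except zlib.error:
            return None
    return None


def audit_zip(buf):
    """Return a list of findings; an empty list means the structure is consistent."""
    findings = []
    eocd = buf.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    entries, _cd_size, cd_offset, comment_len = struct.unpack_from("<HIIH", buf, eocd + 10)
    if comment_len > MAX_COMMENT:
        findings.append(f"archive comment is {comment_len} bytes (limit {MAX_COMMENT})")

    pos = cd_offset
    for _ in range(entries):
        if buf[pos:pos + 4] != CDH_SIG:
            findings.append(f"bad central directory signature at offset {pos}")
            break
        (cd_flags, cd_method, cd_crc, cd_csize, _usize,
         name_len, extra_len, fcomment_len) = struct.unpack_from("<HH4xIIIHHH", buf, pos + 8)
        lfh_off = struct.unpack_from("<I", buf, pos + 42)[0]
        name = buf[pos + 46:pos + 46 + name_len].decode("cp437", "replace")
        pos += 46 + name_len + extra_len + fcomment_len

        if fcomment_len > MAX_COMMENT:
            findings.append(f"{name}: file comment is {fcomment_len} bytes (limit {MAX_COMMENT})")
        if buf[lfh_off:lfh_off + 4] != LFH_SIG:
            findings.append(f"{name}: bad local header signature at offset {lfh_off}")
            continue
        (lfh_flags, lfh_method, lfh_crc, _c, _u,
         l_name_len, l_extra_len) = struct.unpack_from("<HH4xIIIHH", buf, lfh_off + 6)
        # The two copies of the metadata must agree (the CRC may legitimately be
        # zero in the LFH when a data descriptor is used).
        mismatch = lfh_flags != cd_flags or lfh_method != cd_method
        if not (lfh_flags & FLAG_DATA_DESCRIPTOR) and lfh_crc != cd_crc:
            mismatch = True
        if mismatch:
            findings.append(f"{name}: local header disagrees with central directory")

        start = lfh_off + 30 + l_name_len + l_extra_len
        actual = _entry_crc(cd_method, buf[start:start + cd_csize])
        if cd_flags & FLAG_ENCRYPTED:
            # Many tools skip an entry on this flag alone; if the bytes still
            # check out as plaintext, the flag is lying and the content is scannable.
            if actual == cd_crc:
                findings.append(f"{name}: encryption flag set but data is plaintext")
            else:
                findings.append(f"{name}: encrypted entry, content not scannable")
        elif actual is None:
            findings.append(f"{name}: cannot decode entry data (method {cd_method})")
        elif actual != cd_crc:
            findings.append(f"{name}: CRC32 mismatch (header {cd_crc:08x}, data {actual:08x})")
    return findings


def build_stored_zip(name, data, flags=0, crc=None, archive_comment=b""):
    """Hand-assemble a single-entry stored ZIP (constructed test fixture)."""
    crc = zlib.crc32(data) if crc is None else crc
    n = len(data)
    lfh = LFH_SIG + struct.pack("<HHHHHIIIHH", 10, flags, 0, 0, 0, crc, n, n, len(name), 0) + name
    cdh = CDH_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 10, flags, 0, 0, 0, crc, n, n,
                                len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(cdh), len(lfh) + n,
                                  len(archive_comment)) + archive_comment
    return lfh + data + cdh + eocd


SAMPLE = b"harmless sample text\n"   # constructed payload, deliberately not a test virus
NAME = b"sample.txt"                  # constructed entry name


def demo():
    """Audit one consistent fixture and three inconsistent ones from the thread."""
    fixtures = {
        "clean": build_stored_zip(NAME, SAMPLE),
        "bad_flag": build_stored_zip(NAME, SAMPLE, flags=FLAG_ENCRYPTED),
        "bad_crc": build_stored_zip(NAME, SAMPLE, crc=0xDEADBEEF),
        "long_comment": build_stored_zip(NAME, SAMPLE, archive_comment=b"A" * 300),
    }
    # Sanity check: the clean fixture is a valid archive for the standard library.
    assert zipfile.ZipFile(io.BytesIO(fixtures["clean"])).read("sample.txt") == SAMPLE
    return {label: audit_zip(buf) for label, buf in fixtures.items()}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or "OK")
```

The point of comparing the local header against the central directory and against the actual bytes is that a scanner which honours whichever field says "skip me" inherits the evasion; a scanner which refuses to call an inconsistent archive clean does not.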



                
__________________________________ 
Do you Yahoo!? 
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/ 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/