Full Disclosure mailing list archives
RE: Re: Multiple AV Vendor Incorrect CRC32BypassVulnerability.
From: "Steve Scholz" <steve_scholz () sybari com>
Date: Fri, 11 Mar 2005 23:22:09 -0500
" Nor, anything else in the archive was modified!" You changed the bit that determines if the zip is encrypted! In Local file header if you modify "general purpose bit flag" 7th & 8'th byte of a zip archive with \x2f You changed bit 0 by making the above changes. general purpose bit flag: (2 bytes) Bit 0: If set, indicates that the file is encrypted. (For Method 6 - Imploding) Bit 1: If the compression method used was type 6, Imploding, then this bit, if set, indicates an 8K sliding dictionary was used. If clear, then a 4K sliding dictionary was used. Bit 2: If the compression method used was type 6, Imploding, then this bit, if set, indicates 3 Shannon-Fano trees were used to encode the sliding dictionary output. If clear, then 2 Shannon-Fano trees were used. (For Methods 8 and 9 - Deflating) Bit 2 Bit 1 0 0 Normal (-en) compression option was used. 0 1 Maximum (-exx/-ex) compression option was used. 1 0 Fast (-ef) compression option was used. 1 1 Super Fast (-es) compression option was used. Note: Bits 1 and 2 are undefined if the compression method is any other. Bit 3: If this bit is set, the fields crc-32, compressed size and uncompressed size are set to zero in the local header. The correct values are put in the data descriptor immediately following the compressed data. (Note: PKZIP version 2.04g for DOS only recognizes this bit for method 8 compression, newer versions of PKZIP recognize this bit for any compression method.) Bit 4: Reserved for use with method 8, for enhanced deflating. Bit 5: If this bit is set, this indicates that the file is compressed patched data. (Note: Requires PKZIP version 2.70 or greater) Bit 6: Strong encryption. If this bit is set, you should set the version needed to extract value to at least 50 and you must also set bit 0. If AES encryption is used, the version needed to extract value must be at least 51. Bit 7: Currently unused. Bit 8: Currently unused. Bit 9: Currently unused. Bit 10: Currently unused. Bit 11: Currently unused. Bit 12: Reserved by PKWARE for enhanced compression. Bit 13: Used when encrypting the Central Directory to indicate selected data values in the Local Header are masked to hide their actual values. See the section describing the Strong Encryption Specification for details. Bit 14: Reserved by PKWARE. Bit 15: Reserved by PKWARE. By doing this you did flip the bit that determines if a pkzip type file is considered encrypted. While the file itself might not be you made the program think that it is. I believe this counts as changing something in the archive please correct me if I am wrong. And since all encrypted files can contain viruses with a password in the email it would be a very good idea to delete encrypted zip files from emails. As I have already stated Antigen by default has the ability to do such a thing. Also even if the archive is not encrypted and the header info has been changed to trick the decompression utility to believe it is then it should be deleted. While it might be a vulnerability if the file is extracted which it has to be to be executed the desktop scanner will detect it at that time. Multiple layers of defense is your best option As far as number 3 Antigen detects Eicar. Antigen for SMTP found long_coment.zip->eicar.com.txt infected with the EICAR test string virus. The file is currently Removed. The message, "test", was sent from Steve Test and was discovered in SMTP Messages\Internal located at Sybari Software/SYB-NY-ASD. Number 1. Well you had both the crc change and the change to the general purpose bit flag combined. Once I changed this back to 00 00 as a normal non encrypted archive would be while leaving your crc change in place Antigen detected it with no problem. Antigen for SMTP found crc.zip->eicar.com infected with EICAR_Test_file_not_a_virus virus. The file is currently Removed. The message, "test", was sent from Steve Test and was discovered in SMTP Messages\Internal located at Sybari Software/SYB-NY-ASD. I have included my version of your crc.zip the password is crc please let me know if this is what you intended for the file to do. Also feel free to contact me or give me a phone number I can contact you by so I can see if there is anything else that you do not think Antigen is doing correctly. Steve Scholz Corporate Sales Engineer-North America Sybari Software, Inc. 631-630-8556 Direct 516-903-2464 Mobile Email: Steve_scholz () sybari com MSN IM:Steve_Scholz () Msn com (email never checked) -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of bipin gautam Sent: Friday, March 11, 2005 9:33 PM To: full-disclosure () lists grok org uk; vuldb () securityfocus com Cc: vuln () secunia com Subject: RE: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32BypassVulnerability. 1'st issue: Could anyone verify the existance of both vulnebrility in *Symantec products* cauz it seems like symantec engineers got the *old* broken file that i reported lately and couldn't reproduce the thing. I tried reporting the issue but the message had a broken eicarta string so i think the message wasn't deliverd! I uploaded a wrong file before and the same old file kept on comming from the servers cache. I was able to transperently extract the broken CRC archive using Download accelerator Plus(5.3) with just a warning message. 2'nd issue: NOP, the zip file wasn't "ACTUALLY" encrypted. Nor, anything else in the archive was modified! The archive can be normally be extracted by any unzip utility. I did tested it with winrar 3.2 & with default zip manager of winxp (sp2). 3'rd issue(NEW): Well, tested with F-prot, DrWeb, *Symantec 8.0 long ago... lately verified it using virustotal.com If you have a long archive coment... in a zip archive these AV can't detect virus embedded in it. though a frend of mine reported me symantec 8.1 is immune to the bug. POC: http://www.geocities.com/visitbipin/long_coment.zip --- Randall M <randallm () fidmail com> wrote:
I scanned the file with McAfee 8.0i and it end up stating that it couldn't scan the EICAR.COM file because it was encrypted. Was this your Intention? ------------------------------
--- Steve Scholz <steve_scholz () sybari com> wrote:
You are correct by doing this you are marking the zip file as encrypted. Your option at this time is to turn on the feature delete encrypted compressed files.
Steve Scholz Corporate Sales Engineer-North America Sybari Software, Inc. 631-630-8556 Direct 516-903-2464 Mobile Email: Steve_scholz () sybari com -----Original Message----- From: full-disclosure-bounces () lists grok org uk Subject: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32 BypassVulnerability. In Local file header if you modify "general purpose bit flag" 7th & 8'th byte of a zip archive with \x2f ie: "\" F-port, Kaspersky, Mcafee, Norman, Sybari, Symantec seem to skip the file marking it as clean!!! This was discoverd during the analysis of "Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability." Quick/rough conclusion were drawn using www.virustotal.com poc: http://www.geocities.com/visitbipin/gpbf.zip regards, bipin gautam
__________________________________ Do you Yahoo!? Yahoo! Small Business - Try our new resources site! http://smallbusiness.yahoo.com/resources/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://www.secunia.com/
Attachment:
crc changed.zip
Description: crc changed.zip
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://www.secunia.com/
Current thread:
- RE: Multiple AV Vendor Incorrect CRC32BypassVulnerability. Steve Scholz (Mar 11)
- <Possible follow-ups>
- Re: Multiple AV Vendor Incorrect CRC32BypassVulnerability. Randall M (Mar 11)
- RE: Re: Multiple AV Vendor Incorrect CRC32BypassVulnerability. Steve Scholz (Mar 11)
- RE: Re: Multiple AV Vendor Incorrect CRC32BypassVulnerability. bipin gautam (Mar 11)