Full Disclosure mailing list archives
RE: Re: Multiple AV Vendor Incorrect CRC32BypassVulnerability.
From: bipin gautam <visitbipin () yahoo com>
Date: Fri, 11 Mar 2005 23:57:40 -0800 (PST)
> While it might be a vulnerability, if the file is extracted, which it has to be to be executed, the desktop scanner will detect it at that time. Multiple layers of defense is your best option. As far as number 3, Antigen detects Eicar.
Yap, I never reported Antigen vulnerable to the 3rd one. Though, in the local file header, if you modify the "general purpose bit flag" (7th & 8th byte of a zip archive) with \x2f, Antigen also seems to be vulnerable! While most unzip utilities are transparently able to extract SUCH* archives without any problem! Though, currently my only source of verifying this is via www.virustotal.com and some others. [Go, TRY IT THERE!]
http://www.geocities.com/visitbipin/gpbf.zip
> I can see if there is anything else that you do not think Antigen is doing correctly.
(O; For instance, in the "local file header" & "data descriptor", if you change the compressed size and uncompressed size to ZERO[iDEFENSE], or greater than the actual file size, or less than the actual file size, there are still many AV that can't scan the file properly.
http://www.geocities.com/visitbipin/Antigen_b.zip
http://www.geocities.com/visitbipin/Antigen_s.zip
Moreover, there are unzip utilities that go into a loop if the file size is changed to ffffffff! Let's hope AV doesn't have such faulty code! Just run the file through www.virustotal.com and you'll see. (I know, they aren't using an up-to-date scan engine.)
Thanks,
bipin
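A scanner-side consistency check for the header tampering discussed in this message, as an added example that is not part of the original post: it compares each member's local file header with its central directory record and reports every field that disagrees. The function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

LFH = struct.Struct("<4s5H3L2H")  # ZIP local file header, fixed 30-byte part
FIELDS = ("flags", "method", "crc32", "compressed_size", "uncompressed_size")

def header_mismatches(data: bytes):
    """Return (member, field, local_value, central_value) for each disagreement
    between a member's local file header and its central directory record."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # opening reads the central directory only
        for info in zf.infolist():
            raw = data[info.header_offset:info.header_offset + LFH.size]
            if len(raw) < LFH.size or raw[:4] != b"PK\x03\x04":
                findings.append((info.filename, "signature", raw[:4], b"PK\x03\x04"))
                continue
            _, _, flags, method, _, _, crc, csize, usize, _, _ = LFH.unpack(raw)
            local = (flags, method, crc, csize, usize)
            central = (info.flag_bits, info.compress_type, info.CRC,
                       info.compress_size, info.file_size)
            for name, lv, cv in zip(FIELDS, local, central):
                # Bit 3 set: CRC and sizes may legitimately be zero here because
                # the real values follow the data in the data descriptor.
                if flags & 0x08 and name not in ("flags", "method") and lv == 0:
                    continue
                if lv != cv:
                    findings.append((info.filename, name, lv, cv))
    return findings

def constructed_samples():
    """Constructed test input: a clean archive and a copy whose local header
    size fields (offsets 18-25) are zeroed, as described in the message."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.txt", "constructed sample data " * 8)
    clean = buf.getvalue()
    tampered = bytearray(clean)
    tampered[18:26] = bytes(8)
    return clean, bytes(tampered)

if __name__ == "__main__":
    clean, tampered = constructed_samples()
    print("clean:   ", header_mismatches(clean))
    print("tampered:", header_mismatches(tampered))
```

A gateway or desktop scanner can treat any non-empty result as grounds to quarantine the archive or to scan it using both sets of header values.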