Full Disclosure mailing list archives
RE: Re: Multiple AV Vendor IncorrectCRC32BypassVulnerability.
From: "Steve Scholz" <steve_scholz () sybari com>
Date: Sat, 12 Mar 2005 10:33:48 -0500
Sat Mar 12 10:26:35 2005 (4320-4292), "INFORMATION: Internet scan found virus: Folder: SMTP Messages\Internal Message: test b File: Antigen_b.zip Incident: Large uncompressed size State: Removed"

The Antigen_s.zip does not contain a valid EICAR; this info, when repaired and opened, is X5O!P%@AP[4\PZX. We did catch it with a file filter.

Sat Mar 12 10:32:29 2005 (4320-4292), "INFORMATION: Internet scan found virus: Folder: SMTP Messages\Internal Message: Fw: test File: Antigen_s.zip->eicar.com Incident: FILE FILTER= *.com State: Removed"

What was your intent with these files?

Steve Scholz
Corporate Sales Engineer-North America
Sybari Software, Inc.
631-630-8556 Direct
516-903-2464 Mobile
Email: Steve_scholz () sybari com
MSN IM: Steve_Scholz () Msn com (email never checked)

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of bipin gautam
Sent: Saturday, March 12, 2005 2:58 AM
To: Steve Scholz; vuln () secunia com
Cc: full-disclosure () lists grok org uk; vuldb () securityfocus com
Subject: RE: [Full-disclosure] Re: Multiple AV Vendor IncorrectCRC32BypassVulnerability.
While it might be a vulnerability if the file is extracted, which it has to be to be executed, the desktop scanner will detect it at that time. Multiple layers of defense are your best option. As far as number 3, Antigen detects Eicar.
YAP, I never reported Antigen vulnerable to the 3rd one. Though, in the local file header, if you modify the "general purpose bit flag" (7th & 8th byte of a zip archive) with \x2f, Antigen also seems to be vulnerable! While most unzip utilities are transparently able to extract SUCH* archives without any problem! Though, currently my only source of verifying this is via www.virustotal.com and some others. [Go, TRY IT THERE!]
http://www.geocities.com/visitbipin/gpbf.zip
I can see if there is anything else that you do not think Antigen is doing correctly.
(O; For instance, in the "local file header" & "data descriptor", if you change the compressed size and uncompressed size to ZERO [iDEFENSE], or to greater than the actual file size, or to less than the actual file size, there are still many AVs that can't scan the file properly.
http://www.geocities.com/visitbipin/Antigen_b.zip
http://www.geocities.com/visitbipin/Antigen_s.zip
Moreover, there are unzip utilities that go into a loop if the filesize is changed to ffffffff! Let's hope AVs don't have such faulty code! Just run the file through www.virustotal.com and you'll see. (I know, they aren't using an up-to-date scan engine.)

Thanks,
bipin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
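The technique discussed in the thread above, as an added illustration that is not part of the original messages and not Sybari's or any vendor's code: a ZIP whose local file header has been edited (general purpose bit flag overwritten, compressed/uncompressed sizes set to zero, to 0xFFFFFFFF, or to a wrong value) while the central directory is left intact. Extractors that drive from the central directory still unpack the member; a scanner that trusts only the local header sees an empty, truncated or oversized member. The script builds its own sample archive (the member name "hello.txt" and its payload are constructed here; gpbf.zip, Antigen_b.zip and Antigen_s.zip from the thread are not used), shows that Python's zipfile still extracts the tampered variants, shows what a local-header-only walker would read, and flags every field on which the local header and the central directory disagree. The tampering helper assumes the first local header sits at offset 0, which is true for archives written by zipfile but not for self-extracting stubs.

```python
"""Cross-check ZIP local file headers against the central directory."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"          # 30-byte local file header
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"  # 46-byte central directory header
EOCD_FMT = "<4sHHHHIIH"              # 22-byte end-of-central-directory record
DATA_DESCRIPTOR_BIT = 0x0008          # GPBF bit 3: crc/sizes legitimately live after the data


def build_archive(name: bytes, payload: bytes) -> bytes:
    """Constructed sample: a single stored (uncompressed) member written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name.decode(), payload)
    return buf.getvalue()


def tamper_local_header(blob: bytes, flag=None, csize=None, usize=None) -> bytes:
    """Overwrite fields of the first local file header only; the central directory is untouched.
    Assumes that header is at offset 0 (true for zipfile output, not for SFX archives)."""
    out = bytearray(blob)
    if flag is not None:
        struct.pack_into("<H", out, 6, flag)    # bytes 7-8 (1-based): general purpose bit flag
    if csize is not None:
        struct.pack_into("<I", out, 18, csize)  # compressed size
    if usize is not None:
        struct.pack_into("<I", out, 22, usize)  # uncompressed size
    return bytes(out)


def extract_with_zipfile(blob: bytes, name: str) -> bytes:
    """zipfile reads sizes, CRC and flags from the central directory, so the real payload comes back."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name)


def naive_local_walk(blob: bytes) -> bytes:
    """What a scanner that trusts only the first local header takes as member data:
    `compressed size` bytes after the header.  Size 0 -> nothing to scan;
    0xFFFFFFFF -> it wants far more than exists (a C parser reads past the end or loops)."""
    lf = struct.unpack_from(LOCAL_FMT, blob, 0)
    data_start = 30 + lf[9] + lf[10]            # header + filename length + extra length
    return blob[data_start:data_start + lf[7]]  # lf[7] is the local compressed size


def check_headers(blob: bytes) -> list:
    """Return (member, field, central_value, local_value) for every disagreement.
    A robust gateway scanner should treat any such mismatch as suspicious."""
    eocd_pos = blob.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, n_entries, _, cd_offset, _ = struct.unpack_from(EOCD_FMT, blob, eocd_pos)
    findings, pos = [], cd_offset
    for _ in range(n_entries):
        cd = struct.unpack_from(CENTRAL_FMT, blob, pos)
        if cd[0] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at %d" % pos)
        (_, _, _, c_flag, _, _, _, c_crc, c_csize, c_usize,
         fnlen, exlen, comlen, _, _, _, lh_off) = cd
        name = blob[pos + 46:pos + 46 + fnlen].decode("cp437")
        pos += 46 + fnlen + exlen + comlen
        lf = struct.unpack_from(LOCAL_FMT, blob, lh_off)
        if lf[0] != LOCAL_SIG:
            findings.append((name, "signature", LOCAL_SIG, lf[0]))
            continue
        _, _, l_flag, _, _, _, l_crc, l_csize, l_usize, _, _ = lf
        pairs = [("flag", c_flag, l_flag)]
        if not c_flag & DATA_DESCRIPTOR_BIT:   # with bit 3 set, local crc/sizes are expected to be 0
            pairs += [("crc32", c_crc, l_crc), ("compressed_size", c_csize, l_csize),
                      ("uncompressed_size", c_usize, l_usize)]
        findings += [(name, f, c, l) for f, c, l in pairs if c != l]
    return findings


if __name__ == "__main__":
    name, payload = "hello.txt", b"constructed sample payload\n"
    good = build_archive(name.encode(), payload)
    variants = {
        "flag=0x2f2f": tamper_local_header(good, flag=0x2F2F),
        "sizes=0": tamper_local_header(good, csize=0, usize=0),
        "sizes=0xffffffff": tamper_local_header(good, csize=0xFFFFFFFF, usize=0xFFFFFFFF),
    }
    for label, blob in variants.items():
        print(label)
        print("  zipfile extracts real payload:", extract_with_zipfile(blob, name) == payload)
        print("  local-header-only walker sees %d bytes" % len(naive_local_walk(blob)))
        for finding in check_headers(blob):
            print("  mismatch:", finding)
```

The point the checker makes is the one Steve and bipin are circling: the extractor on the desktop and the scanner at the gateway must agree on which header is authoritative. Most extractors follow the central directory, so a scanner that walks local headers and honours their size fields can be told "this member is empty" while the user still gets the full file. Parsing from the central directory, or refusing archives where the two disagree (outside the legitimate data-descriptor case handled above), closes that gap.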
Current thread:
- RE: Re: Multiple AV Vendor IncorrectCRC32BypassVulnerability. Steve Scholz (Mar 12)
- Re: [Private]Multiple AV Vendor IncorrectCRC32BypassVulnerability. bipin gautam (Mar 12)