Full Disclosure mailing list archives
RE: Multiple AVVendorIncorrectCRC32BypassVulnerability.
From: "Steve Scholz" <steve_scholz () sybari com>
Date: Sun, 13 Mar 2005 09:49:24 -0500
Sure it is a fair comment. Eicar, a test file, has been corrupted by you changing the archive. Do this with a real virus where the AV scan engine looks at all the content and if certain portions are there it detects it. This PoC only works with Eicar, not any known virus; to me that is no vulnerability.

Steve

________________________________
From: bipin gautam [mailto:visitbipin () yahoo com]
Sent: Sun 3/13/2005 9:06 AM
To: Steve Scholz
Cc: vuln () secunia com; full-disclosure () lists grok org uk; bugtraq () securityfocus com
Subject: RE: [Full-disclosure] Multiple AVVendorIncorrectCRC32BypassVulnerability.

--- Steve Scholz <steve_scholz () sybari com> wrote:
Hi Bipin, Well, just by definition of what Eicar is, all you did was corrupt a file and make it not usable. I am sure that any other executable would do the same. Try it with a real virus; I am sure there will be enough code for the AV scanners to detect.
That's not fair to comment... DID I CORRUPT THE eicar test string? No, I didn't... What did I do... then? In the "local file header" & "data descriptor" of the archive I just changed the compressed size and uncompressed size of the archive to greater than the actual file size. Who then? Well, your unzip utility did... so did the unzip utility built into your AV scanner, so that the eicar was undetectable to most AV because they just check the hash of the file to detect eicars!

Result: Unzip utilities and AV will successfully extract such an archive, filling in some garbage data \x00 at the end (because the uncompressed file size was fake). Still, any malicious code can execute without any problem with the garbage at its bottom. This will successfully bypass AV detection "even for a known malicious code", "MOST OF THE TIME", if the AV detects the executable by comparing its total checksum! It's true for some of those simple little viruses, isn't it?

I didn't alter the eicar test string... in any way. Have a hex dump of the file and see the intact string for yourself! )O; Is my English that bad... so that I can't communicate properly? I hope you understood what I mean to explain.

Moreover, if you are able to forge the CRC right, 'some' old AV may even try to quarantine the test virus (if it detects that); either way it might still result in a DoS if the uncompressed file size is forged to a few hundred MB!@

If you are still unclear about the issue, and wonder how the garbage data came at the end of the file... http://www.geocities.com/visitbipin/winrar.html This old advisory of mine should explain it to you clearly.

bipin
--- Steve Scholz <steve_scholz () sybari com> wrote:

Hi Bipin, By design Eicar needs to be the exact string and on the first line with nothing else following it. So the file is not actually an Eicar. I get this with advanced zip repair. So now we won't detect this because it is not Eicar.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*PK
[binary ZIP header bytes, not renderable here; the entry name "eicar.com" is visible in them]

"not Eicar" so??? (O; It exactly did what it was intended to! TRY IT WITH OTHER EXECUTABLES THEN. In the "local file header" & "data descriptor", if you change the compressed size and uncompressed size to greater than the actual file size, there are many AV that can't scan the file properly. Most unzip utilities will successfully extract such an archive with some garbage data \x00 at the end, "255 bytes". (SO DOES THE AV ENGINE) The garbage data doesn't *that matter, because any malicious code can "execute without any problem" with the garbage still at its end. "This will successfully bypass AV detection even for a known malicious code!" "MOST OF THE TIME", if the AV detects the executable by comparing its total checksum! (but for effectiveness, FORGE the CRC first, for real effectiveness)

regards,
bipin gautam
get the updates in this issue at: http://www.geocities.com/visitbipin/

secunia.com; full-disclosure () lists grok org uk; bugtraq () securityfocus com
Subject: [Full-disclosure] Re: [Private] MultipleAVVendorIncorrectCRC32BypassVulnerability.

Steve, firstly... thank you for all your comments.

The Antigen_s.zip does not contain a valid Eicar. This info when repaired and opened is X5O!P%@AP[4\PZX We did catch it with a file filter. What was your intent with these files?

OOPS! Again my fault!!! TRY: http://www.geocities.com/visitbipin/Antigen.zip
My intention was to show, if the archive has compressed size and uncompressed size set to greater than the actual file size or less than the actual file size, there are many AV that can't scan the file properly. Send http://www.geocities.com/visitbipin/Antigen.zip to virustotal.com and see for yourself!!!
Download Accelerator successfully repairs this archive with some garbage data \x00 at the end, "255 bytes". Though, I was able to successfully execute eicar.com

-bipin
updates at: http://www.geocities.com/visitbipin/crc.html

___________________ My report! _______________________

This is a report processed by VirusTotal on 03/12/2005 at 18:38:32 (CET) after scanning the file "Antigen.zip".

Antivirus     Version         Update       Result
AntiVir       6.30.0.5        03.11.2005   Eicar-Test-Signature
AVG           718             03.11.2005   EICAR_Test (+187)
BitDefender   7.0             03.12.2005   no virus found
ClamAV        devel-20050307  03.10.2005   Eicar-Test-Signature
DrWeb         4.32b           03.12.2005   no virus found
eTrust-Iris   7.1.194.0       03.12.2005   no virus found
eTrust-Vet    11.7.0.0        03.11.2005   no virus found
Fortinet      2.51            03.11.2005   no virus found
F-Prot        3.16a           03.11.2005   EICAR_Test_File
Ikarus        2.32            03.11.2005   EICAR-ANTIVIRUS-TESTFILE
Kaspersky     4.0.2.24        03.12.2005   EICAR-Test-File
McAfee        4445            03.11.2005   no virus found
NOD32v2       1.1024          03.11.2005   archive damaged
Norman        5.70.10         03.10.2005   no virus found
Panda         8.02.00         03.12.2005   Eicar.Mod
Sybari        7.5.1314        03.12.2005   no virus found
Symantec      8.0             03.11.2005   no virus found
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://www.secunia.com/
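The disagreement in this thread comes down to whether a scanner's unpacker trusts the size fields in a ZIP's local file header (or data descriptor) without cross-checking them against the central directory and the bytes actually stored. The checker below is an added example written for this archive page; it is not code from either poster and not part of any of the scanners in the VirusTotal report. It uses only the Python standard library, builds its own well-formed sample archive with a benign payload (no EICAR string) and a constructed fixture with forged size fields, and then reports every inconsistency a defensive unpacker should refuse to repair silently. It goes a little beyond the thread's case: besides a local header that disagrees with the central directory, it also catches a forged central directory record (the inflated data's real length and CRC-32 do not match) and a data descriptor that disagrees with the central directory.

```python
"""Added example: audit a ZIP's local headers, data descriptors and central directory
against the data actually stored, flagging forged size/CRC fields instead of "repairing" them."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
DESC_SIG = b"PK\x07\x08"


def build_sample_zip(name="sample.txt", payload=b"hello world, hello world\n"):
    """Constructed fixture: a well-formed single-entry deflate archive (benign payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def with_forged_sizes(data, compressed_size=None, uncompressed_size=None, where="local"):
    """Constructed fixture: overwrite the size fields of the first local file header
    (field offset 18) or of the first central directory record (field offset 20).
    None keeps the existing value."""
    if where == "local":
        start, off = data.find(LOCAL_SIG), 18
    else:
        start = struct.unpack_from("<I", data, data.rfind(EOCD_SIG) + 16)[0]
        off = 20
    cur_c, cur_u = struct.unpack_from("<II", data, start + off)
    patched = bytearray(data)
    struct.pack_into("<II", patched, start + off,
                     cur_c if compressed_size is None else compressed_size,
                     cur_u if uncompressed_size is None else uncompressed_size)
    return bytes(patched)


def _inflate(method, blob):
    """Return (decompressed bytes, number of bytes of blob the stream really occupied)."""
    if method == 0:                      # stored
        return blob, len(blob)
    if method == 8:                      # raw deflate, as ZIP stores it
        d = zlib.decompressobj(-15)
        raw = d.decompress(blob)
        if not d.eof:
            raise ValueError("deflate stream truncated")
        return raw, len(blob) - len(d.unused_data)
    raise ValueError(f"unsupported compression method {method}")


def audit_zip(data):
    """Return a list of findings; an empty list means every entry is self-consistent."""
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd == -1:
        return ["no end-of-central-directory record"]
    entries, cd_off = struct.unpack_from("<H4xI", data, eocd + 10)
    pos = cd_off
    for _ in range(entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            findings.append(f"bad central directory signature at offset {pos}")
            break
        method, cd_crc, cd_csize, cd_usize, nlen, xlen, clen = struct.unpack_from(
            "<H4xIIIHHH", data, pos + 10)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + xlen + clen

        if data[local_off:local_off + 4] != LOCAL_SIG:
            findings.append(f"{name}: no local header at offset {local_off}")
            continue
        flags, l_method = struct.unpack_from("<HH", data, local_off + 6)
        l_crc, l_csize, l_usize, lnlen, lxlen = struct.unpack_from("<IIIHH", data, local_off + 14)
        data_start = local_off + 30 + lnlen + lxlen
        has_descriptor = bool(flags & 0x08)   # sizes/CRC live after the data instead

        if l_method != method:
            findings.append(f"{name}: compression method differs between local header and central directory")
        if not has_descriptor and (l_crc, l_csize, l_usize) != (cd_crc, cd_csize, cd_usize):
            findings.append(f"{name}: local header crc/sizes {(hex(l_crc), l_csize, l_usize)} "
                            f"differ from central directory {(hex(cd_crc), cd_csize, cd_usize)}")

        blob = data[data_start:data_start + cd_csize]
        if len(blob) < cd_csize:
            findings.append(f"{name}: declared compressed size {cd_csize} runs past end of archive")
            continue
        try:
            raw, consumed = _inflate(method, blob)
        except (ValueError, zlib.error) as exc:
            findings.append(f"{name}: cannot inflate stored data ({exc})")
            continue
        if consumed != cd_csize:
            findings.append(f"{name}: compressed stream ends after {consumed} bytes but {cd_csize} are declared")
        if len(raw) != cd_usize:
            findings.append(f"{name}: inflated to {len(raw)} bytes but uncompressed size {cd_usize} is declared")
        actual_crc = zlib.crc32(raw) & 0xFFFFFFFF
        if actual_crc != cd_crc:
            findings.append(f"{name}: crc32 of inflated data is {actual_crc:#010x}, central directory says {cd_crc:#010x}")
        if has_descriptor:
            desc = data_start + cd_csize
            if data[desc:desc + 4] == DESC_SIG:
                desc += 4
            if struct.unpack_from("<III", data, desc) != (cd_crc, cd_csize, cd_usize):
                findings.append(f"{name}: data descriptor disagrees with central directory")
    return findings


if __name__ == "__main__":
    clean = build_sample_zip()
    print("clean:", audit_zip(clean))
    print("forged local sizes:", audit_zip(with_forged_sizes(clean, 1 << 20, 1 << 20)))
```

The design point is the one NOD32's "archive damaged" verdict in the report above illustrates: an unpacker used for scanning should treat any disagreement between the three places a ZIP records an entry's size and CRC as a reason to flag the archive, not as something to patch up with padding and scan anyway, since a consumer tool that does repair it will still hand the user a runnable file.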