Full Disclosure mailing list archives
Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning
From: "Dr. Peter Bieringer" <pbieringer () aerasec de>
Date: Tue, 15 Mar 2005 17:45:58 +0100
--On Tuesday, 15 March 2005 08:34 -0800 bipin gautam <visitbipin () yahoo com> wrote:
I STILL FIND IT happy to see there are lot of AV out there that can't scan such file properly to detect virus.
The problem must be located in the unzip engine: We've created a mixed ZIP now:

    # unzip -l mixed-eicar.zip
    Archive:  mixed-eicar.zip
      Length     Date   Time    Name
     --------    ----   ----    ----
          308  03-10-05 12:00   Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK^[[2;25m^[[22;30m^[[3q.txt
          308  03-10-05 12:00   eicarcom2.zip
     --------                   -------
          616                   2 files

BTW: note here that "unzip" displays the escape sequences very proper!

Available here: <ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/mixed-eicar.zip>

Some AV software detect the virus only in second part of the ZIP file, so it looks like the first one is really skipped and not analysed.
        Peter
--
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Strasse 1                          Mobile: +49-174-9015046
D-85662 Hohenbrunn                             E-Mail: pbieringer () aerasec de
Germany                                      Internet: http://www.aerasec.de
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
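An added example, not part of the original post: a Python sketch of the defensive side of the issue discussed above, listing ZIP members with every non-printable filename character rendered as inert text before it reaches a terminal or log, while still reporting every member. The function names and the in-memory sample archive (modelled on the filename in the listing, with harmless placeholder contents) are constructed for illustration.

```python
import io
import zipfile


def printable(name: str) -> str:
    """Return the name with non-printable characters (ESC, BEL, newlines, ...)
    and backslashes shown as visible escapes, so a terminal never interprets them."""
    out = []
    for ch in name:
        if ch == "\\":
            out.append("\\\\")  # keep the escaped form unambiguous
        elif ch.isprintable():
            out.append(ch)
        else:
            out.append(ch.encode("unicode_escape").decode("ascii"))
    return "".join(out)


def audit_listing(zip_bytes: bytes):
    """Return (safe_name, size, was_escaped) for every member of the archive.
    A member with an odd name is flagged, never dropped from the listing."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            safe = printable(info.filename)
            rows.append((safe, info.file_size, safe != info.filename))
    return rows


def build_sample() -> bytes:
    """Constructed sample: one member whose name carries BEL and ANSI escape
    sequences, one ordinary member. Contents are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Test\x07\x1b[2J\x1b[1;31mHACKER ATTACK.txt", b"placeholder")
        zf.writestr("second.txt", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for safe, size, flagged in audit_listing(build_sample()):
        marker = "  [control characters in name]" if flagged else ""
        print(f"{size:8d}  {safe}{marker}")
```
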