Full Disclosure mailing list archives
Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning
From: Nigel Horne <njh () bandsman co uk>
Date: Tue, 15 Mar 2005 21:06:05 +0000
On Tuesday 15 Mar 2005 17:29, Rodrigo Barbosa wrote:
> On Tue, Mar 15, 2005 at 05:45:58PM +0100, Dr. Peter Bieringer wrote:
> > > I STILL FIND IT happy to see there are a lot of AV out there that can't scan such a file properly to detect a virus.
> >
> > The problem must be located in the unzip engine: We've created a mixed ZIP now:
> >
> >   # unzip -l mixed-eicar.zip
> >   Archive:  mixed-eicar.zip
> >     Length     Date   Time    Name
> >    --------    ----   ----    ----
> >         308  03-10-05 12:00   Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK^[[2;25m^[[22;30m^[[3q.txt
> >         308  03-10-05 12:00   eicarcom2.zip
> >    --------                   -------
> >         616                   2 files
> >
> > BTW: note here that "unzip" displays the escape sequences very properly!
> >
> > Available here: <ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/mixed-eicar.zip>
> >
> > Some AV software detect the virus only in the second part of the ZIP file, so it looks like the first one is really skipped and not analysed.
>
> F-Prot seems to detect it correctly:

As does clamAV:

[njh@njh tmp]$ clamscan mixed-eicar.zip
mixed-eicar.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 31606
Engine version: devel-20050312
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 0.501 sec (0 m 0 s)

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
njh () despammed com http://www.bandsman.co.uk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
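The thread makes two defensive points: a tool that displays or logs archive member names must escape control characters the way "unzip -l" does, and a scanner must walk every entry rather than stopping at an odd name. The following Python script is an added example (not code from the thread, from ClamAV or from any of the products mentioned) that builds an in-memory ZIP whose first entry carries the same escape sequences as the mixed-eicar.zip listing above (with harmless text as contents, the name is the only point), then lists the archive with caret-style escaping of C0/C1 controls and flags every entry whose raw name contains them. The names `build_sample_zip`, `escape_name`, `has_control_chars` and `list_archive` are my own.

```python
import io
import re
import zipfile

# Constructed sample name: the same control sequences as the first entry of the
# mixed-eicar.zip listing in this thread (BEL, ESC [ 2 J clear-screen, SGR colour
# changes, ESC [ 3 q). Written raw here; the listing below shows them escaped.
TRICKY_NAME = ("Test\x07\x1b[2J\x1b[2;5m\x1b[1;31mHACKER ATTACK"
               "\x1b[2;25m\x1b[22;30m\x1b[3q.txt")


def build_sample_zip() -> bytes:
    """Build a two-entry ZIP in memory; both members hold harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(TRICKY_NAME, "harmless text\n")
        zf.writestr("eicarcom2.zip", "harmless text\n")  # name only, plain text inside
    return buf.getvalue()


# C0 controls (0x00-0x1f), DEL (0x7f) and C1 controls (0x80-0x9f): none of these
# may reach a terminal or a log file unescaped, as they are what terminals act on.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def escape_name(name: str) -> str:
    """Caret-escape control characters the way unzip does: BEL -> ^G, ESC -> ^[,
    DEL -> ^?, C1 controls -> \\xNN. Printable characters pass through unchanged."""
    def sub(m: "re.Match[str]") -> str:
        c = ord(m.group(0))
        if c < 0x20:
            return "^" + chr(c + 0x40)
        if c == 0x7F:
            return "^?"
        return "\\x%02x" % c
    return _CONTROL.sub(sub, name)


def has_control_chars(name: str) -> bool:
    """True if the raw member name contains any C0/C1 control or DEL."""
    return _CONTROL.search(name) is not None


def list_archive(data: bytes):
    """Return one (escaped_name, size, suspicious) row per member, in central
    directory order, never skipping an entry because of its name."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            rows.append((escape_name(info.filename),
                         info.file_size,
                         has_control_chars(info.filename)))
    return rows


if __name__ == "__main__":
    for escaped, size, suspicious in list_archive(build_sample_zip()):
        flag = "  <-- control characters in name" if suspicious else ""
        print("%8d  %s%s" % (size, escaped, flag))
```

Run stand-alone it prints the two entries with the first name rendered exactly as in the unzip listing above and marked as suspicious; `escape_name` is the piece to reuse wherever member names are written to a terminal or a log, and `list_archive` shows the "enumerate everything, flag rather than skip" behaviour a scanner's unzip engine should have.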