Full Disclosure mailing list archives

Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning


From: Nigel Horne <njh () bandsman co uk>
Date: Tue, 15 Mar 2005 21:06:05 +0000

On Tuesday 15 Mar 2005 17:29, Rodrigo Barbosa wrote:
On Tue, Mar 15, 2005 at 05:45:58PM +0100, Dr. Peter Bieringer wrote:
I STILL FIND IT happy to
see there are a lot of AV out there that can't scan such a
file properly to detect the virus.

The problem must be located in the unzip engine:

We've created a mixed ZIP now:

# unzip -l mixed-eicar.zip
Archive:  mixed-eicar.zip
 Length     Date   Time    Name
--------    ----   ----    ----
     308  03-10-05 12:00   Test^G^[[2J^[[2;5m^[[1;31mHACKER
ATTACK^[[2;25m^[[22;30m^[[3q.txt
     308  03-10-05 12:00   eicarcom2.zip
--------                   -------
     616                   2 files


BTW: note here that "unzip" displays the escape sequences very properly!

Available here:
<ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/mixed-eicar.zip>

Some AV software detect the virus only in the second part of the ZIP file, so
it looks like the first one is really skipped and not analysed.

F-Prot seems to detect it correctly:

As does ClamAV:
[njh@njh tmp]$ clamscan mixed-eicar.zip
mixed-eicar.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 31606
Engine version: devel-20050312
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 0.501 sec (0 m 0 s)

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
njh () despammed com http://www.bandsman.co.uk
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
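An added example, not part of this thread or of any of the tools mentioned in it: a small Python audit that lists ZIP members the way `unzip -l` does, but escapes control and ESC bytes before they reach a terminal or a log and flags the affected entries. The archive it inspects is constructed in memory, modelled on the mixed ZIP above, with placeholder member contents rather than the EICAR string.

```python
"""Audit ZIP member names for terminal escape sequences before display/logging."""
import io
import re
import zipfile
from typing import Dict, List

# C0 controls (incl. BEL 0x07 and ESC 0x1b), DEL and C1 controls have no
# business in a file name; any of them is enough to flag the entry.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def escape_name(name: str) -> str:
    """Render a member name so control bytes cannot act on a terminal or log viewer."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), name)


def audit_zip(data: bytes) -> List[Dict]:
    """Walk the central directory and report every member with a safe name.

    Every entry is reported, so a listing that shows fewer members than the
    archive actually holds points at a reader that stopped early.
    """
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report.append({
                "name": escape_name(info.filename),
                "size": info.file_size,
                "suspicious": bool(CONTROL_RE.search(info.filename)),
            })
    return report


def build_sample() -> bytes:
    """Constructed sample: a two-member archive shaped like the mixed ZIP in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # First member name carries BEL, clear-screen and colour sequences;
        # the contents are harmless placeholders, not a test signature.
        zf.writestr("Test\x07\x1b[2J\x1b[1;31mHACKER ATTACK\x1b[22;30m.txt",
                    b"placeholder member one\n")
        zf.writestr("second.txt", b"placeholder member two\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in audit_zip(build_sample()):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print("%8d  %-10s %s" % (entry["size"], flag, entry["name"]))
```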