Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning

From: "Michael J. Pomraning" <mjp-bugtraq () securepipe com>
Date: Tue, 15 Mar 2005 13:51:55 -0600 (CST)
On Mon, 14 Mar 2005, Dr. Peter Bieringer wrote:


during investigation of Sober.l we got the idea to replace the spaces of a
filename contained in the ZIP archive by some escape sequences.


[...]


Also we found that at least 2 AV scan programs from 2 vendors do not detect
the virus inside and report "clean" instead.


I think Sophos passes the test.  I find that the underlying API (as exposed
by a python wrapper) is able to detect the viruses in all cases.  For the
command line "sweep" utility, try adding the "-all" switch to your
invocation:

   $ /usr/local/bin/sweep -ss -archive -all unfiltered-escape-sequences-in-filename-eicar.zip 
   >>> Virus 'EICAR-AV-Test' found in file 
unfiltered-escape-sequences-in-filename-eicar.zip/Test_[2J_[2;5m_[1;31mHACKER 
ATTACK_[2;25m_[22;30m_[3q.txt/eicar_com.zip/eicar.com
   $ md5sum unfiltered-escape-sequences-in-filename-eicar.zip 
   38363004047dc11b206305bd3660d68f unfiltered-escape-sequences-in-filename-eicar.zip

This is using engine 2.28.4, as in your tests.  The consituent filenames are
escaped before being displayed, too (sadly excepting ASCII BEL).

Regards,
Mike
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: