Full Disclosure mailing list archives
Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning
From: "Michael J. Pomraning" <mjp-bugtraq () securepipe com>
Date: Tue, 15 Mar 2005 13:51:55 -0600 (CST)
On Mon, 14 Mar 2005, Dr. Peter Bieringer wrote:
> during investigation of Sober.l we got the idea to replace the spaces of a filename contained in the ZIP archive by some escape sequences.
> [...]
> Also we found that at least 2 AV scan programs from 2 vendors do not detect the virus inside and report "clean" instead.
I think Sophos passes the test. I find that the underlying API (as exposed by a python wrapper) is able to detect the viruses in all cases. For the command line "sweep" utility, try adding the "-all" switch to your invocation:

$ /usr/local/bin/sweep -ss -archive -all unfiltered-escape-sequences-in-filename-eicar.zip
>>> Virus 'EICAR-AV-Test' found in file unfiltered-escape-sequences-in-filename-eicar.zip/Test_[2J_[2;5m_[1;31mHACKER ATTACK_[2;25m_[22;30m_[3q.txt/eicar_com.zip/eicar.com
$ md5sum unfiltered-escape-sequences-in-filename-eicar.zip
38363004047dc11b206305bd3660d68f unfiltered-escape-sequences-in-filename-eicar.zip

This is using engine 2.28.4, as in your tests. The constituent filenames are escaped before being displayed, too (sadly excepting ASCII BEL).

Regards,
Mike

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
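The defensive counterpart to what the thread describes, as an added example (not code from either poster or from Sophos): walk a ZIP's member names the way an archive scanner does, including nested archives, flag any name carrying control characters, and render the name with visible tokens before it reaches a terminal or log. The sample archive and its member names are constructed here; the escaped path and the nested "eicar.com" layout only mirror the thread's sweep output, and BEL is included because the reply notes it was left unescaped.

```python
import io
import re
import zipfile

# Any C0 control byte or DEL. This catches ESC (0x1b), which opens the ANSI
# sequences shown in the thread, and BEL (0x07), which the reply says Sophos
# did not escape on display.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
CONTROL_NAMES = {0x07: "BEL", 0x09: "TAB", 0x0a: "LF", 0x0d: "CR", 0x1b: "ESC", 0x7f: "DEL"}


def escape_name(name: str) -> str:
    """Make a member name safe to print or log: each control character becomes
    a visible token such as <ESC> or <BEL> instead of reaching the terminal."""
    def token(m):
        code = ord(m.group())
        return "<%s>" % CONTROL_NAMES.get(code, "x%02X" % code)
    return CONTROL_CHARS.sub(token, name)


def scan_member_names(zip_bytes: bytes, prefix: str = "") -> list:
    """Walk every member of a ZIP (recursing into nested ZIPs as an archive
    scanner does) and return (escaped path, raw name) for each member whose
    stored name contains control characters."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            path = prefix + escape_name(info.filename)
            if CONTROL_CHARS.search(info.filename):
                findings.append((path, info.filename))
            data = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(data)):
                findings.extend(scan_member_names(data, path + "/"))
    return findings


def build_sample() -> bytes:
    """Constructed sample: an outer ZIP whose member name carries ANSI escape
    sequences and a BEL, and which itself wraps a nested ZIP (no real test virus)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("eicar.com", b"placeholder body, not the EICAR string")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Test_\x1b[2J\x1b[1;31mHACKER ATTACK\x1b[22;30m\x07.zip", inner.getvalue())
        zf.writestr("readme.txt", b"harmless")
    return outer.getvalue()


if __name__ == "__main__":
    for path, _raw in scan_member_names(build_sample()):
        print("control characters in member name:", path)
```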