Full Disclosure mailing list archives
Re: NUL Character Evasion
From: "Williams, James K" <James.Williams () ca com>
Date: Fri, 16 Sep 2005 12:05:05 -0400
List: full-disclosure Subject: Re: [Full-disclosure] NUL Character Evasion From: fd () ew ! nsci ! us Date: 2005-09-15 19:57:30On Thu, 15 Sep 2005, Williams, James K wrote: List: full-disclosure Subject: [Full-disclosure] NUL Character Evasion From: ju () heisec ! de Date: 2005-09-13 21:24:42Thank you for the report. Computer Associates is currently investigating the issue (as it relates to CA products). Regards, kwKen, How long until this update hits your product? -Eric -- Eric Wheeler
As initially suspected, from the AV signature perspective, this is not a critical issue until and unless something specific shows up in the wild or is reported to a vendor. The NUL char insertion concept is similar in theory to, for example, K2's classic ADMmutate[1] polymorphic shellcode engine for NIDS evasion, or simply adding NOPs to an executable. Alex and Neel[2] discussed this class of AV vulns at core05 and Blackhat. Regards, kw [1] http://www.ktwo.ca/security.html [2] http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-wheeler.pdf _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- NUL Character Evasion ju (Sep 14)
- Re: NUL Character Evasion Steffen Kluge (Sep 15)
- Re[2]: NUL Character Evasion 3APA3A (Sep 16)
- <Possible follow-ups>
- Re: NUL Character Evasion Williams, James K (Sep 14)
- Re: NUL Character Evasion fd (Sep 15)
- Re: NUL Character Evasion Williams, James K (Sep 16)
- Re: NUL Character Evasion Steffen Kluge (Sep 15)