Bugtraq mailing list archives

Re: Esafe Protect Gateway (CVP) does not scan virus under some
From: jason.brvenik () USDOJ GOV (Jason Brvenik)
Date: Fri, 24 Mar 2000 10:35:17 -0500


Just to add a little here to remind how easy it is to do simple trickery.

"Hugo.van.der.Kooij () CAIW NL" wrote:

[snip]



The overall message you are sending is that we should be confident that any
file passed through uninspected can't be harmful in any way. However my
customers don't agree and find this unacceptable and so do I.

A traditionally safe file would be a .pdf or .movie, remember that NT will
execute any executable regardless of the extension if it is invoked through
the start command.

Simple situation,
I provide a supposed link to a .movie file which is actually an executable
with an embedded .avi (could be any nonstandard non executable file type
.movie just works well) for download. The web server presents this as
video/x-sgi-movie for the mime type. The user saves it to disk and follows
the brief instruction for playing it by doing a start/run "start [download
path]\test.movie". The trojaned file looks like a movie playing and exits but
has delivered its payload in the interim.

Demo:
copy notepad.exe to %TEMP%\test.movie
do a start/run
type in "start [tmpdir]\test.movie"
you now have notepad up on the screen.



The purpose of the BugTraq mailing list is to inform people of known
problems and if possible of solutions or at least of workarounds.
Unfortunately there is no usable workaround.

My customers don't just expect that they will not be harmed by a virus but
that a maximum effort is done to prevent any harmful activities. At
present ESP does not live up to that expectation because someone made a
choice that they find an unacceptable security breach.

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij () caiw nl        http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Use of any of my email addresses for unsolicited (commercial)
    email is a clear intrusion of my privacy and illegal!
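
A content-based check for the case raised in this thread, as an added example that is not part of the original posts or of any product discussed: it classifies a download by its PE header instead of by the file name or the MIME type the server declared. The extension and MIME lists, the verdict strings and the sample byte strings are assumptions constructed for the illustration.

```python
import struct

# Assumed policy lists for this example; a real gateway would have its own.
EXEC_EXT = (".exe", ".dll", ".scr", ".com")
EXEC_MIME = {"application/x-msdownload", "application/vnd.microsoft.portable-executable"}

def is_pe_executable(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew: little-endian offset of the PE signature, stored at 0x3C.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # An out-of-range offset yields a short slice, so the comparison fails safely.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def gateway_verdict(filename: str, declared_mime: str, body: bytes) -> str:
    """Classify by content; name and Content-Type only decide whether it is disguised."""
    if not is_pe_executable(body):
        return "not-executable"          # continue with normal handling for the type
    honest = filename.lower().endswith(EXEC_EXT) and declared_mime in EXEC_MIME
    return "scan-as-executable" if honest else "block-disguised-executable"

def make_sample_pe() -> bytes:
    """Constructed minimal header: MZ stub, e_lfanew = 0x80, PE signature. Not a runnable program."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)
    return dos.ljust(0x80, b"\x00") + b"PE\x00\x00" + b"\x00" * 20

# Constructed RIFF/AVI-style header standing in for a genuine media file.
SAMPLE_AVI = b"RIFF" + struct.pack("<I", 64) + b"AVI LIST" + b"\x00" * 56
SAMPLE_PE = make_sample_pe()

if __name__ == "__main__":
    for name, mime, body in [
        ("test.movie", "video/x-sgi-movie", SAMPLE_PE),
        ("setup.exe", "application/x-msdownload", SAMPLE_PE),
        ("clip.avi", "video/x-msvideo", SAMPLE_AVI),
    ]:
        print(f"{name:12} {mime:28} -> {gateway_verdict(name, mime, body)}")
```

A DOS-only program with an MZ header but no PE signature is reported as not-executable here; covering it needs an additional rule.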

