Bugtraq
mailing list archives
Re: [Full-disclosure] Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning
From: Rodrigo Barbosa <rodrigob () suespammers org>
Date: Tue, 15 Mar 2005 14:29:16 -0300
On Tue, Mar 15, 2005 at 05:45:58PM +0100, Dr. Peter Bieringer wrote:
> > I STILL FIND IT happy to see there are a lot of AV out there that can't
> > scan such files properly to detect viruses.
>
> The problem must be located in the unzip engine:
>
> We've created a mixed ZIP now:
>
> # unzip -l mixed-eicar.zip
> Archive:  mixed-eicar.zip
>   Length     Date   Time    Name
>  --------    ----   ----    ----
>       308  03-10-05 12:00   Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK^[[2;25m^[[22;30m^[[3q.txt
>       308  03-10-05 12:00   eicarcom2.zip
>  --------                   -------
>       616                   2 files
>
> BTW: note here that "unzip" displays the escape sequences very properly!
>
> Available here:
> <ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/mixed-eicar.zip>
>
> Some AV software detect the virus only in the second part of the ZIP file, so
> it looks like the first one is really skipped and not analysed.
F-Prot seems to detect it correctly:
VIRUS SIGNATURE FILES
SIGN.DEF  created 13 March 2005
SIGN2.DEF created 13 March 2005
MACRO.DEF created 11 March 2005

Search: mixed-eicar.zip
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER

/home/rodrigob/tmp/mixed-eicar.zip->Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK^[[2;25m^[[22;30m^[[3q.txt->eicar_c->eicar.com  Infection: EICAR_Test_File
/home/rodrigob/tmp/mixed-eicar.zip->eicarcom2.zip->eicar_com.zip->eicar.com  Infection: EICAR_Test_File

Results of virus scanning:
Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 7
Infected: 2
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0
Time: 0:00
--
Rodrigo Barbosa <rodrigob () suespammers org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
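As an added example (not code from this thread, from unzip, or from either poster), the Python script below builds a ZIP shaped like the mixed archive discussed above, using constructed placeholder contents instead of the EICAR file, and shows the two defensive steps the discussion calls for: render control characters in member names in caret notation before displaying or logging them (the way unzip does), and descend into every nested archive so the first entry is never silently skipped. The member name, file contents and function names are all constructed for this example.

```python
# Added example, not code from the thread: build a ZIP whose member name carries
# terminal escape sequences, list it with control characters in caret notation
# (as unzip does), and walk every nested archive so no entry is skipped.
# Contents are constructed placeholders, not the EICAR test file.
import io
import zipfile

# Constructed member name: BEL, ESC[2J (clear screen), ESC[1;31m (red text).
TRICKY_NAME = "Test\x07\x1b[2J\x1b[1;31mHACKER ATTACK\x1b[22;30m.txt"

def caret_escape(name: str) -> str:
    """Render control characters as ^X so a logged name cannot drive the terminal."""
    out = []
    for ch in name:
        code = ord(ch)
        if code < 0x20:
            out.append("^" + chr(code + 0x40))  # 0x07 -> ^G, 0x1b -> ^[
        elif code == 0x7F:
            out.append("^?")
        else:
            out.append(ch)
    return "".join(out)

def build_mixed_zip() -> bytes:
    """Construct the outer ZIP: a tricky-named entry followed by a nested ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("inner.txt", b"placeholder payload")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(TRICKY_NAME, b"placeholder payload")
        zf.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()

def walk_entries(data: bytes, prefix: str = "") -> list:
    """Caret-escaped '->' paths for every entry, recursing into nested ZIPs."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + caret_escape(info.filename)
            found.append(path)
            blob = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(blob)):  # descend, never skip
                found.extend(walk_entries(blob, path + "->"))
    return found

if __name__ == "__main__":
    for line in walk_entries(build_mixed_zip()):
        print(line)
```

Running it prints each entry path with ^G and ^[ in place of the raw bytes, so the listing is safe to write to a terminal or a log file.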