|
Full Disclosure
mailing list archives
Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning
From: "Michael J. Pomraning" <mjp-bugtraq () securepipe com>
Date: Tue, 15 Mar 2005 13:51:55 -0600 (CST)
On Mon, 14 Mar 2005, Dr. Peter Bieringer wrote:
during investigation of Sober.l we got the idea to replace the spaces of a
filename contained in the ZIP archive by some escape sequences.
[...]
Also we found that at least 2 AV scan programs from 2 vendors do not detect
the virus inside and report "clean" instead.
I think Sophos passes the test. I find that the underlying API (as exposed
by a python wrapper) is able to detect the viruses in all cases. For the
command line "sweep" utility, try adding the "-all" switch to your
invocation:
$ /usr/local/bin/sweep -ss -archive -all unfiltered-escape-sequences-in-filename-eicar.zip
>>> Virus 'EICAR-AV-Test' found in file
unfiltered-escape-sequences-in-filename-eicar.zip/Test_[2J_[2;5m_[1;31mHACKER
ATTACK_[2;25m_[22;30m_[3q.txt/eicar_com.zip/eicar.com
$ md5sum unfiltered-escape-sequences-in-filename-eicar.zip
38363004047dc11b206305bd3660d68f unfiltered-escape-sequences-in-filename-eicar.zip
This is using engine 2.28.4, as in your tests. The consituent filenames are
escaped before being displayed, too (sadly excepting ASCII BEL).
Regards,
Mike
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
 By Date 
By Thread
Current thread:
|
Intro
