Full Disclosure mailing list archives

RE: Re: Av issues
From: "Sean Crawford" <sean01 () accnet com au>
Date: Thu, 17 Mar 2005 02:47:48 +1100

--->In reply to what bipin gautam wrote..

I'm starting to think the only problem is you bipin....

Run your 'disclosure' through http://virusscan.jotti.org/ as already stated
before and repost your findings bipin.
It's not as bad as you wish mate.
Sean
   :-|


--->bipin gautam wrote..
---> Sent: Thursday, 17 March 2005 2:01 AM
---> To: full-disclosure () lists grok org uk
---> Cc: vuln () secunia com; bugtraq () securityfocus com
---> Subject: [Full-disclosure] Re: Av issues
--->
--->
---> There has been a lot of noise and confusion regarding
---> all the issues reported lately... So, let me sum them
---> up.
---> _______________________________________________________________
---> ____________________
---> Multiple Vendor Antivirus Products Malformed ZIP
---> Attachment Scan Evasion Vulnerability
--->
---> Affected Product:
---> mks_vir
---> BitDefender 7.0
---> AntiVir
---> DrWeb 4.32b
---> eTrust-Iris 7.1.194.0
---> Fortinet 2.51
---> eTrust-Vet 11.7.0.0
---> McAfee 4445
---> Norman 5.70.10
---> Sybari 7.5.1314
---> Symantec 8.0
---> F-Prot 3.16a
---> Kaspersky
---> McAfee 4445
---> ( Updated March 16, 2005 6:00 GMT )
---> Mitigation:
---> For the time being, set filter rules in your AV/email
---> gateway to filter out archives embedded with
---> executables (exe, com, pif, scr, cpl etc). Block all
---> types of broken archives and archives with passwords in them.
--->
---> Description:
---> 1). If you create a zip archive with an invalid CRC
---> checksum, some AV skip the archive, marking it as
---> clean. This way, you can bypass antivirus
---> gateways and slip in any attachment without scanning
---> the archive. Moreover, these days software tools
---> automatically repair a *broken* archive.
---> POC http://www.geocities.com/visitbipin/crc.zip
---> 2). In the local file header, if you modify the "general
---> purpose bit flag" (7th & 8th bytes of a zip archive)
---> with \x2f i.e. "\", some AV skip the file, marking it as
---> clean, because the AV comes to the false assumption that
---> the zip file is encrypted. This was discovered during the
---> analysis of "Multiple AV Vendor Incorrect CRC32 Bypass
---> Vulnerability."
--->
---> poc: http://www.geocities.com/visitbipin/gpbf.zip
--->
---> 3). If you have a long archive comment in a zip
---> archive, these AV can't detect a virus embedded in it. I
---> came to know Symantec 8.1 is immune to the bug?
---> POC:
---> http://www.geocities.com/visitbipin/long_coment.zip
--->
---> 4). In the "local file header" & "data descriptor", if
---> you change the compressed size and uncompressed size
---> to greater than the actual file size, there are many AV
---> that can't scan the file properly.
--->
---> P0C: http://www.geocities.com/visitbipin/Antigen.zip
---> <--- try
--->
---> Moreover, there are unzip utilities that go into a loop
---> if the file size is changed to ffffffff! Let's hope
---> less popular AV/Trojan scanners out there don't have
---> such faulty code!
---> Unzip utilities will successfully extract such an archive
---> with some garbage data (\x00) at the end, "255 bytes"
---> (FORGE the CRC right first). The garbage data doesn't
---> matter *that* much because any malicious code can execute
---> without any problem with the garbage at its end. This
---> will successfully bypass AV detection even for known
---> malicious code, "MOST OF THE TIME", if the AV detects
---> "SOME" executable by comparing its total checksum
---> instead of analyzing a particular chunk of code in the
---> code's body. I think it's true for some of those old
---> little (few bytes) viruses. But modern AV engines in
---> most cases don't depend on such a primitive technique to
---> detect a virus, so it shouldn't be "that" big an issue.
---> 5). Another, 5th issue... and I'm feeling lazy to
---> type/describe it now. Have a look at
---> http://www.securityfocus.com/archive/1/393291
---> Be noted,
---> http://www.geocities.com/visitbipin/test_nav.zip
---> ...contains a self-extracting archive that will
---> extract the POC named
---> *.eicar.zip. It is better to extract it from the
---> exe archive as there are some AV out there that can't
---> even scan an infected file embedded in a self-
---> extracting zip archive! (O;
--->
--->
---> Names of vulnerable products were gathered from
---> feedback on the Full-disclosure mailing list and some
---> private discussion with others and are believed to be
---> true. You can run the file through
---> www.virustotal.com, http://virusscan.jotti.org/
---> or http://sandbox.norman.no/live_4.html and you'll
---> know what I'm talking about. Though I understand
---> they might be using the CLI engine in most cases (if
---> not all), while there are other functionalities in a
---> full AV package that are not in the CLI-based engine.
---> Thanks, "Pedro Bustamante", for reminding me.
---> Another interesting link is
---> http://www.aerasec.de/security/index.html?id=ae-200503-020&lang=en
---> Dr. Peter Bieringer's advisory.
---> Useful Reference:
---> http://www.pkware.com/company/standards/appnote/
--->
---> regards,
---> Bipin Gautam
---> http://www.geocities.com/visitbipin/
--->
--->
---> Disclaimer: The information in the advisory is
---> believed to be accurate at the time of printing based
---> on currently available information. Use of the
---> information constitutes acceptance for use in an AS IS
---> condition. There are no warranties with regard to this
---> information. Neither the author nor the publisher
---> accepts any liability for any direct, indirect or
---> consequential loss or damage arising from use of, or
---> reliance on this information.
--->
--->
--->
--->

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
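The mitigation Bipin's summary recommends for a gateway is to block broken archives and password-protected archives outright instead of letting an engine that cannot parse them report "clean". The script below is an added example of that fail-closed check, written for this page; it is not code from Bipin, from Sean, or from any of the AV vendors named. It walks the ZIP central directory from the PKWARE appnote layout, re-validates each member against both its local header and its central directory entry (CRC, sizes, encryption bit, trailing bytes after the deflate stream, an oversized archive comment) and returns a list of findings; any finding means "block". The 1024-byte comment threshold is an assumed policy value, ffffffff size fields are refused rather than interpreted as ZIP64, and the fixture helpers construct a small well-formed archive and patch single header fields so the checks can be exercised offline.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
MAX_COMMENT = 1024          # assumed policy threshold for archive comments
ZIP64_MARKER = 0xFFFFFFFF   # ffffffff size fields are refused, not parsed


def audit_zip(data: bytes) -> list:
    """Structurally validate a ZIP; return findings (each starts with a code).

    An empty list means every member inflated and its CRC/sizes matched
    both the local header and the central directory entry.
    """
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) - eocd < 22:
        return ["bad-eocd: no usable end-of-central-directory record"]
    # EOCD: disk, cd disk, entries here, entries total, cd size, cd offset, comment len
    _, _, _, n_total, _, cd_off, comment_len = struct.unpack(
        "<4xHHHHIIH", data[eocd:eocd + 22])
    if comment_len > MAX_COMMENT:
        findings.append(f"long-comment: archive comment is {comment_len} bytes")
    if eocd + 22 + comment_len != len(data):
        findings.append("trailing-bytes: data beyond the EOCD record and comment")

    pos = cd_off
    for _ in range(n_total):
        if len(data) - pos < 46 or data[pos:pos + 4] != CENTRAL_SIG:
            findings.append(f"bad-signature: no central header at offset {pos}")
            break
        # sig, ver made, ver needed, flags, method, time, date, crc, csize, usize,
        # name len, extra len, comment len, disk, int attr, ext attr, local hdr offset
        (_, _, _, c_flags, c_method, _, _, c_crc, c_csize, c_usize,
         nlen, elen, clen, _, _, _, lho) = struct.unpack(
            "<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + elen + clen
        findings.extend(_audit_member(data, name, c_flags, c_method,
                                      c_crc, c_csize, c_usize, lho))
    return findings


def _audit_member(data, name, c_flags, c_method, c_crc, c_csize, c_usize, lho):
    out = []
    if len(data) - lho < 30 or data[lho:lho + 4] != LOCAL_SIG:
        return [f"bad-signature: {name}: no local header at offset {lho}"]
    # sig, version, flags, method, time, date, crc, csize, usize, name len, extra len
    (_, _, l_flags, _, _, _, l_crc, l_csize, l_usize,
     nlen, elen) = struct.unpack("<4sHHHHHIIIHH", data[lho:lho + 30])
    flags = l_flags | c_flags
    if flags & 0x1:           # general purpose bit 0: content is encrypted
        return [f"encrypted: {name}: cannot be inspected, block per policy"]
    if ZIP64_MARKER in (l_csize, l_usize, c_csize, c_usize):
        return [f"size-marker: {name}: size field is 0xFFFFFFFF, refused"]
    has_descriptor = bool(flags & 0x8)   # bit 3: sizes/CRC follow the data
    if not has_descriptor and (l_csize, l_usize, l_crc) != (c_csize, c_usize, c_crc):
        out.append(f"header-mismatch: {name}: local and central headers disagree")
    start = lho + 30 + nlen + elen
    for label, size in (("local", l_csize), ("central", c_csize)):
        if (label == "central" or not has_descriptor) and start + size > len(data):
            out.append(f"size-overrun: {name}: {label} compressed size runs past archive end")
    if any(f.startswith("size-overrun") for f in out):
        return out
    blob = data[start:start + c_csize]
    try:
        if c_method == 0:                     # stored
            plain, leftover = blob, b""
        elif c_method == 8:                   # deflate, raw stream
            d = zlib.decompressobj(-15)
            plain = d.decompress(blob) + d.flush()
            if not d.eof:
                raise zlib.error("deflate stream did not terminate")
            leftover = d.unused_data
        else:
            return out + [f"unknown-method: {name}: compression method {c_method}"]
    except zlib.error as exc:
        return out + [f"decompress-error: {name}: {exc}"]
    if leftover:
        out.append(f"trailing-data: {name}: {len(leftover)} bytes after compressed stream")
    if len(plain) != c_usize:
        out.append(f"size-mismatch: {name}: inflated {len(plain)} bytes, header says {c_usize}")
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    if crc != c_crc or (not has_descriptor and crc != l_crc):
        out.append(f"crc-mismatch: {name}: stored CRC does not match content")
    return out


def verdict(data: bytes) -> str:
    """Gateway policy: anything that does not parse cleanly is blocked."""
    return "block" if audit_zip(data) else "scan"


def make_zip(name: str, payload: bytes, comment: bytes = b"") -> bytes:
    """Constructed test fixture: a well-formed single-member archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
        zf.comment = comment
    return buf.getvalue()


def patch_local_header(archive: bytes, offset: int, fmt: str, value: int) -> bytes:
    """Constructed test fixture: overwrite one field of the first local header."""
    size = struct.calcsize(fmt)
    return archive[:offset] + struct.pack(fmt, value) + archive[offset + size:]


if __name__ == "__main__":
    good = make_zip("hello.txt", b"hello world, a harmless constructed payload")
    print(verdict(good), audit_zip(good))
    print(verdict(patch_local_header(good, 14, "<I", 0)),
          audit_zip(patch_local_header(good, 14, "<I", 0)))
```

Field offsets used by the fixtures follow the local file header layout in the PKWARE appnote (CRC at byte 14, compressed size at 18, general purpose bit flag at 6). In a real gateway the audit runs before the content scanner, and a non-empty findings list quarantines the attachment rather than handing it to an engine that may silently skip it.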

