Bugtraq mailing list archives

Re: [Full-disclosure] Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning


From: Rodrigo Barbosa <rodrigob () suespammers org>
Date: Tue, 15 Mar 2005 14:29:16 -0300


On Tue, Mar 15, 2005 at 05:45:58PM +0100, Dr. Peter Bieringer wrote:
> I STILL FIND IT happy to
> see there are a lot of AV out there that can't scan such a
> file properly to detect a virus.
> 
> The problem must be located in the unzip engine:
> 
> We've created a mixed ZIP now:
> 
> # unzip -l mixed-eicar.zip
> Archive:  mixed-eicar.zip
>  Length     Date   Time    Name
> --------    ----   ----    ----
>      308  03-10-05 12:00   Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK^[[2;25m^[[22;30m^[[3q.txt
>      308  03-10-05 12:00   eicarcom2.zip
> --------                   -------
>      616                   2 files
> 
> 
> BTW: note here that "unzip" displays the escape sequences very properly!
> 
> Available here:
> <ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/mixed-eicar.zip>
> 
> Some AV software detects the virus only in the second part of the ZIP file, so
> it looks like the first one is really skipped and not analysed.

F-Prot seems to detect it correctly:

VIRUS SIGNATURE FILES
SIGN.DEF created 13 March 2005
SIGN2.DEF created 13 March 2005
MACRO.DEF created 11 March 2005

Search: mixed-eicar.zip
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER

/home/rodrigob/tmp/mixed-eicar.zip->Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK^[[2;25m^[[22;30m^[[3q.txt->eicar_c->eicar.com  Infection: EICAR_Test_File
/home/rodrigob/tmp/mixed-eicar.zip->eicarcom2.zip->eicar_com.zip->eicar.com  Infection: EICAR_Test_File

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 7
Infected: 2
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00

-- 
Rodrigo Barbosa <rodrigob () suespammers org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)


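As an added example (not code from this mail, from unzip or from any AV product named above), a small Python audit that walks every ZIP entry, recursing into nested archives the way the F-Prot output shows, renders control characters in entry names in caret notation as unzip does, and flags names that carry them. The sample archive is constructed inline to mimic the mixed-eicar.zip listing; its contents are placeholders, not the EICAR string.

```python
import io
import zipfile

# Constructed sample mimicking the mixed-eicar.zip listing: the first entry
# name carries BEL and ANSI escape sequences, the second is a nested ZIP.
EVIL_NAME = ("Test\x07\x1b[2J\x1b[2;5m\x1b[1;31mHACKER ATTACK"
             "\x1b[2;25m\x1b[22;30m\x1b[3q.txt")

def build_sample_zip() -> bytes:
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("inner.txt", "harmless placeholder, not EICAR")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(EVIL_NAME, "first entry")
        z.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()

def caret_escape(name: str) -> str:
    """Render control characters in caret notation (^G, ^[), as unzip does,
    so the name can be printed or logged without reaching the terminal raw."""
    out = []
    for ch in name:
        code = ord(ch)
        if code < 0x20:
            out.append("^" + chr(code + 0x40))
        elif code == 0x7F:
            out.append("^?")
        else:
            out.append(ch)
    return "".join(out)

def has_control_chars(name: str) -> bool:
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in name)

def audit_zip(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Walk every entry, recursing into nested ZIPs; return (depth,
    escaped_name, flagged) tuples. No entry is skipped because of its name."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            results.append((depth, caret_escape(info.filename),
                            has_control_chars(info.filename)))
            payload = z.read(info)
            if depth < max_depth and zipfile.is_zipfile(io.BytesIO(payload)):
                results.extend(audit_zip(payload, depth + 1, max_depth))
    return results

if __name__ == "__main__":
    for depth, name, flagged in audit_zip(build_sample_zip()):
        print("  " * depth + name + ("  <- control chars" if flagged else ""))
```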