Bugtraq mailing list archives
Re: [Full-disclosure] Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning
From: bipin gautam <visitbipin () yahoo com>
Date: Tue, 15 Mar 2005 08:43:24 -0800 (PST)
Dr. Peter,

My rants regarding a similar issue date back to Mar 05, 2004. There were some other issues in the NAV product that I tried contacting SYMANTEC about in 2003 (I guess). Symantec discarded this issue.
http://www.securityfocus.com/archive/1/357065
So did they with the latest advisory!!!
http://www.geocities.com/visitbipin/nav_bugs.html
http://www.securityfocus.com/bid/9811
http://www.geocities.com/visitbipin/test_nav.zip
The exe file in there will create the POC. In there you will find a file named "eicar_com ♫ .☺☻♥♦♣♠◘ ↔▲§ .com .zip".

I STILL FIND IT strange to see there are a "lot of AV" out there that can't scan such a file properly to detect a virus. I tested my OLD POC with NAV 2004 professional edition, and found NAV 2004 is still vulnerable!!!!! Not only 2002, back then.

Such issues discourage you from responsible disclosure/vendor notification etc. AND Symantec is the one and only cause that pushes me away from responsible disclosure. INDEED since then IT has always been FUN TO KICK THEIR BALLS AND POKE THEIR BABY, time and again...... I guess companies should learn how to treat people who write to them. For this, I've always admired Microsoft. (O; (no flames)

-bipin

--- bipin gautam <visitbipin () yahoo com> wrote:
NICE FIND. (O; But hey, that's something quite similar to my old advisory: http://www.securityfocus.com/bid/9811/discussion/

Norton AntiVirus 2002 ASCII Control Character Denial Of Service Vulnerability

Norton AntiVirus 2002 has been reported to crash when performing manual scans on files contained in certain folders. This is related to how the software handles ASCII control characters (represented by decimal values in the range of 1-31). Although unconfirmed, this issue may allow a malicious file to go un-scanned, and so lead a user into a false sense of security.

-bipin

--- "Dr. Peter Bieringer" <pbieringer () aerasec de> wrote:
Hello,

during investigation of Sober.l we got the idea to replace the spaces of a filename contained in the ZIP archive by some escape sequences. Much AV software logs such filenames during decompressing, so after creating such a regular ZIP archive (by using the Perl Archive::Zip module, no other tweaks!) we've found that some of the tested products do not filter or replace the escape sequences, which leads to funny results when displaying the output of the AV scanner or viewing the log.

Also we found that at least 2 AV scan programs from 2 vendors do not detect the virus inside and report "clean" instead.

See here for more details:
<ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/unfiltered-escape-sequences.txt>
<http://www.aerasec.de/security/index.html?id=ae-200503-020&lang=en>
We provide also samples and the Perl program for creating the samples:
<ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/>
Due to lack of time we only tested a few products, so if anyone can provide results for other products, please send them (also) to us.

Thank you!

Regards,
Dr. Peter Bieringer
--