Bugtraq mailing list archives
Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning
From: "Dr. Peter Bieringer" <pbieringer () aerasec de>
Date: Tue, 15 Mar 2005 21:24:43 +0100
Hi Michael,

--On Tuesday, March 15, 2005 01:51:55 PM -0600 "Michael J. Pomraning" <mjp-bugtraq () securepipe com> wrote:

> On Mon, 14 Mar 2005, Dr. Peter Bieringer wrote:
>
>> during investigation of Sober.l we got the idea to replace the spaces of a filename contained in the ZIP archive by some escape sequences.
>> [...]
>> Also we found that at least 2 AV scan programs from 2 vendors do not detect the virus inside and report "clean" instead.
>
> I think Sophos passes the test. I find that the underlying API (as exposed by a python wrapper) is able to detect the viruses in all cases. For the command line "sweep" utility, try adding the "-all" switch to your invocation:
>
> $ /usr/local/bin/sweep -ss -archive -all unfiltered-escape-sequences-in-filename-eicar.zip
> >>> Virus 'EICAR-AV-Test' found in file unfiltered-escape-sequences-in-filename-eicar.zip/Test_[2J_[2;5m_[1;31mHACKER ATTACK_[2;25m_[22;30m_[3q.txt/eicar_com.zip/eicar.com
>
> $ md5sum unfiltered-escape-sequences-in-filename-eicar.zip
> 38363004047dc11b206305bd3660d68f  unfiltered-escape-sequences-in-filename-eicar.zip
>
> This is using engine 2.28.4, as in your tests. The constituent filenames are escaped before being displayed, too (sadly excepting ASCII BEL).
Thank you for your investigations, we can confirm this. So using "-all" will solve the problem. I've updated the advisory.

Regards,
Peter

--
Dr. Peter Bieringer                         Phone:    +49-8102-895190
AERAsec Network Services and Security GmbH  Fax:      +49-8102-895199
Wagenberger Straße 1                        Mobile:   +49-174-9015046
D-85662 Hohenbrunn                          E-Mail:   pbieringer () aerasec de
Germany                                     Internet: http://www.aerasec.de
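The two problems the thread discusses, a member name full of terminal escape sequences that reaches a screen or log unescaped, and a scanner that misses the payload nested below such a member, can both be reproduced with a small fixture. The following is an added example, not code from the advisory or from any AV vendor: it builds a ZIP-in-ZIP whose outer member name carries ESC[2J, ESC[1;31m and BEL, shows how to escape control characters before displaying or logging a name, and contrasts a naive engine that opens only members with a fixed extension list (the `SCANNED_EXTENSIONS` tuple is an assumed illustration; the thread does not say why "-all" makes the difference for sweep) with one that examines every member and sniffs archives by content. A harmless marker string stands in for the EICAR test file, so nothing here trips an AV engine.

```python
import io
import re
import zipfile

# Constructed fixture (added example, not from the advisory): the marker below
# stands in for EICAR; the member name contains ESC[2J (clear screen),
# ESC[1;31m (bold red), ESC[0m (reset) and BEL (0x07, terminal bell).
MARKER = b"SAMPLE-SCANNER-SIGNATURE-NOT-A-VIRUS"
EVIL_NAME = "Test_\x1b[2J\x1b[1;31mHACKER ATTACK\x1b[0m\x07.txt"

# Assumed default extension list of a naive engine, for illustration only.
SCANNED_EXTENSIONS = (".exe", ".com", ".zip")


def build_nested_zip() -> bytes:
    """Outer ZIP -> member EVIL_NAME -> inner ZIP -> marker.com (the payload)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("marker.com", MARKER)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(EVIL_NAME, inner.getvalue())
    return outer.getvalue()


# C0 controls, DEL and C1 controls must all be escaped before a name reaches a
# terminal or a log file; 0x1b (ESC) is the byte that starts ANSI sequences,
# and 0x07 (BEL) is the one the thread notes sweep still lets through.
_CTRL = re.compile(r"[\x00-\x1f\x7f\x80-\x9f]")


def safe_name(name: str) -> str:
    """Render a member name so it cannot steer a terminal or forge log lines."""
    return _CTRL.sub(lambda m: "\\x%02x" % ord(m.group(0)), name)


def list_members(data: bytes) -> list:
    """Member names as they should be displayed or logged."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return [safe_name(info.filename) for info in z.infolist()]


def _scan_leaf(data: bytes, path: str) -> list:
    # Stand-in for signature matching on a non-archive member.
    return [path] if MARKER in data else []


def scan_by_extension(data: bytes, path: str = "") -> list:
    """Naive engine: only members whose (raw) name ends in a listed extension
    are opened at all, so the nested ZIP behind the ".txt" name is never seen."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            child = f"{path}/{safe_name(info.filename)}"
            if not info.filename.lower().endswith(SCANNED_EXTENSIONS):
                continue
            member = z.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                hits.extend(scan_by_extension(member, child))
            else:
                hits.extend(_scan_leaf(member, child))
    return hits


def scan_all(data: bytes, path: str = "", depth: int = 0, max_depth: int = 8) -> list:
    """Examine every member regardless of name (the effect of sweep's "-all"
    as the thread describes it), detect archives by content rather than by
    extension, and bound the recursion so a nested bomb cannot run away."""
    if depth > max_depth:
        return [f"{path} (nested deeper than {max_depth}, treated as suspicious)"]
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            child = f"{path}/{safe_name(info.filename)}"
            member = z.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                hits.extend(scan_all(member, child, depth + 1, max_depth))
            else:
                hits.extend(_scan_leaf(member, child))
    return hits


if __name__ == "__main__":
    sample = build_nested_zip()
    print("members :", list_members(sample))   # escaped, safe to print
    print("by ext  :", scan_by_extension(sample))
    print("all     :", scan_all(sample))
```

Running the script prints the member name with every control byte rendered as `\xNN`, an empty result for the extension-driven scan, and one hit for the exhaustive scan at the escaped path ending in `/marker.com`. The logging rule is the part to carry into your own tools: whatever the scanner decides, any name taken from an archive is attacker-controlled input and should go through something like `safe_name()` before it is written anywhere a terminal or log viewer will interpret it.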
Current thread:
- Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning Dr. Peter Bieringer (Mar 14)
- Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning Dr. Peter Bieringer (Mar 15)
- <Possible follow-ups>
- Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning Thierry Zoller (Mar 15)