--On Tuesday, 15 March 2005 08:34 -0800 bipin gautam <visitbipin@xxxxxxxxx> wrote:
I STILL FIND IT happy to see there are a lot of AV out there that can't scan such file properly to detect virus.
The problem must be located in the unzip engine:
We've created a mixed ZIP now:
    # unzip -l mixed-eicar.zip
    Archive:  mixed-eicar.zip
      Length     Date   Time    Name
     --------    ----   ----    ----
          308  03-10-05 12:00   Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK^[[2;25m^[[22;30m^[[3q.txt
          308  03-10-05 12:00   eicarcom2.zip
     --------                   -------
          616                   2 files
BTW: note here that "unzip" displays the escape sequences very properly!
Available here: <ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/mixed-eicar.zip>
Some AV software detects the virus only in the second part of the ZIP file, so it looks like the first one is really skipped and not analysed.

        Peter
-- 
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Strasse 1                          Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer@xxxxxxxxxx
Germany                                Internet: http://www.aerasec.de
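The listing above shows raw escape sequences in a member name, and the concern is that a scanner may skip such an entry. The following is an added example, not part of the original post or of any AERAsec tool: a Python sketch that enumerates every member of an archive, renders control characters in caret notation before display, and flags the affected names. The sample archive is constructed in memory with harmless placeholder contents, and the function names are hypothetical.

```python
import io
import zipfile

def caret(name: str) -> str:
    """Render control characters in caret notation (ESC -> ^[, BEL -> ^G)."""
    out = []
    for ch in name:
        cp = ord(ch)
        if cp < 0x20:
            out.append("^" + chr(cp + 0x40))
        elif cp == 0x7F:
            out.append("^?")
        elif 0x80 <= cp <= 0x9F:  # C1 controls, e.g. single-character CSI
            out.append(f"\\x{cp:02x}")
        else:
            out.append(ch)
    return "".join(out)

def audit_zip(data: bytes):
    """Visit every member; return (display_name, has_control_chars, size)."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # no member is skipped because of its name
            shown = caret(info.filename)
            report.append((shown, shown != info.filename, info.file_size))
    return report

def build_sample() -> bytes:
    """Constructed sample: two members, placeholder data, no test virus."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Shortened form of the first name in the listing above.
        zf.writestr("Test\x07\x1b[2J\x1b[1;31mHACKER ATTACK.txt", b"placeholder")
        zf.writestr("eicarcom2.zip", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for shown, flagged, size in audit_zip(build_sample()):
        print(f"{size:9d}  {'CTRL' if flagged else 'ok  '}  {shown}")
```

Both members are reported, and only the sanitized form of the name ever reaches the terminal or a log file.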