Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

More Interscan Viruswall stuff

From: johnlampe () HOTMAIL COM (john lampe)
Date: Tue, 18 Jan 2000 06:17:18 PST

It was posted, Dec 27th, that Interscan Viruswall would allow virus-infected
attachements to pass when an additional "=" was appended to end of Base64
message.  Along a similar vein numbers 1 through 3 below will also allow
virus-infected attachements to pass right
by Interscan Viruswall.
1) adding a "-" to the end of base64 message
2)changing content-type application type in the header Example,
   Content-type: Application/FOO;
   name="whatever.doc"
3) Adding an extra "-" at end of base64 boundary

3 methods above were tested and verified on NT running the latest engine
from Trend Micro, along with the latest patch.  At least one of the methods
above (Number 1) was tested and verified on a Solaris box by Kris Herrin
(the original poster).  3 methods above were chosen *at random* from RFC
2045.  Vendor was notified.  Patch was promised by Wed. of last week.  Trend
Micro patches can be found at
http://www.antivirus.com/download/patches/default.htm . RFC 2045 can be
found at http://www.ietf.org/rfc/rfc2045.txt

John Lampe

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
Previous By Date Next
Previous By Thread Next

Current thread: