Full Disclosure mailing list archives
Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning
From: "Dr. Peter Bieringer" <pbieringer () aerasec de>
Date: Wed, 16 Mar 2005 10:48:45 +0100
--On Tuesday, 15 March 2005 13:51 -0600 "Michael J. Pomraning" <mjp-bugtraq () securepipe com> wrote:
> $ /usr/local/bin/sweep -ss -archive -all unfiltered-escape-sequences-in-filename-eicar.zip
> >>> Virus 'EICAR-AV-Test' found in file unfiltered-escape-sequences-in-filename-eicar.zip/Test_[2J_[2;5m_[1;31mHA CKER ATTACK_[2;25m_[22;30m_[3q.txt/eicar_com.zip/eicar.com
>
> $ md5sum unfiltered-escape-sequences-in-filename-eicar.zip
> 38363004047dc11b206305bd3660d68f  unfiltered-escape-sequences-in-filename-eicar.zip
>
> This is using engine 2.28.4, as in your tests. The constituent filenames are escaped before being displayed, too (sadly excepting ASCII BEL).
ASCII BS is not escaped either. We've created an additional ZIP file for testing, available here:

<ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/mixed2-eicar.zip>

$ unzip -l mixed2-eicar.zip
Archive:  mixed2-eicar.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
      308  03-10-05 12:00   eicarcom2.zip^H^H^Htxt
      308  03-10-05 12:00   eicarcom2.zip
 --------                   -------
      616

$ /usr/local/bin/sweep -sc -nc -ss -archive -all mixed2-eicar.zip
Virus 'EICAR-AV-Test' found in file mixed2-eicar.zip/eicarcom2.txt/eicar_com.zip/eicar.com
Virus 'EICAR-AV-Test' found in file mixed2-eicar.zip/eicarcom2.zip/eicar_com.zip/eicar.com
Note the difference: eicarcom2.txt <-> eicarcom2.zip

Regards,
Peter

--
Dr. Peter Bieringer                         Phone:    +49-8102-895190
AERAsec Network Services and Security GmbH  Fax:      +49-8102-895199
Wagenberger Strasse 1                       Mobile:   +49-174-9015046
D-85662 Hohenbrunn                          E-Mail:   pbieringer () aerasec de
Germany                                     Internet: http://www.aerasec.de

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
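As an added illustration (not part of the thread, and not code from the scanner discussed): a small Python audit of ZIP member names that makes every control character visible in log output, BEL and BS included, and flags entries whose approximate terminal rendering differs from the stored name, the eicarcom2.txt / eicarcom2.zip mismatch pointed out above. The archive it builds is constructed to mimic the two test files from the thread (placeholder contents, not EICAR); the helper names are mine.

```python
import io
import zipfile

def build_sample_zip() -> bytes:
    """Constructed archive mimicking the thread's two cases (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Test_\x1b[2J_\x1b[2;5m_\x1b[1;31mHACKER ATTACK_"
                    "\x1b[2;25m_\x1b[22;30m_\x1b[3q.txt", b"placeholder")
        zf.writestr("eicarcom2.zip\x08\x08\x08txt", b"placeholder")  # shows as .txt
        zf.writestr("eicarcom2.zip", b"placeholder")
    return buf.getvalue()

def escape_for_log(name: str) -> str:
    """Make every C0 control (BEL and BS included), DEL and C1 byte visible."""
    out = []
    for c in name:
        o = ord(c)
        if o < 0x20:
            out.append("^" + chr(o + 0x40))  # \x1b -> ^[, \x08 -> ^H, \x07 -> ^G
        elif o == 0x7f or 0x80 <= o < 0xa0:
            out.append("\\x%02x" % o)
        else:
            out.append(c)
    return "".join(out)

def terminal_rendering(name: str) -> str:
    """Approximate a terminal: consume CSI sequences, treat BS as cursor-left, drop other controls."""
    line, pos, i = [], 0, 0
    while i < len(name):
        c = name[i]
        if c == "\x1b" and name[i + 1:i + 2] == "[":   # ESC [ <params> <final byte>
            i += 2
            while i < len(name) and not 0x40 <= ord(name[i]) <= 0x7e:
                i += 1
        elif c == "\x08":
            pos = max(0, pos - 1)
        elif ord(c) >= 0x20:
            line[pos:pos + 1] = [c]   # overwrite the cell, or append at the end
            pos += 1
        i += 1
    return "".join(line)

def audit_zip(data: bytes) -> list:
    """Per member: (escaped raw name, rendered name, True if the two disagree)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]
    return [(escape_for_log(n), terminal_rendering(n), terminal_rendering(n) != n) for n in names]
```

The escaped form of the second member comes out as `eicarcom2.zip^H^H^Htxt`, which is what `unzip -l` printed above, while the rendered form is `eicarcom2.txt`, which is what the scanner logged.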