1st issue: Could anyone verify the existence of both vulnerabilities in *Symantec products*, because it seems like Symantec engineers got the *old* broken file that I reported lately and couldn't reproduce the thing. I tried reporting the issue, but the message had a broken EICAR string, so I think the message wasn't delivered! I uploaded a wrong file before and the same old file kept on coming from the server's cache. I was able to transparently extract the broken CRC archive using Download Accelerator Plus (5.3) with just a warning message.

2nd issue: Nope, the zip file wasn't "ACTUALLY" encrypted. Nor was anything else in the archive modified! The archive can be extracted normally by any unzip utility. I did test it with WinRAR 3.2 and with the default zip manager of WinXP (SP2).

3rd issue (NEW): Well, tested with F-Prot, DrWeb, Symantec 8.0 long ago... lately verified it using virustotal.com. If you have a long archive comment in a zip archive, these AVs can't detect a virus embedded in it. Though a friend of mine reported to me that Symantec 8.1 is immune to the bug.

POC: http://www.geocities.com/visitbipin/long_coment.zip

--- Randall M <[EMAIL PROTECTED]> wrote:

> I scanned the file with McAfee 8.0i and it ended up stating that it
> couldn't scan the EICAR.COM file because it was encrypted. Was this
> your intention?
>
> ------------------------------

--- Steve Scholz <[EMAIL PROTECTED]> wrote:

> You are correct; by doing this you are marking the zip file as
> encrypted.
>
> Your option at this time is to turn on the feature "delete encrypted
> compressed files".
>
> Steve Scholz
> Corporate Sales Engineer - North America
> Sybari Software, Inc.
> 631-630-8556 Direct
> 516-903-2464 Mobile
>
> Email: [EMAIL PROTECTED]
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> Subject: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.
>
> In the local file header, if you modify the "general purpose bit flag"
> (7th & 8th byte of a zip archive) with \x2f, i.e. "\", F-Prot,
> Kaspersky, McAfee, Norman, Sybari and Symantec seem to skip the file,
> marking it as clean!!!
> This was discovered during the analysis of "Multiple AV Vendor
> Incorrect CRC32 Bypass Vulnerability."
>
> Quick/rough conclusions were drawn using www.virustotal.com
>
> poc: http://www.geocities.com/visitbipin/gpbf.zip
>
> regards,
> bipin gautam

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
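The three conditions the thread turns on (a general purpose bit flag in the local file header that disagrees with the central directory, a CRC32 that does not match the actual content, and an oversized archive comment) are all visible to anyone who parses the ZIP structures directly instead of trusting a library's summary view. The following is an added example, written for this page and not code from any poster or vendor named above, of a consistency checker a scanning or mail-gateway component could run before deciding an archive is "clean" or "encrypted". The MAX_COMMENT_LEN threshold, the sample archive and the tampering helper used to exercise the checks are constructed for the example.

```python
"""Structural consistency checks for ZIP archives (added example).

Walks the end-of-central-directory record, the central directory and each
local file header with struct, and reports: a general purpose bit flag that
differs between the local header and the central directory (for instance
the encryption bit set only in the local header), a stored CRC32 that does
not match the real content, and an archive comment longer than an assumed
threshold. Sample data and MAX_COMMENT_LEN are assumptions for this example.
"""
import io
import struct
import zipfile
import zlib

LFH_SIG = b"PK\x03\x04"
CD_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
MAX_COMMENT_LEN = 256  # assumed threshold; tune for your environment


def parse_eocd(data):
    """Locate the EOCD record (searched backwards, since the comment follows it)."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no end-of-central-directory record")
    _disk, _cd_disk, _n_here, n_total, cd_size, cd_off, comment_len = \
        struct.unpack_from("<HHHHIIH", data, idx + 4)
    return {"entries": n_total, "cd_size": cd_size, "cd_offset": cd_off,
            "comment_len": comment_len}


def parse_central_directory(data, cd_off, n_entries):
    """Read n_entries central directory headers starting at cd_off."""
    entries, pos = [], cd_off
    for _ in range(n_entries):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        (_vmade, _vneed, flags, method, _mt, _md, crc, csize, usize,
         fn_len, ex_len, cm_len, _disk, _iattr, _eattr, lfh_off) = \
            struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + fn_len].decode("utf-8", "replace")
        entries.append({"name": name, "flags": flags, "method": method, "crc": crc,
                        "csize": csize, "usize": usize, "lfh_offset": lfh_off})
        pos += 46 + fn_len + ex_len + cm_len
    return entries


def check_entry(data, cd):
    """Compare one entry's local file header and content with its central directory record."""
    findings = []
    off = cd["lfh_offset"]
    if data[off:off + 4] != LFH_SIG:
        return ["%s: central directory offset does not point at a local file header" % cd["name"]]
    (_vneed, flags, _method, _mt, _md, crc, _csize, _usize, fn_len, ex_len) = \
        struct.unpack_from("<HHHHHIIIHH", data, off + 4)
    if flags != cd["flags"]:
        findings.append("%s: general purpose bit flag differs (LFH=0x%04x, CD=0x%04x)"
                        % (cd["name"], flags, cd["flags"]))
    if (flags & 1) and not (cd["flags"] & 1):
        findings.append("%s: local header claims encryption but central directory does not"
                        % cd["name"])
    if cd["flags"] & 1:
        findings.append("%s: entry encrypted, content not verifiable" % cd["name"])
        return findings
    start = off + 30 + fn_len + ex_len
    payload = data[start:start + cd["csize"]]
    try:
        if cd["method"] == 0:
            raw = payload                              # stored
        elif cd["method"] == 8:
            raw = zlib.decompress(payload, -15)        # raw deflate, no zlib header
        else:
            findings.append("%s: compression method %d not checked" % (cd["name"], cd["method"]))
            return findings
    except zlib.error as e:
        findings.append("%s: content does not decompress (%s)" % (cd["name"], e))
        return findings
    actual = zlib.crc32(raw) & 0xFFFFFFFF
    # With bit 3 set the local header carries CRC 0 and the real value follows the data
    expected = [cd["crc"]] if flags & 8 else [cd["crc"], crc]
    if any(actual != e for e in expected):
        findings.append("%s: CRC32 mismatch (actual=0x%08x, CD=0x%08x, LFH=0x%08x)"
                        % (cd["name"], actual, cd["crc"], crc))
    return findings


def check_archive(data):
    """Return a list of human-readable findings; an empty list means no inconsistency found."""
    eocd = parse_eocd(data)
    findings = []
    if eocd["comment_len"] > MAX_COMMENT_LEN:
        findings.append("archive comment is %d bytes (threshold %d)"
                        % (eocd["comment_len"], MAX_COMMENT_LEN))
    for cd in parse_central_directory(data, eocd["cd_offset"], eocd["entries"]):
        findings.extend(check_entry(data, cd))
    return findings


def build_sample(comment=b""):
    """Constructed sample: a one-file, stored (uncompressed) archive built with zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hello.txt", "hello, world\n")
        zf.comment = comment
    return buf.getvalue()


def set_lfh_flags(data, value):
    """Constructed helper: overwrite the flag field (bytes 6-7) of the first local header."""
    out = bytearray(data)
    out[6:8] = struct.pack("<H", value)
    return bytes(out)


if __name__ == "__main__":
    for label, sample in [("clean", build_sample()),
                          ("flag tampered", set_lfh_flags(build_sample(), 0x2F2F)),
                          ("long comment", build_sample(b"A" * 1000))]:
        print(label, "->", check_archive(sample) or ["no findings"])
```

The point of checking the local header against the central directory is that extractors and scanners may read different structures: a tool that keys its "encrypted, skip" decision off the local header alone will disagree with one that reads the central directory, which is exactly the gap the thread describes. A gateway that treats any such disagreement, any CRC mismatch and any oversized comment as "unscannable" rather than "clean" closes it without needing a signature for each variant.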
