[Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.

From: bipin gautam (visitbipin_at_yahoo.com)
Date: 03/11/05

    Date: Fri, 11 Mar 2005 07:55:28 -0800 (PST)
    To: full-disclosure@lists.grok.org.uk
    
    

    In Local file header if you modify "general purpose
    bit flag" 7th & 8th byte of a zip archive with \x2f
    ie: "\" F-Prot, Kaspersky, McAfee, Norman, Sybari,
    Symantec seem to skip the file marking it as clean!!!
    This was discovered during the analysis of "Multiple AV
    Vendor Incorrect CRC32 Bypass Vulnerability."

    Quick/rough conclusions were drawn using
    www.virustotal.com

    poc: http://www.geocities.com/visitbipin/gpbf.zip

    regards,
    bipin gautam
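
A scanner-side consistency check for the field discussed in the message above, as an added example that is not part of the original post or any vendor's code. It compares each entry's local-header general purpose bit flag (the 7th and 8th bytes) with the copy in the central directory and fails closed on disagreement; the sample archive, the function names and the choice to overwrite only the low byte are assumptions made here.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"

def build_sample(flag_low_byte=None):
    """Constructed one-entry archive; optionally overwrite the 7th byte
    (low byte of the local header's general purpose bit flag)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample.txt", b"constructed test data")
    data = bytearray(buf.getvalue())
    if flag_low_byte is not None:
        data[6] = flag_low_byte  # the only local header starts at offset 0
    return bytes(data)

def audit_flags(data):
    """Return (name, local_flags, central_flags, reasons) per inconsistent entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = []
            try:
                sig, _ver, local = struct.unpack_from("<4sHH", data, info.header_offset)
            except struct.error:
                sig, local = b"", None
            if sig != LOCAL_SIG:
                reasons.append("no local file header at recorded offset")
            elif local != info.flag_bits:
                reasons.append("flag differs from central directory")
                if (local ^ info.flag_bits) & 0x0001:
                    reasons.append("encryption bit disagrees")
            if reasons:
                findings.append((info.filename, local, info.flag_bits, reasons))
    return findings

def verdict(data):
    """Fail closed: an entry the scanner cannot trust is never reported clean."""
    return "suspicious" if audit_flags(data) else "continue-scanning"

if __name__ == "__main__":
    for label, blob in (("untouched", build_sample()), ("flag=0x2f", build_sample(0x2F))):
        print(label, verdict(blob), audit_flags(blob))
```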

                    
    __________________________________
    Do you Yahoo!?
    Yahoo! Small Business - Try our new resources site!
    http://smallbusiness.yahoo.com/resources/
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://www.secunia.com/

