Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.
From: Bipin Gautam <visitbipin@xxxxxxxxxxx>
Date: 10 Mar 2005 11:26:22 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. 

Affected Product:

AntiVir 6.30.0.5 
AVG 718 
Sybari (Antigen for M$ exchange) 7.5.1314
Symantec 8.0
McAfee 4442
BitDefender 7.0 
 

POC: http://www.geocities.com/visitbipin/happy-crc.zip

Description:
if you create a zip archive with invalid CRC checksum...... some AV skip the 
archive marking it as clean........ by this way, you can bypass antivirus 
gateways and slip in any attachment without scanning the archive. Moreover, 
these days.... software tools automatically repair a *broken* archive.

Useful Reference on zip header: http://www.pkware.com/company/standards/appnote/

regards,
Bipin Gautam
http://www.geocities.com/visitbipin/


Disclaimer: The information in the advisory is believed to be accurate at the 
time of printing based on currently available information. Use of the 
information constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect or consequential loss 
or damage arising from use of, or reliance on this information.

Prev by Date: [Updated][FLSA-2005:2344] Updated php packages fix security issues
Next by Date: XCode 1.5 and distcc 2.x Exploit
Previous by thread: [Updated][FLSA-2005:2344] Updated php packages fix security issues
Next by thread: Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.
Index(es):
- Date
- Thread