<<< Date Index >>>     <<< Thread Index >>>

Re: [Full-disclosure] Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning



On Tue, 15 Mar 2005 at 22:07:06 -0300, Rodrigo Barbosa wrote:
> On Tue, Mar 15, 2005 at 09:06:05PM +0000, Nigel Horne wrote:
> > > > # unzip -l mixed-eicar.zip
> > > > Archive:  mixed-eicar.zip
> > > >  Length     Date   Time    Name
> > > > --------    ----   ----    ----
> > > >      308  03-10-05 12:00   Test^G^[[2J^[[2;5m^[[1;31mHACKER
> > > > ATTACK^[[2;25m^[[22;30m^[[3q.txt
> > > >      308  03-10-05 12:00   eicarcom2.zip
> > > > --------                   -------
> > > >      616                   2 files
> > > 
> > > F-Prot seems to detect it correctly:
> > 
> > As does clamAV:
> > [njh@njh tmp]$ clamscan mixed-eicar.zip
> > mixed-eicar.zip: Eicar-Test-Signature FOUND
> > 
> > Scanned files: 1
> > Infected files: 1
> 
> Actually, no. There were 2 infected files in there. ClamAV only found 1.
> 
> - -- 
> Rodrigo Barbosa <rodrigob@xxxxxxxxxxxxxxx>

It's a feature. It's documented, e.g.:
http://www.clamav.net/doc/latest/html/node28.html

  "In case of archives the scanner depends on libclamav
   and only prints the first virus found within an archive".

Scanning the rest of files in the archive when it's already known that
it contains at least one infected file is usually just waste of
resources. Of course it's possible to force clamscan to do it, but it's
not a default way. See the URL above.

Also, the number shown in "Scanned files:" means the number of files
scanned directly (in this example: the archive itself), not the number
of files present inside the archive. 

As a proof that ClamAV successfully detects the Eicar signature in
zipped file with escape sequences in the filename, you can delete the
eicarcom2.zip from the archive and scan the archive again:

$ unzip -l mixed-eicar.zip
Archive:  mixed-eicar.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
      308  03-10-05 12:00   Test^G^[[2J^[[2;5m^[[1;31mHACKER
ATTACK^[[2;25m^[[22;30m^[[3q.txt
 --------                   -------
      308                   1 file

$ clamscan mixed-eicar.zip
mixed-eicar.zip: Eicar-Test-Signature FOUND

P.S.
I'm not subscribed to full-disclosure, so please Cc: me in case the
thread continues on full-disclosure.

-- 
 Tomasz Papszun    SysAdm @ TP S.A. Lodz, Poland    | And it's only
 tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 tomek at clamav.net   http://www.ClamAV.net/   A GPL virus scanner