On Wed, 17 Mar 2004, 21:16 GMT-08 John D. Hardin wrote:
> Apparently there's a way to obfuscate filenames in ZIP files. I need
> to look into it in some more detail, but the symptom is the ZIP index
> (unzip -l and unzip -v) reports a different filename than is actually
> decrypted.
Could you please post the output of such an example zip file? Like:

[root@ns EZIP]# unzip -l 20040315_uysmlujbrcjwpcpgdhp@anet.at_TextFile.zip
Archive:  20040315_uysmlujbrcjwpcpgdhp@anet.at_TextFile.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
    12288  03-15-04 07:24   brbnoe.exe
 --------                   -------
    12288                   1 file

[root@ns EZIP]# unzip -v 20040315_uysmlujbrcjwpcpgdhp@anet.at_TextFile.zip
Archive:  20040315_uysmlujbrcjwpcpgdhp@anet.at_TextFile.zip
 Length   Method    Size  Ratio   Date   Time   CRC-32    Name
--------  ------  ------- -----   ----   ----   ------    ----
   12288  Stored    12288   0%  03-15-04 07:24  5142e29f  brbnoe.exe
--------          -------  ---                            -------
   12288            12288   0%                            1 file

[root@ns EZIP]# unzip -t 20040315_uysmlujbrcjwpcpgdhp@anet.at_TextFile.zip
Archive:  20040315_uysmlujbrcjwpcpgdhp@anet.at_TextFile.zip
[20040315_uysmlujbrcjwpcpgdhp@anet.at_TextFile.zip] brbnoe.exe password:

And where are the differences you mentioned?
> I've added a "decryption" scan to the development sanitizer. Note that
> this DOES NOT actually decrypt the ZIP file; running "unzip -t" on it
> with a bogus password is apparently sufficient to reveal the
> obfuscated filename.
>
> You need to have a version of unzip that supports the -P (password)
> argument. I recommend unzip 5.50 as this also has security bugfixes.
>
> Workaround: for the worm I've seen, add "*.ePK" to your zipfile poison
> list. This may not work on variants. "*.?PK" may be better, at the
> risk of more false positives.
What is your purpose in even using 'unzip -t'?
rob.
_______________________________________________
procmail mailing list
procmail@lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
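The mismatch John describes is possible because a ZIP archive stores the filename twice: once in the central directory, which is what "unzip -l" and "unzip -v" list, and once in the local file header that sits in front of the entry's data, which is consulted when the entry is actually extracted or tested. A crafted archive can put different names in the two places. The following is an added example for this thread, not code posted by either participant: it reads the central directory with Python's zipfile module, parses each local file header by hand, and reports any entry whose two names differ. The sample archive it builds (with the constructed local-header name "sample.ePK" behind the listed name "brbnoe.exe") is made up here to exercise the check; it is not the worm's file.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = 0x04034B50
# Fixed 30-byte part of a local file header (PKZIP appnote, little-endian):
# signature, version, flags, method, time, date, crc32, csize, usize,
# filename length, extra length.
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # 30


def local_header_name(data: bytes, offset: int) -> str:
    """Return the filename stored in the local file header at `offset`."""
    fixed = data[offset:offset + LOCAL_HEADER_LEN]
    if len(fixed) != LOCAL_HEADER_LEN:
        raise ValueError("truncated local header at offset %d" % offset)
    fields = struct.unpack(LOCAL_HEADER_FMT, fixed)
    if fields[0] != LOCAL_HEADER_SIG:
        raise ValueError("bad local header signature at offset %d" % offset)
    flags, name_len = fields[2], fields[9]
    start = offset + LOCAL_HEADER_LEN
    raw = data[start:start + name_len]
    # General-purpose bit 11 marks a UTF-8 name; otherwise names are CP437.
    return raw.decode("utf-8" if flags & 0x800 else "cp437", "replace")


def find_name_mismatches(data: bytes):
    """Compare each central-directory name with its local-header name.

    Returns a list of (central_name, local_name) tuples for entries whose
    two names differ; an empty list means the index is telling the truth.
    """
    mismatches = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():          # infolist() comes from the central directory
            local_name = local_header_name(data, zi.header_offset)
            if local_name != zi.filename:
                mismatches.append((zi.filename, local_name))
    return mismatches


def build_sample(central_name: str, local_name: str) -> bytes:
    """Constructed sample: a one-entry ZIP whose local-header name is rewritten.

    Both names must have the same byte length so no offsets move.
    """
    if len(central_name.encode()) != len(local_name.encode()):
        raise ValueError("names must have equal length")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(central_name, b"constructed sample payload, not a real file")
    data = bytearray(buf.getvalue())
    # The only local header starts at offset 0, so its name begins at byte 30.
    data[LOCAL_HEADER_LEN:LOCAL_HEADER_LEN + len(local_name)] = local_name.encode()
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample("brbnoe.exe", "sample.ePK")
    for listed, real in find_name_mismatches(sample):
        print("index says %r but local header says %r" % (listed, real))
```

Run against a real archive, replace the constructed sample with the file's bytes and treat any non-empty result as a reason to quarantine, since a filter that keys its poison list only on the listed name would be judging the wrong string. Current CPython versions refuse to open such an entry with a BadZipFile error ("File name in directory ... and header ... differ"), which is why the check above reads the header itself instead of calling zf.open().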