procmail

Re: ALERT: Another ZIP trick is out... (Sanitizer)

2004-03-18 06:01:50
On Wed, 17 Mar 2004, 21:16 GMT-08 John D. Hardin wrote:

> Apparently there's a way to obfuscate filenames in ZIP files. I need
> to look into it in some more detail, but the symptom is the ZIP index
> (unzip -l and unzip -v) reports a different filename than is actually
> decrypted.

Could you please post the output of such an example zip file? Like

[root@ns EZIP]# unzip -l 20040315_uysmlujbrcjwpcpgdhp@anet.at_TextFile.zip
Archive:  20040315_uysmlujbrcjwpcpgdhp@anet.at_TextFile.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
    12288  03-15-04 07:24   brbnoe.exe
 --------                   -------
    12288                   1 file

[root@ns EZIP]# unzip -v 20040315_uysmlujbrcjwpcpgdhp@anet.at_TextFile.zip
Archive:  20040315_uysmlujbrcjwpcpgdhp@anet.at_TextFile.zip
 Length   Method    Size  Ratio   Date   Time   CRC-32    Name
--------  ------  ------- -----   ----   ----   ------    ----
   12288  Stored    12288   0%  03-15-04 07:24  5142e29f  brbnoe.exe
--------          -------  ---                            -------
   12288            12288   0%                            1 file

[root@ns EZIP]# unzip -t 20040315_uysmlujbrcjwpcpgdhp@anet.at_TextFile.zip
Archive:  20040315_uysmlujbrcjwpcpgdhp@anet.at_TextFile.zip
[20040315_uysmlujbrcjwpcpgdhp@anet.at_TextFile.zip] brbnoe.exe password:

and point out where the differences you mentioned are?

> I've added a "decryption" scan to the development sanitizer. Note that
> this DOES NOT actually decrypt the ZIP file; running "unzip -t" on it
> with a bogus password is apparently sufficient to reveal the
> obfuscated filename.
>
> You need to have a version of unzip that supports the -P (password)
> argument. I recommend unzip 5.50 as this also has security bugfixes.
>
> Workaround: for the worm I've seen, add "*.ePK" to your zipfile poison
> list. This may not work on variants. "*.?PK" may be better, at the
> risk of more false positives.

What is your purpose in even using 'unzip -t'?

rob.


_______________________________________________
procmail mailing list
procmail@lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
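Added example, not part of the original thread and not the Sanitizer's own code: the symptom John describes (an index listing that shows one filename while extraction produces another) is what you get when the name stored in an entry's local file header differs from the name stored in the central directory, because `unzip -l` / `unzip -v` and most listing code read only the central directory. Whether that is exactly the trick this worm used is not established in the thread, so treat it as an assumption. The Python below builds such an archive from constructed data, shows that the standard-library index view reports only the central-directory name, and then reads both copies of every name so a mail filter can reject any archive where they disagree, without needing `unzip -P`. Names are decoded as CP437, the ZIP default for entries without the UTF-8 flag.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"    # local file header
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header
EOCD_SIG = b"PK\x05\x06"     # end of central directory record


def build_zip(local_name: bytes, central_name: bytes, data: bytes) -> bytes:
    """Build a one-entry, stored, unencrypted ZIP.  The local header gets
    `local_name`, the central directory gets `central_name`; passing two
    different names reproduces the listing/extraction mismatch.  Constructed
    test data, not a real worm sample."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # version needed, flags, method, time, date, crc, csize, usize, nlen, xlen
    local = (LOCAL_SIG
             + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, crc, len(data),
                           len(data), len(local_name), 0)
             + local_name + data)
    # version made by, version needed, flags, method, time, date, crc, csize,
    # usize, nlen, xlen, clen, disk, int attrs, ext attrs, local header offset
    central = (CENTRAL_SIG
               + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0, 0, crc,
                             len(data), len(data), len(central_name),
                             0, 0, 0, 0, 0, 0)
               + central_name)
    # disk, cd disk, entries on disk, total entries, cd size, cd offset, comment len
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central),
                                  len(local), 0)
    return local + central + eocd


def index_listing(blob: bytes) -> list:
    """What an index-based listing (unzip -l / -v, zipfile.namelist) reports:
    only the names recorded in the central directory."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def entry_names(blob: bytes) -> list:
    """Return (central_name, local_name) for every entry by walking the
    central directory and following each offset to its local header."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, total, _, cd_off, _ = struct.unpack("<HHHHIIH", blob[eocd + 4:eocd + 22])
    pairs = []
    pos = cd_off
    for _ in range(total):
        if blob[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        f = struct.unpack("<HHHHHHIIIHHHHHII", blob[pos + 4:pos + 46])
        nlen, xlen, clen, lh_off = f[9], f[10], f[11], f[15]
        central_name = blob[pos + 46:pos + 46 + nlen]
        pos += 46 + nlen + xlen + clen
        if blob[lh_off:lh_off + 4] != LOCAL_SIG:
            raise ValueError("bad local header signature at offset %d" % lh_off)
        lnlen = struct.unpack("<H", blob[lh_off + 26:lh_off + 28])[0]
        local_name = blob[lh_off + 30:lh_off + 30 + lnlen]
        pairs.append((central_name.decode("cp437"), local_name.decode("cp437")))
    return pairs


def name_mismatches(blob: bytes) -> list:
    """Entries whose two stored names disagree; a filter can poison on any."""
    return [(c, l) for c, l in entry_names(blob) if c != l]


if __name__ == "__main__":
    evil = build_zip(b"brbnoe.exe", b"TextFile.txt", b"MZ" + b"\x00" * 30)
    print("index says: ", index_listing(evil))     # ['TextFile.txt']
    print("both names: ", entry_names(evil))       # [('TextFile.txt', 'brbnoe.exe')]
    print("mismatches: ", name_mismatches(evil))   # [('TextFile.txt', 'brbnoe.exe')]
```

The point of the check is that it does not care which of the two names the recipient's extractor will honour: any disagreement between the central directory and a local header is reason enough to treat the attachment as hostile, and it works on encrypted archives too, because the names are never encrypted.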
