[13409] in bugtraq


More Interscan Viruswall stuff

daemon@ATHENA.MIT.EDU (john lampe)
Tue Jan 18 13:04:09 2000

Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-Id:  <20000118141720.41459.qmail@hotmail.com>
Date:         Tue, 18 Jan 2000 06:17:18 PST
Reply-To: john lampe <johnlampe@HOTMAIL.COM>
From: john lampe <johnlampe@HOTMAIL.COM>
X-To:         BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

It was posted, Dec 27th, that Interscan Viruswall would allow virus-infected
attachments to pass when an additional "=" was appended to the end of a
Base64 message.  Along a similar vein, numbers 1 through 3 below will also
allow virus-infected attachments to pass right by Interscan Viruswall.

1) Adding a "-" to the end of the base64 message
2) Changing the content-type application type in the header. Example:
   Content-type: Application/FOO;
   name="whatever.doc"
3) Adding an extra "-" at the end of the base64 boundary

3 methods above were tested and verified on NT running the latest engine
from Trend Micro, along with the latest patch.  At least one of the methods
above (Number 1) was tested and verified on a Solaris box by Kris Herrin
(the original poster).  3 methods above were chosen *at random* from RFC
2045.  Vendor was notified.  Patch was promised by Wed. of last week.  Trend
Micro patches can be found at
http://www.antivirus.com/download/patches/default.htm . RFC 2045 can be
found at http://www.ietf.org/rfc/rfc2045.txt

John Lampe
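
An added example, not part of the original post and not Trend Micro code: a strict MIME audit that a mail gateway could run so that the malformations listed above are flagged for quarantine or a deeper scan instead of being skipped. The `KNOWN_APP_SUBTYPES` allowlist, the constructed `sample()` message and the reading of item 3 as extra characters after the boundary delimiter are assumptions.

```python
import re

CANONICAL_B64 = re.compile(r"[A-Za-z0-9+/]*={0,2}")
# Assumption: application subtypes this hypothetical gateway knows how to scan.
KNOWN_APP_SUBTYPES = {"msword", "octet-stream", "zip", "pdf"}

def audit_mime(raw):
    """Return findings for one raw MIME message; empty list means well-formed."""
    findings, body, in_body, is_b64 = [], [], False, False
    m = re.search(r'boundary="?([^";\s]+)', raw, re.I)
    delim = "--" + m.group(1) if m else None

    def flush():
        # Strict check: only alphabet chars, at most two "=", length % 4 == 0.
        data = "".join(body)
        if is_b64 and (len(data) % 4 or not CANONICAL_B64.fullmatch(data)):
            findings.append("non-canonical base64 body ending %r" % data[-4:])
        body.clear()

    for line in raw.splitlines():
        low = line.lower()
        if delim and line.startswith(delim):
            flush()
            # Only "" (part start) or "--" (close) may follow the boundary.
            if line[len(delim):].strip() not in ("", "--"):
                findings.append("malformed boundary line %r" % line)
            in_body = is_b64 = False
        elif in_body:
            body.append(line.strip())
        elif line == "":
            in_body = True
        elif low.startswith("content-transfer-encoding:") and "base64" in low:
            is_b64 = True
        else:
            t = re.match(r"content-type:\s*application/([^;\s]+)", low)
            if t and t.group(1) not in KNOWN_APP_SUBTYPES:
                findings.append("unrecognised type application/" + t.group(1))
    flush()
    return findings

def sample(ctype="application/msword", tail="", close="--XYZ--"):
    # Constructed message; the payload is base64 of the text "harmless text".
    return "\n".join(["MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="XYZ"', "", "--XYZ",
        "Content-Type: %s;" % ctype, '   name="whatever.doc"',
        "Content-Transfer-Encoding: base64", "",
        "aGFybWxlc3MgdGV4dA==" + tail, close])
```

Any non-empty result means the message deviates from what a strict parser expects, so the attachment should not be passed on the strength of a lenient decode.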



