[14409] in bugtraq


Re: Esafe Protect Gateway (CVP) does not scan virus under some

daemon@ATHENA.MIT.EDU (Jason Brvenik)
Fri Mar 24 16:07:29 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <38DB8B35.12A88CC1@usdoj.gov>
Date:         Fri, 24 Mar 2000 10:35:17 -0500
Reply-To: Jason Brvenik <jason.brvenik@USDOJ.GOV>
From: Jason Brvenik <jason.brvenik@USDOJ.GOV>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Just to add a little here to remind how easy it is to do simple trickery.

"Hugo.van.der.Kooij@CAIW.NL" wrote:

[snip]

>
>
> The overall message you are sending is that we should be confident that
> any file passed through uninspected can't be harmful in any way. However my
> customers don't agree and find this unacceptable and so do I.

A traditionally safe file would be a .pdf or .movie; remember that NT will
execute any executable regardless of the extension if it is invoked through
the start command.

Simple situation:
I provide a supposed link to a .movie file which is actually an executable
with an embedded .avi (could be any nonstandard, non-executable file type;
.movie just works well) for download. The web server presents this as
video/x-sgi-movie for the MIME type. The user saves it to disk and follows
the brief instruction for playing it by doing a start/run "start [download
path]\test.movie". The trojaned file looks like a movie playing and exits, but
has delivered its payload in the interim.


Demo:
copy notepad.exe to %TEMP%\test.movie
do a start/run
type in "start [tmpdir]\test.movie"
you now have notepad up on the screen.



>
>
> The purpose of the BugTraq mailing list is to inform people of known
> problems and if possible of solutions or at least of workarounds.
> Unfortunately there is no usable workaround.
>
> My customers don't just expect that they will not be harmed by a virus
> but that a maximum effort is done to prevent any harmful activities. At
> present ESP does not live up to that expectation because someone made a
> choice that they find an unacceptable security breach.
>
> Hugo.
>
> --
> Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
> hvdkooij@caiw.nl        http://home.kabelfoon.nl/~hvdkooij/
> --------------------------------------------------------------
> Use of any of my email addresses for unsolicited (commercial)
>     email is a clear intrusion of my privacy and illegal!
