[Esd-l] Re: [Esa-l] Warning: some .ZIP attacks not being trapped

John D. Hardin jhardin at impsec.org
Mon Jul 26 22:28:30 PDT 2004


On Mon, 26 Jul 2004, John D. Hardin wrote:

> > A couple of zipped worms just dropped into my mailbox. The base64
> > encoding looks really odd, and may be explicitly crafted to bypass
> > scanners, as it appears to exploit a weakness in the CPAN MIME::Base64
> > module *and* the mimencode program. I am investigating.
> 
> I think I understand what's happening. I have a temporary
> workaround in the devel code (1.144pre6) that requires you use the
> CPAN base64 module.
> 
> I will try to make it more elegant and try to make it work with
> mimencode as well.

Well, I made it work with mimencode too, but it's still not elegant.

The attack is either well thought out, or sloppy coding. The
attachment's base64 encoding has lines of varying length as well as
embedded blank lines. The 1.144pre6 devel sanitizer detects
excessively short lines and poisons the message rather than crashing.
It needs refinement.

I'm testing here. Volunteer testers solicited. Let me know of false
positives.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The [assault weapons] ban is the moral equivalent of banning red
  cars because they look too fast.
                                   -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
   49 days until the "Scary-Looking Guns" ban expires

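As an added example (not code from this post, and not the Email Sanitizer's own code), the following Python models the attachment shape described above: a base64 body re-wrapped with lines of varying length and embedded blank lines, a fragile line-at-a-time decoder that stops short on such input, a decoder that joins the lines before decoding, and a structural check that flags the body along the lines of the 1.144pre6 workaround. The payload bytes, the line-width pattern and the short-line threshold are constructed for this example, and the fragile decoder is an assumed behaviour used to illustrate the failure mode, not a description of MIME::Base64 or mimencode.

```python
import base64
import binascii

# Constructed sample payload standing in for a zipped attachment (a ZIP
# local-file-header signature followed by filler); not a real worm.
PAYLOAD = b"PK\x03\x04" + bytes(range(64)) * 3
B64 = base64.b64encode(PAYLOAD).decode("ascii")


def wrap_regular(b64: str, width: int = 76) -> str:
    """Ordinary MIME wrapping: every line is `width` chars except the last."""
    return "\n".join(b64[i:i + width] for i in range(0, len(b64), width)) + "\n"


def wrap_irregular(b64: str, widths=(76, 5, 0, 41, 3, 0, 76)) -> str:
    """Re-wrap using a cycle of odd line widths; a width of 0 emits an
    embedded blank line. The cycle is an assumption for this example."""
    lines, i, k = [], 0, 0
    while i < len(b64):
        w = widths[k % len(widths)]
        k += 1
        if w == 0:
            lines.append("")
            continue
        lines.append(b64[i:i + w])
        i += w
    return "\n".join(lines) + "\n"


NORMAL_BODY = wrap_regular(B64)
IRREGULAR_BODY = wrap_irregular(B64)


def decode_per_line(body: str) -> tuple[bytes, str]:
    """Fragile decoder (assumed behaviour, not any particular tool): decodes
    one line at a time and treats a blank line as the end of the part. A line
    whose length is not a multiple of 4 cannot be decoded on its own, so
    decoding stops there and the rest of the attachment is never seen."""
    out = bytearray()
    for line in body.splitlines():
        if line.strip() == "":
            return bytes(out), "stopped at blank line"
        try:
            out += base64.b64decode(line, validate=True)
        except binascii.Error:
            return bytes(out), f"stopped at line of length {len(line)}"
    return bytes(out), "ok"


def decode_robust(body: str) -> bytes:
    """Join all non-blank lines first, so line shape cannot affect the result;
    validate=True still rejects characters outside the base64 alphabet."""
    joined = "".join(line.strip() for line in body.splitlines())
    return base64.b64decode(joined, validate=True)


def audit_base64_lines(body: str, short_threshold: int = 16) -> dict:
    """Structural check in the spirit of the sanitizer workaround: flag
    embedded blank lines, lines far shorter than normal (the final line is
    allowed to be short) and mixed line widths. The threshold of 16 is an
    assumption for this example, not the sanitizer's actual value."""
    lines = body.splitlines()
    blank = sum(1 for line in lines if line.strip() == "")
    widths = [len(line) for line in lines if line.strip() != ""]
    body_widths = widths[:-1]  # the last line is naturally short
    short = sum(1 for w in body_widths if w < short_threshold)
    irregular = len(set(body_widths)) > 1
    return {
        "blank_lines": blank,
        "short_lines": short,
        "irregular_widths": irregular,
        "suspicious": blank > 0 or short > 0 or irregular,
    }


if __name__ == "__main__":
    for name, body in (("normal", NORMAL_BODY), ("irregular", IRREGULAR_BODY)):
        data, why = decode_per_line(body)
        print(name, "per-line:", len(data), "bytes,", why)
        print(name, "robust matches payload:", decode_robust(body) == PAYLOAD)
        print(name, "audit:", audit_base64_lines(body))
```

The point of the audit is the same as the poisoning workaround in the post: a scanner that cannot be sure it decoded the whole part should not pass the message through as clean. Whether a short-line threshold produces false positives on legitimate mail is exactly what the testers are being asked to report.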