[Esa-l] Warning: some .ZIP attacks not being trapped

John D. Hardin jhardin at impsec.org
Mon Jul 26 21:57:06 PDT 2004


On Mon, 26 Jul 2004, John D. Hardin wrote:

> A couple of zipped worms just dropped into my mailbox. The base64
> encoding looks really odd, and may be explicitly crafted to bypass
> scanners, as it appears to exploit a weakness in the CPAN MIME::Base64
> module *and* the mimencode program. I am investigating.

I think I understand what's happening. I have a temporary workaround
in the devel code (1.144pre6) that requires you use the CPAN base64
module.

I will try to make it more elegant and try to make it work with
mimencode as well.

If you try the devel release, PLEASE let me know if any false
positives are trapped.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The [assault weapons] ban is the moral equivalent of banning red
  cars because they look too fast.
                                   -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
   49 days until the "Scary-Looking Guns" ban expires
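The message above does not say what the weakness in MIME::Base64 and mimencode is, so the following is only a generic illustration of the attack class it describes: a base64 stream that a strict, scanner-side decoder rejects (or decodes to something other than the attachment), while a lenient decoder on the recipient's side still reconstructs the ZIP. This is an added example, not code from the sanitizer or from the original post; the "odd" encoding it produces (stray non-alphabet bytes and unusual line folding) and the four-byte ZIP signature check are hypothetical choices made here, and the sample payload is constructed, not a real archive or worm.

```python
import base64
import binascii
import re

# Constructed sample: just the ZIP local-file-header signature PK\x03\x04
# plus filler. Not a real archive and not the worm from the original post.
SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"worm.exe"


def oddly_encode(data: bytes) -> str:
    """Produce non-canonical base64 (hypothetical 'odd-looking' encoding).

    Canonical base64 with a non-alphabet byte ('-') inserted every few
    characters and the result folded at an unusual line width. This is an
    assumed illustration of decoder-confusing input, not the encoding the
    original worms used.
    """
    canon = base64.b64encode(data).decode("ascii")
    junk = ""
    for i, ch in enumerate(canon):
        junk += ch
        if i % 7 == 3:
            junk += "-"          # non-alphabet byte in the middle of the stream
    width = 13                   # fold at a width no MIME encoder would use
    return "\r\n".join(junk[i:i + width] for i in range(0, len(junk), width)) + "\r\n"


def strict_decode(text: str):
    """Scanner-style strict decoder: anything outside the alphabet (including
    the stray '-' bytes and the CRLF folding) is an error, so the scanner
    never sees the decoded bytes and cannot match them against anything."""
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None


def lenient_decode(text: str) -> bytes:
    """MUA-style lenient decoder: drop every non-alphabet byte, repair the
    padding, then decode. This is what makes the attachment usable on the
    recipient's side even though the stream looked odd."""
    cleaned = re.sub(r"[^A-Za-z0-9+/=]", "", text)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned)


def looks_like_zip(blob) -> bool:
    """Hypothetical content check: match on the ZIP local-file-header
    signature rather than trusting the declared filename."""
    return blob is not None and blob[:4] == b"PK\x03\x04"


def scan(text: str, decoder) -> bool:
    """True if a scanner using the given decoder would flag the part as ZIP."""
    return looks_like_zip(decoder(text))


def demo() -> dict:
    """Run the same crafted stream through both decoders."""
    enc = oddly_encode(SAMPLE_ZIP)
    return {
        "strict_flags_zip": scan(enc, strict_decode),      # False: scanner blind
        "lenient_flags_zip": scan(enc, lenient_decode),    # True: recipient gets a ZIP
        "lenient_roundtrip": lenient_decode(enc) == SAMPLE_ZIP,
    }


if __name__ == "__main__":
    print(demo())
```

The practical point for a scanner is the one the devel workaround hints at: decode the way the victim's mail client will decode (tolerantly), and match on what comes out, not on the transfer encoding the sender chose. The check in `strict_decode` is exactly the kind of difference an attacker can exploit, so a scanner should never be stricter than the decoders downstream of it.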