[Esa-l] Warning: some .ZIP attacks not being trapped
John D. Hardin
jhardin at impsec.org
Mon Jul 26 22:28:30 PDT 2004
On Mon, 26 Jul 2004, John D. Hardin wrote:
> > A couple of zipped worms just dropped into my mailbox. The base64
> > encoding looks really odd, and may be explicitly crafted to bypass
> > scanners, as it appears to exploit a weakness in the CPAN MIME::Base64
> > module *and* the mimencode program. I am investigating.
>
> I think I understand what's happening. I have a temporary
> workaround in the devel code (1.144pre6) that requires you use the
> CPAN base64 module.
>
> I will try to make it more elegant and try to make it work with
> mimencode as well.
Well, I made it work with mimencode too, but it's still not elegant.
The attack is either well thought out, or sloppy coding. The
attachment's base64 encoding has lines of varying length as well as
embedded blank lines. The 1.144pre6 devel sanitizer detects
excessively short lines and poisons the message rather than crashing.
It needs refinement.
I'm testing here. Volunteer testers solicited. Let me know of false
positives.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org FALaholic #11174 pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The [assault weapons] ban is the moral equivalent of banning red
cars because they look too fast.
-- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
49 days until the "Scary-Looking Guns" ban expires
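As an added illustration of the check the post describes (example code written for this page, not the Email Sanitizer's own), this Python snippet flags a base64 body part whose lines vary in length or contain embedded blank lines, and decodes the part leniently so the real content is still inspected. The sample body is constructed, and the 16-character threshold for an "excessively short" line is an assumption.

```python
import base64
import re

# Constructed sample for this example: a base64 body with lines of varying
# length and an embedded blank line, like the attachments described in the
# post. The bytes are a ZIP local-header signature plus filler, not an archive.
PAYLOAD = b"PK\x03\x04" + b"constructed filler, not a real archive"
CLEAN_BODY = base64.b64encode(PAYLOAD).decode()
MALFORMED_BODY = "\n".join(
    [CLEAN_BODY[:20], "", CLEAN_BODY[20:27], CLEAN_BODY[27:]]) + "\n"

B64_LINE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def layout_anomalies(body, min_line=16):
    """List irregularities in the line layout of a base64 body.
    A standard encoder emits lines of one constant length with only the
    final line shorter; blank, short or unevenly sized lines in the middle
    mean something else produced the part, and a naive line-by-line
    decoder may mishandle it. The 16-char threshold is an assumption."""
    lines = body.replace("\r\n", "\n").rstrip("\n").split("\n")
    found = []
    for i, line in enumerate(lines, start=1):
        if line == "":
            found.append(f"line {i}: embedded blank line")
        elif not B64_LINE.match(line):
            found.append(f"line {i}: characters outside the base64 alphabet")
        elif i < len(lines) and len(line) < min_line:
            found.append(f"line {i}: excessively short ({len(line)} chars)")
    widths = {len(l) for l in lines[:-1] if l}
    if len(widths) > 1:
        found.append(f"varying line lengths {sorted(widths)}")
    return found


def lenient_decode(body):
    """Decode the way a tolerant mail client does: drop everything outside
    the base64 alphabet (line breaks, blank lines) and repair padding."""
    data = re.sub(r"[^A-Za-z0-9+/=]", "", body)
    return base64.b64decode(data + "=" * (-len(data) % 4))


def inspect(body):
    """Irregular layout is itself grounds to poison the part; the decoded
    bytes are what a scanner must examine regardless of line structure."""
    anomalies = layout_anomalies(body)
    return {"verdict": "poison" if anomalies else "ok",
            "anomalies": anomalies, "decoded": lenient_decode(body)}


if __name__ == "__main__":
    print(inspect(MALFORMED_BODY))
```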