Mailing List Archive

Possible bypass via gz?
Hi,

Not sure if this person is using an old version of ClamAV and I haven't
attempted this, but he alleges he has found a way to bypass gzip'ed
tarballs by modifying a specific byte within the headers.


http://www.exploit-db.com/wp-content/themes/exploit/docs/31685.pdf

Hope this is the correct place to report this.
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
Re: Possible bypass via gz? [ In reply to ]
Thanks, Brandon. We'll review this.


On Sun, Feb 16, 2014 at 7:29 PM, Brandon Perry <bperry.volatile@gmail.com> wrote:

> Hi,
>
> Not sure if this person is using an old version of ClamAV and I haven't
> attempted this, but he alleges he has found a way to bypass gzip'ed
> tarballs by modifying a specific byte within the headers.
>
>
> http://www.exploit-db.com/wp-content/themes/exploit/docs/31685.pdf
>
> Hope this is the correct place to report this.
Re: Possible bypass via gz? [ In reply to ]
Hey guys,

Is this going to need a CVE? I can forward the info onto oss-sec list
and get a CVE assigned.


On 02/17/2014 08:12 AM, Matt Olney wrote:
> Thanks, Brandon. We'll review this.
>
>
> On Sun, Feb 16, 2014 at 7:29 PM, Brandon Perry <bperry.volatile@gmail.com> wrote:
>
>> Hi,
>>
>> Not sure if this person is using an old version of ClamAV and I haven't
>> attempted this, but he alleges he has found a way to bypass gzip'ed
>> tarballs by modifying a specific byte within the headers.
>>
>>
>> http://www.exploit-db.com/wp-content/themes/exploit/docs/31685.pdf
>>
>> Hope this is the correct place to report this.
Re: Possible bypass via gz? [ In reply to ]
Nope. This isn't a vulnerability, just a false negative.


On Sat, Feb 22, 2014 at 4:46 PM, Brandon Perry <bperry.volatile@gmail.com> wrote:

> Hey guys,
>
> Is this going to need a CVE? I can forward the info onto oss-sec list
> and get a CVE assigned.
>
>
> On 02/17/2014 08:12 AM, Matt Olney wrote:
> > Thanks, Brandon. We'll review this.
> >
> >
> > On Sun, Feb 16, 2014 at 7:29 PM, Brandon Perry <bperry.volatile@gmail.com> wrote:
> >
> >> Hi,
> >>
> >> Not sure if this person is using an old version of ClamAV and I haven't
> >> attempted this, but he alleges he has found a way to bypass gzip'ed
> >> tarballs by modifying a specific byte within the headers.
> >>
> >>
> >> http://www.exploit-db.com/wp-content/themes/exploit/docs/31685.pdf
> >>
> >> Hope this is the correct place to report this.