
[TZO-05-2009] Clamav 0.94 and below - Evasion /bypass



______________________________________________________________________

  From the low-hanging-fruit-department - Generic ClamAV evasion 
______________________________________________________________________

Release mode: Coordinated but limited disclosure.
Ref         : TZO-062009- ClamAV Evasion
WWW         : 
http://blog.zoller.lu/2009/04/clamav-094-and-below-evasion-and-bypass.html
Vendor      : http://www.clamav.net &
              http://www.sourcefire.com/products/clamav
Security notification reaction rating : Good.
Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- ClamAV below 0.95
  Includes MACOSX server, IBM Secure E-mail Express Solution for System
  and a lot of mail appliances.
  http://www.clamav.net/about/who-use-clamav/

About this advisory
-------------------
I used to not report bugs publicly where a vendor, without reacting 
to my notifications, silently patched. I also did not publish
low-hanging fruit, as it makes you look silly in the eyes of your
peers.

Over the past years I had the chance to audit and test a lot of critical 
infrastructures that, amongst other things, relied on security products 
(and on security notifications from vendors), and have witnessed various 
ways of setting up your defenses that make some bugs critical that 
you'd consider low at first glance. I came to the conclusion that most
bugs deserve disclosure. 

Please see "Common misconceptions" for more information.

I. Background
~~~~~~~~~~~~~
Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, 
designed especially for e-mail scanning on mail gateways. It provides 
a number of utilities including a flexible and scalable multi-threaded
daemon, a command line scanner and advanced tool for automatic 
database updates. The core of the package is an anti-virus engine 
available in a form of shared library. 

II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by manipulating a RAR archive in 
a "certain way" so that the ClamAV engine cannot extract the content but
the end user can. Details are currently withheld (thanks to IBM).

III. Impact
~~~~~~~~~~~
The bug denies the engine the possibility to inspect code within the
RAR archive. While the impact might be low client-side (as code is
inspected upon extraction by the user), the impact for gateways or AV
infrastructure where the archive is not extracted is considerable:
there is no inspection of the content at all. Prior disclosures
therefore referred to this class of bugs as denial of service (you
deny the service of the scan engine for that file); however, I chose
to stick with the terms evasion/bypass, that being the primary impact
of these types of bugs.

PS. I am aware that there are hundreds of ways to bypass; that however
doesn't make it less of a problem. I am waiting for the day when the 
first worm uses these techniques to stay undetected over a longer 
period of time, as depending on the evasion a kernel update (engine 
update) is necessary and signature updates do not suffice, resulting in
a longer window of exposure - at least for GW solutions. *Must make 
Conficker reference here*


IV. Common misconceptions about this "bug class"
--------------------------------------------------
- This has the same effect as adding a password to a ZIP file

The scanner denotes files that are password-protected; an example is an
e-mail GW scanner that adds "Attachment not scanned" to the subject line
or otherwise indicates that the file was not scanned. This is not the
case with bypasses: in most cases the engine has not inspected the
content at all or has inspected it in a different way.
Additionally, password-protected archive files are easily filterable by
a content policy, allowing or denying them.

- This is only an issue with gateway products

Every environment where the archive is not actively extracted by 
the end user is affected, for example file servers, databases
etc. Over the years I saw the strangest environments that 
were affected by this type of "bug". My position is that customers
deserve better security than this.

- Behavioral analysis will catch this?

No, the content is unreadable to the AV engine; as such no inspection
whatsoever is possible.

- Evasions are the Cross-Site Scripting of file format bugs

Yes.
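To illustrate the gateway-side handling that sections III and IV argue for, the following is an added example; it is not part of this advisory and not ClamAV code. It is a fail-closed archive inspection routine in Python that uses the ZIP format as a stand-in (the standard library parses it offline; the RAR details of the actual bug are withheld), a hypothetical scan_member hook with a constructed marker string in place of a real signature engine, and constructed sample archives: an intact one, a truncated one, one with the encryption flag set, and one whose local file header is corrupted. The point it demonstrates: any archive the parser cannot fully read gets the same "Attachment not scanned" treatment a password-protected archive already gets, rather than a silent "clean".

```python
import io
import zipfile
import zlib
from enum import Enum
from typing import List, Tuple


class Verdict(Enum):
    SCANNED_CLEAN = "scanned-clean"
    SCANNED_DETECTED = "scanned-detected"
    NOT_SCANNED_ENCRYPTED = "not-scanned-encrypted"
    NOT_SCANNED_UNPARSEABLE = "not-scanned-unparseable"


# Constructed marker standing in for a real signature (hypothetical scanner).
MARKER = b"CONSTRUCTED-MALWARE-MARKER"


def scan_member(name: str, data: bytes) -> bool:
    """Stand-in content scanner hook: True when the member is considered clean."""
    return MARKER not in data


def inspect_archive(data: bytes, scanner=scan_member) -> Tuple[Verdict, List[str]]:
    """Enumerate and scan every member. Anything the parser cannot fully read
    yields a NOT_SCANNED verdict instead of an implicit 'clean'."""
    notes: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:  # central directory missing or damaged
        return Verdict.NOT_SCANNED_UNPARSEABLE, [f"archive: {exc}"]
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                notes.append(f"{info.filename}: encrypted")
                return Verdict.NOT_SCANNED_ENCRYPTED, notes
            try:
                payload = zf.read(info)  # may fail on a bad local header or data
            except (zipfile.BadZipFile, zlib.error, EOFError, RuntimeError, ValueError) as exc:
                notes.append(f"{info.filename}: {exc}")
                return Verdict.NOT_SCANNED_UNPARSEABLE, notes
            if not scanner(info.filename, payload):
                notes.append(f"{info.filename}: detected")
                return Verdict.SCANNED_DETECTED, notes
            notes.append(f"{info.filename}: clean")
    return Verdict.SCANNED_CLEAN, notes


def gateway_subject(subject: str, verdict: Verdict) -> str:
    """Mirror the gateway convention of tagging un-inspected attachments in the
    subject line, applied to every NOT_SCANNED verdict, not only to
    password-protected archives."""
    if verdict in (Verdict.NOT_SCANNED_ENCRYPTED, Verdict.NOT_SCANNED_UNPARSEABLE):
        return f"[Attachment not scanned] {subject}"
    return subject


# --- constructed sample archives (test data, not real-world files) ---

def make_zip(content: bytes, name: str = "payload.txt") -> bytes:
    """One-member, stored (uncompressed) ZIP built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(archive: bytes) -> bytes:
    """Set the 'encrypted' flag bit in the local and central headers so the
    parser sees a password-protected member (no real encryption applied)."""
    data = bytearray(archive)
    local = data.find(b"PK\x03\x04")
    central = data.find(b"PK\x01\x02")
    data[local + 6] |= 0x1    # local file header: flags at offset 6
    data[central + 8] |= 0x1  # central directory header: flags at offset 8
    return bytes(data)


def corrupt_local_header(archive: bytes) -> bytes:
    """Damage the local file header signature while leaving the central
    directory intact, so enumeration works but member extraction does not."""
    data = bytearray(archive)
    local = data.find(b"PK\x03\x04")
    data[local + 3] = 0x05
    return bytes(data)


if __name__ == "__main__":
    samples = {
        "intact": make_zip(b"hello"),
        "marker": make_zip(MARKER),
        "truncated": make_zip(b"hello")[:20],
        "encrypted": mark_encrypted(make_zip(b"hello")),
        "bad-local-header": corrupt_local_header(make_zip(b"hello")),
    }
    for label, blob in samples.items():
        verdict, notes = inspect_archive(blob)
        print(f"{label:17} {verdict.value:24} {gateway_subject('Invoice', verdict)}  {notes}")
```

The routine returns on the first member that cannot be read rather than continuing, because a partially inspected archive is still an uninspected one from the policy's point of view; a content policy can then allow, tag or quarantine the NOT_SCANNED verdicts as a group, exactly as it already does for password-protected archives.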


V. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~

IBM was sent two POC files, an explanation and the disclosure terms 
(http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html)

09/03/2009 : Sent proof of concept, description, the terms under which 
             I cooperate and the planned disclosure date (23/03/2009)
                         
13/03/2009 : Clamav responds that the bug is reproducible and will be
             fixed in 0.95, to be released on 23/03/2009
             
             (IBM take note, it's that easy.)

23/05/2009 : Asked clamav if the release was made and if credit was 
             given

23/05/2009 : Clamav responds that the release was made and that
             credit was given in the changelog. (Tzo note: A post will 
             probably be made at http://www.clamav.net/category/security/)

02/01/2009 : Release of this limited detail advisory

Final comments:
I would like to thank Tomasz Kojm (ClamAV) for the professional 
reaction and AV-Test GmbH for their support.