<<< Date Index >>>     <<< Thread Index >>>

[TZO-08-2009] Bitdefender generic bypass/evasion



______________________________________________________________________

  From the low-hanging-fruit-department - Bitdefender bypass/evasion
______________________________________________________________________

Release mode: Coordinated but limited disclosure.
Ref         : TZO-082009 - Bitdefender Evasion CAB
WWW         : 
http://blog.zoller.lu/2009/04/bitdefender-generic-bypassevasion-cab.html
Vendor      : http://www.bitdefender.com
Security notification reaction rating : Good
Notification to patch window : 1 day (!)

Intersting backround statistics:
Time required to coordinate disclosure and write the advisory: 2 hours
Time required to find the bug : 10 minutes

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Bitdefender Antivirus 2009 (pre update 13/04/2009)
- Bitdefender Internet Security 2009 (pre update 13/04/2009)
- Bitdefender Total Security 2009 (pre update 13/04/2009)
- Bitdefender Small Office Security (pre update 13/04/2009)
- Bitdefender for Fileservers (pre update 13/04/2009)
- Bitdefender for Samba (pre update 13/04/2009)
- Bitdefender for Sharepoint (pre update 13/04/2009)
- Bitdefender Security for Exchange (pre update 13/04/2009)
- Bitdefender Security for Mailservers (pre update 13/04/2009)
- Bitdefender for ISA Servers (pre update 13/04/2009)
- Bitdefender Client security (pre update 13/04/2009)

Bundles:
- BitDefender Business Security (pre update 13/04/2009)
- Bitdefender Antivirus for Unices (pre update 13/04/2009)
- Bitdefender Corporate Security (pre update 13/04/2009)
- Bitdefender SBS Security (pre update 13/04/2009)

I. Background
~~~~~~~~~~~~~
BitDefender™  provides  security  solutions  to  satisfy  the    protection
requirements  of  today's  computing  environment,   delivering   effective
threat management for over 41 million home  and  corporate  users  in  more
than 100 countries. BitDefender, a division of SOFTWIN,   is  headquartered
in Bucharest, Romania and has offices in  Tettnang,   Germany,   Barcelona,
United  Kingdom,   Denmark,   Spain  and  Fort  Lauderdale  (FL),      USA.



II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formated
CAB archive. Details are currently witheld due to other vendors that are 
in process of deploying patches.

III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within the CAB archive. There is no inspection of the content
at all.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
13/04/2009 : Send proof of concept, description the terms under which 
             I cooperate and the planned disclosure date
                         
14/04/2009 : Bitdefender responds that the problem was fixed by an 
             automatic update on the 13/04/2009
                         
16/04/2009 : Asked what product line and version has been affected and
             a CVE number.           

15/04/2009 : Bitdefender states that "All  our  products are affected 
             by this problem. We don't have a CVE number".

17/04/2009 : Release of this advisory