[TZO-09-2009] Avast bypass / evasion (Limited details)
______________________________________________________________________
From the low-hanging-fruit-department - AVAST bypass/evasion
______________________________________________________________________
Release mode: Forced release, vendor has not replied.
Ref : TZO-092009 - AVAST Generic Evasion
WWW :
http://blog.zoller.lu/2009/04/release-mode-forced-release-vendor-has.html
Vendor : http://www.avast.com
Security notification reaction rating : Catastrophic
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
- List t.b.a when vendor cooperates (probably all versions)
- Known engine version to be affected - prior and post VPS:090409-0
As this bug has not been reproduced by the vendor, this limited advisory
relies on the assumption that my tests were conclusive and that the test
environment mimics the production environment.
I. Background
~~~~~~~~~~~~~
Quote: "Comprehensive network security solution for corporate customers
certified and tested by ICSA and Checkmark. It provides complete
server and desktop virus protection."
II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formated
RAR archive. Details are currently witheld :
A professional reaction to a vulnerability notification is a way to
measure the maturity of a vendor in terms of security. AVAST is given
a grace period of two (2) weeks to reply to my notification. Failure
to do so will result in POC being released in two (2) weeks.
AVAST (aswell as others) is advised to leave a specific security contact
at [1] in order to simplify getting in contact with them.
III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
The bug results in denying the engine the possibility to inspect
code within the RAR archive. There is no inspection of the content
at all.
IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
14/03/2009 : Send proof of concept, description the terms under which
I cooperate and the planned disclosure date. There is
no security adress listed at [1] and hence took the industry
standard security contacts addresses secure@ and security@.
secure@xxxxxxxx, secure@xxxxxxxxx, security@xxxxxxxxx
security@xxxxxxxx
No reply.
10/04/2009 : Resending specifying this is the last attempt to disclose
reponsibly. This time two known contact adresses that were
previously used to report vulnerabilities were used:
secalert@xxxxxxxxx, vlk@xxxxxxxxx
No reply.
17/04/2009 : Release of this advisory and begin of grace period.
[1] http://osvdb.org/vendor/1/ALWIL%20Software