[TZO-09-2009] Avast bypass / evasion (Limited details)

To: NTBUGTRAQ <NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx>, bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>, <info@xxxxxxxxxxxxx>, <vuln@xxxxxxxxxxx>, <cert@xxxxxxxx>, <nvd@xxxxxxxx>, <cve@xxxxxxxxx>
Subject: [TZO-09-2009] Avast bypass / evasion (Limited details)
From: Thierry Zoller <Thierry@xxxxxxxxx>
Date: Fri, 17 Apr 2009 16:23:25 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: Thierry Zoller <Thierry@xxxxxxxxx>

______________________________________________________________________

    From the low-hanging-fruit-department - AVAST bypass/evasion
______________________________________________________________________

Release mode: Forced release, vendor has not replied.
Ref         : TZO-092009 - AVAST Generic Evasion 
WWW         : 
http://blog.zoller.lu/2009/04/release-mode-forced-release-vendor-has.html
Vendor      : http://www.avast.com
Security notification reaction rating : Catastrophic

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- List t.b.a when vendor cooperates (probably all versions)
- Known engine version to be affected - prior and post VPS:090409-0  

As this bug has not been reproduced by the vendor, this limited advisory
relies on the assumption that my tests were conclusive and that the test
environment mimics the production environment.


I. Background
~~~~~~~~~~~~~
Quote: "Comprehensive network security solution for corporate customers 
certified and tested by ICSA and Checkmark. It provides complete 
server and desktop virus protection."

II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formated
RAR archive. Details are currently witheld :

A professional reaction to a vulnerability notification is a way to 
measure the maturity of a vendor in terms of security. AVAST is given 
a grace period of two (2) weeks to reply to my notification. Failure 
to do so will result in POC being released in two (2) weeks. 

AVAST (aswell as others) is advised to leave a specific security contact
at [1] in order to simplify getting in contact with them.

III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within the RAR archive. There is no inspection of the content
at all.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~

14/03/2009 : Send proof of concept, description the terms under which 
             I cooperate and the planned disclosure date. There is
             no security adress listed at [1] and hence took the industry
             standard security contacts addresses secure@ and security@.
             secure@xxxxxxxx, secure@xxxxxxxxx, security@xxxxxxxxx
             security@xxxxxxxx

             No reply.
                         
10/04/2009 : Resending specifying this is the last attempt to disclose
             reponsibly. This time two known contact adresses that were
             previously used to report vulnerabilities were used:
             secalert@xxxxxxxxx, vlk@xxxxxxxxx
                         
             No reply.
                         
17/04/2009 : Release of this advisory and begin of grace period.


[1] http://osvdb.org/vendor/1/ALWIL%20Software

Prev by Date: [TZO-08-2009] Bitdefender generic bypass/evasion
Next by Date: rPSA-2009-0061-1 cups
Previous by thread: [TZO-08-2009] Bitdefender generic bypass/evasion
Next by thread: rPSA-2009-0061-1 cups
Index(es):
- Date
- Thread