[TZO-13-2009] Avira Antivir generic CAB evasion / bypass
______________________________________________________________________
From the low-hanging-fruit-department - Avira antivir bypass/evasion
______________________________________________________________________
Release mode: Coordinated but limited disclosure.
Ref : TZO-132009 - Avira Antivir evasion CAB
WWW :
http://blog.zoller.lu/2009/04/avira-antivir-generic-cab-bypass.html
Vendor : http://www.avira.com
Status : Patched
Security notification reaction rating : Good
Notification to patch window : 7 days (Eastern holidays in between)
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
- Avira AntiVir Free (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Premium (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Premium Security Suite (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Professional (Desktop) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Server (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Exchange (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir SharePoint (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir ISA Server (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir MIMEsweeper (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir for KEN! 4 (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Virus Scan Adapter for SAP NetWeaverŽ
- Avira AntiVir Professional (Unix) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Server (Unix) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir MailGate (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir WebGate (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
I. Background
~~~~~~~~~~~~~
Quote: "Avira AntiVir is a reliable free antivirus solution, that constantly
and rapidly scans your computer for malicious programs such as viruses,
Trojans, backdoor programs, hoaxes, worms, dialers etc. Monitors
every action executed by the user or the operating system and reacts
promptly when a malicious program is detected.
The protection experts have numerous company locations throughout
Germany and cultivate partnerships in Europe, Asia and America.
Avira has more than 180 employees at their main office in Tettnang
near Lake Constance and is one of
the largest employers in the region. There are around 250 people
employed worldwide whose commitment is continually being confirmed
by awards. A significant contribution to protection is the Avira
AntiVir Personal which is being used by private users a million
times over.
AV-Comparatives e.V. have chosen Avira AntiVir Premium as the
best anti-virus solution of 2008"
II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formated
CAB archive. Details are currently witheld due to other vendors that are
in process of deploying patches.
III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
The bug results in denying the engine the possibility to inspect
code within the CAB archive. There is no inspection of the content
at all and hence the impossibility to detect malicious code.
IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
10/04/2009 : Send proof of concept, description the terms under which
I cooperate and the planned disclosure date
10/04/2009 : Avira acknowledges receipt and informs me of the eastern
holidays in Germany.
16/04/2009 : Asked for update
17/04/2009 : Avira replies the problem is fixed in "AVPack >= 8.1.3.14
7.6.1.19", changes have been made to the sdk in order to
allow 3rd party AV vendors that use the engine to reveive
more details about the file.
18/04/2009 : Avira informs me that the patch is in production since the
17th of April. AV7 7.9.0.148 / AV8/9: 8.2.0.148
18/04/2009 : Ask for more details about the impact of gateway appliances
23/04/2009 : Avira states that the archive effectively evade the default
configuration of Avira AntiVir MailGate and
Avira AntiVir WebGate (prior to patch). Future evasions
can be blocked by setting "BlockSuspiciousArchive" to yes
however this is not enabled by default.
27/04/2009 : Release of this advisory