
[TZO-13-2009] Avira Antivir generic CAB evasion / bypass



______________________________________________________________________

  From the low-hanging-fruit-department - Avira antivir bypass/evasion
______________________________________________________________________

Release mode: Coordinated but limited disclosure.
Ref         : TZO-13-2009 - Avira Antivir evasion CAB
WWW         : 
http://blog.zoller.lu/2009/04/avira-antivir-generic-cab-bypass.html
Vendor      : http://www.avira.com
Status      : Patched
Security notification reaction rating : Good
Notification to patch window : 7 days (Easter holidays in between)

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Avira AntiVir Free (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Premium (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Premium Security Suite (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Professional (Desktop) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Server (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Exchange (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir SharePoint (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir ISA Server (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir MIMEsweeper (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir for KEN! 4 (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
- Avira AntiVir Professional (Unix) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Server (Unix)  (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir MailGate (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir WebGate (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)

I. Background
~~~~~~~~~~~~~
Quote: "Avira AntiVir is a reliable free antivirus solution, that constantly 
and rapidly scans your computer for malicious programs such as viruses, 
Trojans, backdoor programs, hoaxes, worms, dialers etc. Monitors 
every action executed by the user or the operating system and reacts 
promptly when a malicious program is detected.

The protection experts have numerous company locations throughout 
Germany and cultivate partnerships in Europe, Asia and America. 
Avira has more than 180 employees at their main office in Tettnang 
near Lake Constance and is one of
the largest employers in the region. There are around 250 people 
employed worldwide whose commitment is continually being confirmed 
by awards. A significant contribution to protection is the Avira 
AntiVir Personal which is being used by private users a million 
times over.

AV-Comparatives e.V. have chosen Avira AntiVir Premium as the 
best anti-virus solution of 2008"


II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formatted
CAB archive. Details are currently withheld because other vendors are
in the process of deploying patches.

III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug prevents the engine from inspecting the code contained in the
CAB archive. The content is not inspected at all, so malicious code
inside the archive cannot be detected.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
10/04/2009 : Sent proof of concept, a description of the terms under which
             I cooperate, and the planned disclosure date
                         
10/04/2009 : Avira acknowledges receipt and informs me of the Easter
             holidays in Germany.
                         
16/04/2009 : Asked for an update

17/04/2009 : Avira replies that the problem is fixed in "AVPack >= 8.1.3.14
             7.6.1.19"; changes have been made to the SDK in order to
             allow 3rd-party AV vendors that use the engine to receive
             more details about the file.
                         
18/04/2009 : Avira informs me that the patch has been in production since
             the 17th of April (AV7 7.9.0.148 / AV8/9: 8.2.0.148).
                         
18/04/2009 : Asked for more details about the impact on gateway appliances

23/04/2009 : Avira states that the archive effectively evades the default
             configuration of Avira AntiVir MailGate and
             Avira AntiVir WebGate (prior to the patch). Future evasions
             can be blocked by setting "BlockSuspiciousArchive" to yes;
             however, this is not enabled by default.

27/04/2009 : Release of this advisory
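As an added illustration of the fail-closed behaviour that the "BlockSuspiciousArchive" setting in the 23/04/2009 entry provides (example code written for this page, not Avira's engine or SDK): a structural check of the CAB header tables that treats any archive it cannot reconcile with the bytes actually present as suspicious instead of clean. The field layout follows the published Microsoft cabinet format; the sample archives are constructed inline and are not related to the withheld proof of concept.

```python
import struct
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36-byte fixed CFHEADER of the MS cabinet format
CFFOLDER = struct.Struct("<IHH")              # 8-byte CFFOLDER: coffCabStart, cCFData, typeCompress
FLAG_RESERVE_PRESENT = 0x0004                 # header flag: reserve-size fields follow the CFHEADER

def cab_structural_issues(data: bytes) -> list:
    """Return reasons the CAB header tables disagree with the bytes present (empty = consistent)."""
    if len(data) < CFHEADER.size:
        return ["shorter than a CFHEADER"]
    (sig, _, cb_cabinet, _, coff_files, _, _minor, _major,
     c_folders, c_files, flags, _, _) = CFHEADER.unpack_from(data)
    if sig != b"MSCF":
        return ["bad signature"]
    issues = []
    if cb_cabinet != len(data):
        issues.append(f"cbCabinet={cb_cabinet} but {len(data)} bytes present")
    if c_folders == 0 or c_files == 0:
        issues.append("header declares no folders or no files")
    folder_off, cb_folder_res = CFHEADER.size, 0
    if flags & FLAG_RESERVE_PRESENT:
        if len(data) < folder_off + 4:
            return issues + ["truncated reserve fields"]
        cb_header_res, cb_folder_res, _ = struct.unpack_from("<HBB", data, folder_off)
        folder_off += 4 + cb_header_res
    folder_size = CFFOLDER.size + cb_folder_res
    folders_end = folder_off + c_folders * folder_size
    if folders_end > len(data):
        return issues + ["CFFOLDER table runs past the end of the data"]
    if coff_files < folders_end or coff_files >= len(data):
        issues.append(f"coffFiles={coff_files} is not inside the data after the folder table")
    for i in range(c_folders):
        coff_cab_start, c_cfdata, _ = CFFOLDER.unpack_from(data, folder_off + i * folder_size)
        if coff_cab_start >= len(data) or c_cfdata == 0:
            issues.append(f"CFFOLDER {i} has no CFDATA block inside the data")
    return issues

def classify(data: bytes) -> str:  # fail closed: what the scanner cannot parse fully is suspicious
    return "suspicious" if cab_structural_issues(data) else "structure-ok"

def build_cab(cb_cabinet=None, c_files=1) -> bytes:
    """Constructed sample: CFHEADER, one CFFOLDER, one CFFILE 'a.txt', one uncompressed CFDATA block."""
    file_entry = struct.pack("<IIHHHH", 3, 0, 0, 0x3A21, 0x6000, 0x20) + b"a.txt\0"
    coff = CFHEADER.size + CFFOLDER.size            # CFFILE table directly follows the folder table
    data_start = coff + len(file_entry)             # CFDATA block follows the file table
    cfdata = struct.pack("<IHH", 0, 3, 3) + b"abc"  # checksum left 0 (not verified by this check)
    total = data_start + len(cfdata)
    header = CFHEADER.pack(b"MSCF", 0, total if cb_cabinet is None else cb_cabinet, 0, coff, 0, 3, 1, 1, c_files, 0, 0x1234, 0)
    return header + CFFOLDER.pack(data_start, 1, 0) + file_entry + cfdata

GOOD_CAB = build_cab()
OVERSTATED_CAB = build_cab(cb_cabinet=4096)  # claims 4096 bytes but far fewer are present
EMPTY_CAB = build_cab(c_files=0)             # declares no files: nothing for the engine to scan
```

A gateway that blocks on a non-empty issue list behaves like the "BlockSuspiciousArchive = yes" configuration; passing such archives through unscanned is the default behaviour the advisory warns about.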