[TZO-18-2009] Mcafee multiple evasions/bypasses (RAR, ZIP)
________________________________________________________________________
From the low-hanging-fruit-department - Mcafee multiple generic evasions
________________________________________________________________________
Release mode: Coordinated but limited disclosure.
Ref : TZO-182009 - Mcafee multiple generic evasions
WWW :
http://blog.zoller.lu/2009/04/mcafee-multiple-bypassesevasions-ziprar.html
Vendor : http://www.mcafee.com
Status : Patched
CVE : CVE-2009-1348 (provided by mcafee)
https://kc.mcafee.com/corporate/index?page=content&id=SB10001&actp=LIST_RECENT
Security notification reaction rating : very good
Notification to patch window : +-27 days (Eastern holidays in between)
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
- McAfee VirusScan® Plus 2009
- McAfee Total Protection™ 2009
- McAfee Internet Security
- McAfee VirusScan USB
- McAfee VirusScan Enterprise
- McAfee VirusScan Enterprise Linux
- McAfee VirusScan Enterprise for SAP
- McAfee VirusScan Enterprise for Storage
- McAfee VirusScan Commandline
- Mcafee SecurityShield for Microsoft ISA Server
- Mcafee Security for Microsoft Sharepoint
- Mcafee Security for Email Servers
- McAfee Email Gateyway
- McAfee Total Protection for Endpoint
- McAfee Active Virus Defense
- McAfee Active VirusScan
It is unkown whether SaaS were affected (tough likely) :
- McAfee Email Security Service
- McAfee Total Protection Service Advanced
I. Background
~~~~~~~~~~~~~
Quote: "McAfee proactively secures systems and networks from known
and as yet undiscovered threats worldwide. Home users, businesses,
service providers, government agencies, and our partners all trust
our unmatched security expertise and have confidence in our
comprehensive and proven solutions to effectively block attacks
and prevent disruptions."
II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formated
RAR (Headflags and Packsize),ZIP (Filelenght) archive.
III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
The bug results in denying the engine the possibility to inspect
code within RAR and ZIP archives. There is no inspection of the content
at all and hence the impossibility to detect malicious code.
IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
04/04/2009 : Send proof of concept RAR I, description the terms under which
I cooperate and the planned disclosure date
06/04/2009 : Send proof of concept RAR II, description the terms under which
I cooperate and the planned disclosure date
06/04/2009 : Mcafee acknowledges receipt and reproduction of RAR I, ack
acknowledges receipt of RARII
10/04/2009 : Send proof of concept ZIP I, description the terms under which
I cooperate and the planned disclosure date
21/04/2009 : Mcafee provides CVE number CVE-2009-1348
28/04/2009 : Mcafee informs me that the patch might be released on the 29th
29/04/2009 : Mcafee confirms patch release and provides URL
https://kc.mcafee.com/corporate/index?page=content&id=SB10001&actp=LIST_RECENT
29/04/2009 : Ask for affected versions
29/04/2009 : Mcafee replies " This issue does affect all vs engine products,
including
both gateway and endpoint"