[TZO-28-2009] - Avira Antivir generic RAR,CAB,ZIP
________________________________________________________________________
From the low-hanging-fruit-department
Avira Antivir generic RAR,CAB,ZIP,LH evasion
________________________________________________________________________
CHEAP Plug :
************
You are invited to participate in HACK.LU 2009, a small but concentrated
luxemburgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!
************
Release mode: Coordinated but limited disclosure.
Ref : [TZO-28-2009] - Avira Antivir generic RAR,CAB,ZIP
WWW : t.b.a
Vendor : http://www.avira.com
Status : Patched (Engine-Version: AV7 7.9.0.180 / AV8/9 8.2.0.180)
(Re)Discovered : 2005 by froggz, 2007 by Thierry Zoller, 2009 by Roger Mickael
(please give appropriate credit - only when notified and
pressured
under disclosure terms vendors fix these, even if they are
known
since years. PS this is not exclusive to AVIRA)
CVE : none provided
Credit : t.b.a
OSVDB vendor entry: none [1]
Security notification reaction rating : good
Notification to patch window : 22 days
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
- Avira AntiVir Free
- Avira AntiVir Premium
- Avira AntiVir Premium Security Suite
- Avira AntiVir Professional (Desktop)
- Avira AntiVir Server
- Avira AntiVir Exchange
- Avira AntiVir SharePoint
- Avira AntiVir ISA Server
- Avira AntiVir MIMEsweeper
- Avira AntiVir for KEN! 4
- Avira AntiVir Virus Scan Adapter for SAP NetWeaverŽ
- Avira AntiVir Professional (Unix)
- Avira AntiVir Server (Unix)
- Avira AntiVir MailGate
- Avira AntiVir WebGate
I. Background
~~~~~~~~~~~~~
Quote: "Avira AntiVir is a reliable free antivirus solution, that constantly
and rapidly scans your computer for malicious programs such as viruses,
Trojans, backdoor programs, hoaxes, worms, dialers etc. Monitors
every action executed by the user or the operating system and reacts
promptly when a malicious program is detected."
II. Description
~~~~~~~~~~~~~~~
The Anti-virus engine could by bypassed by special crafted files. The root
cause was the same for RAR,CAB,ZIP,LH.
III. Impact
~~~~~~~~~~~
The engine could be bypassed remotely, the malware was no longer detected.
An issue especially with Gateway solutions. To know more about the impact
and type of "evasion", I updated the description at
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
IV. timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
07/05/2009 : Send proof of concept, description the terms under which
I cooperate and the planned disclosure date.
08/05/2009 : Avira replies that "Roger Mickael" reported a similar issues
08/05/2009 : Sent another POC in other formats then reported previously
11/05/2009 : Avira asks for a delay
27/05/2009 : Avira informs me that "please be informed that we've just
released the fixed engine files to the public (27th of May,
19:19 pm CET): Engine-Version: AV7 7.9.0.180 / AV8/9 8.2.0.180
29/05/2009 : Release of this advisory.
[1]
Avira is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/AVIRA%20GmbH to facilate
communication and reduce lost reports.