16.29.53
[TZO-13-2009] Avira Antivir generic CAB evasion / bypass

Thierry Zoller

 to NTBUGTRAQ, bugtraq, full-d
From the low-hanging-fruit-department - Avira antivir bypass/evasion
______________________________
________________________________________

Release mode: Coordinated but limited disclosure.
Ref         : TZO-132009 - Avira Antivir evasion CAB
WWW         : http://blog.zoller.lu/2009/04/avira-antivir-generic-cab-bypass.html
Vendor      : http://www.avira.com
Status      : Patched
Security notification reaction rating : Good
Notification to patch window : 7 days (Eastern holidays in between)

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
- Avira AntiVir Free (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Premium (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Premium Security Suite (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Professional (Desktop) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Server (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Exchange (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir SharePoint (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir ISA Server (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir MIMEsweeper (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir for KEN! 4 (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
- Avira AntiVir Professional (Unix) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Server (Unix)  (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir MailGate (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir WebGate (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)

I. Background
~~~~~~~~~~~~~
Quote: "Avira AntiVir is a reliable free antivirus solution, that constantly
and rapidly scans your computer for malicious programs such as viruses,
Trojans, backdoor programs, hoaxes, worms, dialers etc. Monitors
every action executed by the user or the operating system and reacts
promptly when a malicious program is detected.

The protection experts have numerous company locations throughout
Germany and cultivate partnerships in Europe, Asia and America.
Avira has more than 180 employees at their main office in Tettnang
near Lake Constance and is one of
the largest employers in the region. There are around 250 people
employed worldwide whose commitment is continually being confirmed
by awards. A significant contribution to protection is the Avira
AntiVir Personal which is being used by private users a million
times over.

AV-Comparatives e.V. have chosen Avira AntiVir Premium as the
best anti-virus solution of 2008"


II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formated
CAB archive. Details are currently witheld due to other vendors that are
in process of deploying patches.

III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within the CAB archive. There is no inspection of the content
at all and hence the impossibility to detect malicious code.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
10/04/2009 : Send proof of concept, description the terms under which
            I cooperate and the planned disclosure date

10/04/2009 : Avira acknowledges receipt and informs me of the eastern
            holidays in Germany.

16/04/2009 : Asked for update

17/04/2009 : Avira replies the problem is fixed in "AVPack >= 8.1.3.14
            7.6.1.19", changes have been made to the sdk in order to
            allow 3rd party AV vendors that use the engine to reveive
            more details about the file.

18/04/2009 : Avira informs me that the patch is in production since the
            17th of April. AV7 7.9.0.148 / AV8/9: 8.2.0.148

18/04/2009 : Ask for more details about the impact of gateway appliances

23/04/2009 : Avira states that the archive effectively evade the default
            configuration of  Avira AntiVir MailGate and
            Avira AntiVir WebGate (prior to patch). Future evasions
            can be blocked by setting "BlockSuspiciousArchive" to yes
            however this is not enabled by default.

27/04/2009 : Release of this advisory



Views: 8738 | Added by: Siegh_Wahrhreit | Rating: 0.0/0
Total comments: 0
Name *:
Email *:
Code *:
close