lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 22 May 2009 15:57:35 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: bugtraq <bugtraq@...urityfocus.com>,
	full-disclosure <full-disclosure@...ts.grok.org.uk>,
	<info@...cl.etat.lu>, <vuln@...unia.com>, <cert@...t.org>,
	<nvd@...t.gov>, <cve@...re.org>
Subject: [TZO-25-2009] Panda generic evasion (TAR)

________________________________________________________________________

              From the low-hanging-fruit-department
                   Panda generic evasion (TAR)
________________________________________________________________________

Why are there two panda advisories instead of one ? See
http://blog.zoller.lu/2009/05/100th-post-what-about-big-guys.html

************************************************************************
You are invited to participate in HACK.LU 2009, a small but concentrated
luxemburgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!
************************************************************************

Release mode: Coordinated but limited disclosure.
Ref         : TZO-25-2009 - Panda generic evasion (TAR)
WWW         : http://blog.zoller.lu/2009/04/advisory-panda-generic-evasion-tar.html
Vendor      : http://www.pandasecurity.com
Status      : Patched (Through hotfix and automatic update)
CVE         : none provided
OSVDB listing: No [1]
Credit :
http://www.pandasecurity.com/homeusers/support/card?id=80060&idIdioma=2
http://www.pandasecurity.com/homeusers/support/card?id=60039&idIdioma=2
http://www.pandasecurity.com/homeusers/support/card?id=70025&idIdioma=2

Security notification reaction rating : Good
Notification to patch window : +-22 days 

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Global Protection 2009 (Hotifx)
- Internet Security 2009 (Hotifx)
- Panda Antivirus Pro 2009 (Hotfix)
- Panda Security for Business with Exchange
- Panda Security for Business
- Panda Security for Enterprise
- Panda GateDefender Integra (patched through automatic updates)
- Panda GateDefender Performa (patched through automatic updates) 
- Panda AdminSecure (patched thorugh automatic updates)

SaaS
- Panda Managed Office Protection
- TrustLayer Mail
Quote : "What virus protection guarantees does TrustLayer offer?
With respect to the antivirus filtering service, TrustLayer 
offers a 100% virus-free contractual guarantee."

I. Background
~~~~~~~~~~~~~
Quote: "Panda Security is one of the world's leading creators 
and developers of technologies, products and services for 
keeping clients' IT resources free from viruses and other 
computer threats at the lowest possible Total Cost of Ownership."

II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted RAR
archive.

III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within TAR archives. There is no inspection of the content
at all and hence the impossibility to detect malicious code.

IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
28/04/2009 : Sent proof of concept TAR, description the terms under which 
             I cooperate and the planned disclosure date
                         
07/05/2009 : Resent POC, description and terms

11/05/2009 : Inform Panda that his is my last attempt to contact them and
             that I will publish the information on the 20th of Mai.

11/05/2009 : Panda informes me that they are still evaluating and fixing
             release dates and asks for more time.

11/05/2009 : Panda states that they send me a fix for the TAR bug in
             order to cross check it fixes the problem.
                         
21/05/2009 : Panda informs me of the release of hotfixes and affected
             Products.
                         
22/05/2009 : Ask for clarification on affected products

22/05/2009 : Release of this advisory.                   
                         

[1]
Panda is invited to leave their security contact e-mail address at
http://osvdb.org/vendor/1/Panda%20Software .

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ