Message-ID: <02a901c5df3d$4f5225f0$6401a8c0@tagvpcserver>
Date: Tue, 1 Nov 2005 18:38:06 -0500
From: "Auri Rahimzadeh" <auri@...i.net>
To: <full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com>
Subject: FW: [SR #:1-40483753] RE: Update for the magic byte bug


Another response, this time Trend Micro says they have fixed (of sorts) the
magic byte bug in a pattern file... I guess their initial customer service
email was incorrect?

Best,

-Auri

-----Original Message-----
From: pssretailmgr@...ndmicro.com.ph [mailto:pssretailmgr@...ndmicro.com.ph]

Sent: Tuesday, November 01, 2005 6:25 PM
To: auri@...i.net
Subject: [SR #:1-40483753] RE: Update for the magic byte bug

Dear Auri,

Thank you for contacting Trend Micro Technical Support.

We are aware of a potential vulnerability related to the "forged magic byte"
in certain file types. Based on our analysis, this vulnerability is limited
in our products to one specific type of potential virus file which is not
commonly allowed in most IT systems and needs to be executed manually. Trend
Micro customers are currently able to detect such files -- should they be
created -- through our latest virus pattern file, 2.915.00. Solution Bank
article 26763 provides the latest information on this vulnerability's
status.

Should you have further inquiries, please do not hesitate to send us an
email; it is our pleasure to assist you. Other means of reaching our office
are indicated below.

VERY IMPORTANT: In order for us to have a history of our correspondence,
please do not delete the subject and the contents of this email.

Thanks for choosing Pc-cillin and have a Great Day!


Best Regards,

Jay Cee Villaruel
Consumer Support Team
TrendLabs HQ, Trend Micro Incorporated


Note: The Knowledge Base is a depository of information allowing users to
get help in resolving any issue that may arise in using Trend Micro
products. You can visit knowledge base web site at this link:
<http://kb.trendmicro.com/solutions/solutionSearch.asp>

For commendations or if you are having problems with support, please
contact: Retail_manager@...port.trendmicro.com
<mailto:Retail_manager@...port.trendmicro.com>
If you would like to voice out some of your comments about Trend and our
products: comments@...port.trendmicro.com
<mailto:comments@...port.trendmicro.com>

[email]            	       pc-cillin@...port.trendmicro.com
[Knowledge Base]    http://kb.trendmicro.com/solutions/Default.asp?
[Contact us]              http://www.trendmicro.com/en/support/contact.htm
[Retail Products]       1-800-864-6027  (from 5am to 5pm PST)
==========================================================




-----Original Message-----

From:  auri@...i.net
Sent:  10/29/2005 09:26:34 AM
To:  "US Tech Support" <support@...ndmicro.com>; <info@...ndmicro.com>
Subject:  Update for the magic byte bug

Is this being resolved in TM Internet Security 2005 please?

Thanks again!

Best,

-Auri

-----Original Message-----
From: Andrey Bayora [mailto:andrey@...urityelf.org]
Sent: Wednesday, October 26, 2005 2:27 PM
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Update for the magic byte bug

UPDATE, October 26, 2005 - Updated list of the vulnerable products.


Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through
forged magic byte.

AUTHOR: Andrey Bayora (www.securityelf.org)

For more details, screenshots and examples please read my article "The Magic
of magic byte" at www.securityelf.org. In addition, you will find a sample
"triple headed" program which has 3 different 'execution entry points',
depending on the extension of the file (exe, html or eml) - just change the
extension and the SAME file will be executed by (at least) THREE DIFFERENT
programs! (thanks to contributing author Wayne Langlois from
www.diamondcs.com.au).

DATE: October 25, 2005

VULNERABLE vendors and software (tested):

1.  ArcaVir 2005 (engine 2005-06-03,vir def 2005-06-27, scanner ver
2005-03-06, package ver 2005-06-21)
2.  AVG 7 (updates 24 June, ver.7.0.323, virus base 267.8.0/27)
3.  eTrust CA (ver 7.0.1.4, engine 11.9.1, vir sig. 9229)
4.  Dr.Web (v.4.32b, update 27.06.2005)
5.  F-Prot (ver. 3.16c, update 6/24/2005)
6.  Ikarus (latest demo version for DOS)
7.  Kaspersky (update 24 June, ver. 5.0.372)
8.  McAfee Internet Security Suite 7.1.5 (updates 25 June, ver 9.1.08,
engine 4.4.00, dat 4.0.4519 6/22/2005)
9.  McAfee Corporate (updates 25 June, ver. 8.0.0 patch 10, vir def 4521,
engine 4400)
10. Norman ( ver 5.81, engine 5.83.02, update 2005/06/23)
11. TrendMicro PC-Cillin 2005 (ver 12.0.1244, engine 7.510.1002, pattern
2.701.00)
12. TrendMicro OfficeScan (ver7.0, engine 7.510.1002, vir pattern 2.701.00
6/23/2005)
13. Panda Titanium 2005 (updates 24 June, ver 4.02.01)
14. UNA - Ukrainian National Antivirus (ver. 1.83.2.16 kernel v.265)
15. Sophos 3.91 (engine 2.28.4, virData 3.91)

UPDATE, October 26, 2005 (based on the www.virustotal.com scan results, view
the log at http://www.securityelf.org/updmagic.html)

16. CAT-QuickHeal (ver 8.0)
17. Fortinet (2.48.0.0)
18. TheHacker (5.8.4.128)

IMPORTANT NOTE:
Similar vulnerability may exist in many other antivirus\anti-spyware desktop
and gateway products. In addition, various "file filter" solutions may be
affected as well.

NOT VULNERABLE vendors and software (tested):

1.  F-Secure (updates 24 June, ver 5.56 b.10450)
2.  Avast (ver. 4.6.655, vir database 0525-5 06/25/2005)
3.  BitDefender (ver. 8.0.200, update 6/24/2005, engine 7.01934)
4.  ClamWin (ver. 0.86.1, upd 24 June 2005)
5.  NOD32 (updates 24 June, ver 2.50.25, vir database 1.1152)
6.  Symantec Corporate (ver 10.0.0.359, engine 103.0.2.7)
7.  Norton Internet Security 2005 (ver 11.5.6.14)
8.  VBA32 (ver 3.10.4, updates 27.06.2005)
9.  HBEDV Antivir Personal (ver 6.31.00.01, engine 6.31.0.7, vir def
6.31.0.109 6/24/2005)
10. Sophos 5 (ver. 5.0.2, vir def 3.93, upd 6/30/2005)
11. Sophos 3.95 (engine 2.30.4)

SEVERITY: critical

DESCRIPTION:

The problem exists in the scanning engine - in the routine that determines
the file type. If some file types (file types tested are .BAT, .HTML and
.EML) are changed to have the MAGIC BYTE of the EXE files (MZ) at the
beginning, then many antivirus programs will be unable to detect the
malicious file. It will break the normal flow of the antivirus scanning and
many existing and future viruses will go undetected.

NOTE: In my test, I used the EXE headers (MZ), but it is possible to use
other headers (magic byte) that will lead to the same effect.

ANALYSIS:

Some file types like .bat, .html and .eml can be properly executed even if
they have some "unrelated" beginning. For example, in the case of .BAT
files - it is possible to prepend some "junk" data at the beginning of the
file without altering correct execution of the batch file. In my tests, I
used the calc.exe headers (first 120 bytes - middle of the dosstub section)
to change 5 different files of existing viruses. In addition, the simplest
test of this vulnerability is to prepend only the magic byte (MZ) to the
existing malicious file and check if this file is detected by antivirus
program.

NOTE that this is NOT the case where the change of an existing virus file
resulted in a "broken" detection signature (see details and the test logic
in "The Magic of magic byte" article at www.securityelf.org).

WORKAROUND:
I did not find any effective one besides patching the vulnerable engine.

CREDITS:
The idea for this vulnerability came during discussions from Wayne Langlois
at diamondcs.com.au, who hinted that JPEGs could probably be exploited in
this way.

TIME LINE:

July 13, 2005 - Initial vendor notification
July 16, 2005 - Second vendor notification
.....Waiting.....Waiting....
October 24, 2005 - Public disclosure (uncoordinated) (lack of coordination
from the vendors side)
October 26, 2005 - Updated list of the vulnerable products.
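An added example (not part of this thread or of any vendor's engine) showing, in Python, the dispatch mistake the advisory describes beside a hardened version: the naive scanner commits to the PE parser as soon as it sees "MZ", while the hardened one validates the header via e_lfanew and still runs the script scanner for script extensions. The marker string, the sample batch file and the two toy scanners are constructed for illustration.

```python
import struct

# Constructed stand-in for a real signature: any byte string the scanners look for.
MARKER = b"X-CONSTRUCTED-TEST-MARKER"
SCRIPT_EXTS = {"bat", "html", "eml"}  # the file types the advisory tested

def is_well_formed_pe(data: bytes) -> bool:
    """Look past the two magic bytes: a real PE's e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def scan_as_pe(data: bytes) -> list:
    """PE-specific scanner: it only finds things in files it can actually parse as PE."""
    return ["marker-in-pe"] if is_well_formed_pe(data) and MARKER in data else []

def scan_as_script(data: bytes) -> list:
    """Script/text scanner: searches the whole body, so prepended junk does not hide the marker."""
    return ["marker-in-script"] if MARKER in data else []

def naive_scan(data: bytes, ext: str) -> list:
    """The vulnerable flow: pick exactly one scanner from the leading magic bytes."""
    if data[:2] == b"MZ":
        return scan_as_pe(data)  # MZ seen -> treated as EXE; the script scanner never runs
    return scan_as_script(data)

def hardened_scan(data: bytes, ext: str) -> list:
    """Trust the magic only when the header is structurally valid, and let the
    extension add scanners instead of replacing them."""
    findings = []
    if is_well_formed_pe(data):
        findings += scan_as_pe(data)
    if ext in SCRIPT_EXTS or not is_well_formed_pe(data):
        findings += scan_as_script(data)
    if ext in SCRIPT_EXTS and data[:2] == b"MZ":
        findings.append("magic-extension-mismatch")  # worth logging even without a signature hit
    return findings

# Constructed samples: a batch file carrying the marker, and the same file with a forged
# MZ header (the advisory used calc.exe's first 120 bytes; "MZ" plus padding plays that role).
PLAIN_BAT = b"@echo off\r\nrem " + MARKER + b"\r\n"
FORGED_BAT = b"MZ" + b"\x00" * 118 + PLAIN_BAT

if __name__ == "__main__":
    print("naive, plain    :", naive_scan(PLAIN_BAT, "bat"))
    print("naive, forged   :", naive_scan(FORGED_BAT, "bat"))
    print("hardened, forged:", hardened_scan(FORGED_BAT, "bat"))
```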
