[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1284625808.20090417160849@Zoller.lu>
Date: Fri, 17 Apr 2009 16:08:49 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: NTBUGTRAQ <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>,
bugtraq <bugtraq@...urityfocus.com>,
full-disclosure <full-disclosure@...ts.grok.org.uk>,
<info@...cl.etat.lu>, <vuln@...unia.com>, <cert@...t.org>,
<nvd@...t.gov>, <cve@...re.org>
Subject: [TZO-08-2009] Bitdefender generic bypass/evasion
______________________________________________________________________
From the low-hanging-fruit-department - Bitdefender bypass/evasion
______________________________________________________________________
Release mode: Coordinated but limited disclosure.
Ref : TZO-082009 - Bitdefender Evasion CAB
WWW : http://blog.zoller.lu/2009/04/bitdefender-generic-bypassevasion-cab.html
Vendor : http://www.bitdefender.com
Security notification reaction rating : Good
Notification to patch window : 1 day (!)
Intersting backround statistics:
Time required to coordinate disclosure and write the advisory: 2 hours
Time required to find the bug : 10 minutes
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
- Bitdefender Antivirus 2009 (pre update 13/04/2009)
- Bitdefender Internet Security 2009 (pre update 13/04/2009)
- Bitdefender Total Security 2009 (pre update 13/04/2009)
- Bitdefender Small Office Security (pre update 13/04/2009)
- Bitdefender for Fileservers (pre update 13/04/2009)
- Bitdefender for Samba (pre update 13/04/2009)
- Bitdefender for Sharepoint (pre update 13/04/2009)
- Bitdefender Security for Exchange (pre update 13/04/2009)
- Bitdefender Security for Mailservers (pre update 13/04/2009)
- Bitdefender for ISA Servers (pre update 13/04/2009)
- Bitdefender Client security (pre update 13/04/2009)
Bundles:
- BitDefender Business Security (pre update 13/04/2009)
- Bitdefender Antivirus for Unices (pre update 13/04/2009)
- Bitdefender Corporate Security (pre update 13/04/2009)
- Bitdefender SBS Security (pre update 13/04/2009)
I. Background
~~~~~~~~~~~~~
BitDefenderā¢ provides security solutions to satisfy the protection
requirements of today's computing environment, delivering effective
threat management for over 41 million home and corporate users in more
than 100 countries. BitDefender, a division of SOFTWIN, is headquartered
in Bucharest, Romania and has offices in Tettnang, Germany, Barcelona,
United Kingdom, Denmark, Spain and Fort Lauderdale (FL), USA.
II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formated
CAB archive. Details are currently witheld due to other vendors that are
in process of deploying patches.
III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
The bug results in denying the engine the possibility to inspect
code within the CAB archive. There is no inspection of the content
at all.
IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
13/04/2009 : Send proof of concept, description the terms under which
I cooperate and the planned disclosure date
14/04/2009 : Bitdefender responds that the problem was fixed by an
automatic update on the 13/04/2009
16/04/2009 : Asked what product line and version has been affected and
a CVE number.
15/04/2009 : Bitdefender states that "All our products are affected
by this problem. We don't have a CVE number".
17/04/2009 : Release of this advisory
Powered by blists - more mailing lists