lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1604566923.20090518173846@Zoller.lu>
Date: Mon, 18 May 2009 17:38:46 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: bugtraq <bugtraq@...urityfocus.com>,
	full-disclosure <full-disclosure@...ts.grok.org.uk>,
	<info@...cl.etat.lu>, <vuln@...unia.com>, <cert@...t.org>,
	<nvd@...t.gov>, <cve@...re.org>
Subject: [TZO-23-2009] Avira antivir generic evasion of heuristics (for PDF)

________________________________________________________________________

                           From the low-hanging-fruit-department 
                    Avira Antivir generic PDF evasion of heuristics
________________________________________________________________________

CHEAP Plug :
************
You are invited to participate in HACK.LU 2009, a small but concentrated
luxemburgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!
************

Release mode: Coordinated but limited disclosure.
Ref         : [TZO-22-2009] - Avira Antivir generic PDF evasion (heuristics)
WWW         : http://blog.zoller.lu/2009/04/advisory-avira-antivir-generic-evasion.html
Vendor      : http://www.avira.com
Status      : Patched (Engine-Version: AV7 7.9.0.168 / AV8/9: 8.2.0.168)
CVE         : none provided
Credit      : t.b.a
OSVDB vendor entry: none [1]
Security notification reaction rating : good
Notification to patch window : 10 days

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Avira AntiVir Free 
- Avira AntiVir Premium 
- Avira AntiVir Premium Security Suite 
- Avira AntiVir Professional (Desktop)
- Avira AntiVir Server 
- Avira AntiVir Exchange 
- Avira AntiVir SharePoint
- Avira AntiVir ISA Server
- Avira AntiVir MIMEsweeper 
- Avira AntiVir for KEN! 4 
- Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
- Avira AntiVir Professional (Unix) 
- Avira AntiVir Server (Unix) 
- Avira AntiVir MailGate 
- Avira AntiVir WebGate 

I. Background
~~~~~~~~~~~~~
Quote: "Avira AntiVir is a reliable free antivirus solution, that constantly 
and rapidly scans your computer for malicious programs such as viruses, 
Trojans, backdoor programs, hoaxes, worms, dialers etc. Monitors 
every action executed by the user or the operating system and reacts 
promptly when a malicious program is detected.

The protection experts have numerous company locations throughout 
Germany and cultivate partnerships in Europe, Asia and America. 
Avira has more than 180 employees at their main office in Tettnang 
near Lake Constance and is one of the largest employers in the region. 

AV-Comparatives e.V. have chosen Avira AntiVir Premium as the 
best anti-virus solution of 2008"


II. Description
~~~~~~~~~~~~~~~
The heuristics can be bypassed by a special formated PDF "container", this
leads to the bypass of malicious PDF files, old or new. This is not a 
bypass that relies on archive structures but relies on evading certain 
code paths in the av engine "through various means".


III. Impact
~~~~~~~~~~~

To know more about the impact and type of "evasion", I updated the 
description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

Interestingly this opens the possibility to evade at scan time and
run-time.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
08/05/2009 : Send proof of concept, description the terms under which 
             I cooperate and the planned disclosure date.
                         
10/05/2009 : Avira acknowledges receipt.

11/05/2009 : Avira states that the internal development build has been
             patched and that the public updates are to be rolled out
                         end of the week.

18/05/2009 : Avira informs me that "we already released the fixed engine 
             to the public on friday, 15th May, 17:59 pm CET: 
                         Engine-Version: AV7 7.9.0.168 / AV8/9: 8.2.0.168
                         
18/05/2009 : Release of this advisory.
                         

[1]
Avira is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/AVIRA%20GmbH to facilate communication and reduce lost reports.




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ