Date: Sat, 13 Jun 2009 19:37:24 +0200
From: Thierry Zoller <>
To: bugtraq <>,,, <>, <>, <>,
Subject: [TZO-31-2009] Ikarus multiple generic evasions (CAB,ZIP,RAR)


                 From the low-hanging-fruit-department
             Ikarus multiple generic evasions (CAB,RAR,ZIP)

CHEAP Plug :
You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information :
CFP is open, sponsorship is still possible and warmly welcomed

Release mode: Coordinated but limited disclosure.
Ref         : [TZO-31-2009] - Ikarus multiple evasions through CAB,RAR,ZIP
WWW         : (sorry)
Vendor      :
Status      : Patched (after engine version 1.1.58)
CVE         : none provided
Credit      : t.b.a
OSVDB vendor entry: Ikarus is not listed as a vendor in OSVDB
Security notification reaction rating : good
Notification to patch window : 77 days
Disclosure Policy :

Affected products : 
-  IKARUS virus utilities  (scan-time)
-  IKARUS myM@...all
-  IKARUS Content Wall
-  IKARUS security.proxy

I. Background
Ikarus Software GMBH is an Anti-virus company based in Austria.

II. Description
The parsing engine can be bypassed by a specially crafted and formatted
RAR (Headflags and Packsize), ZIP (Filelength) and CAB (Filesize) archive.
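As an added example (not part of this advisory and not Ikarus' code), the kind of consistency check a defensive scanner can apply to ZIP input before trusting a declared file length: it cross-checks every central-directory entry against its local file header and flags any member whose name, CRC or sizes disagree between the two views, so such a member is reported instead of silently skipped. The clean archive and the tampered copy are constructed inline for the demonstration.

```python
import io
import struct
import zipfile

LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # 30-byte local file header
LOCAL_SIG = b"PK\x03\x04"

def find_zip_inconsistencies(data: bytes) -> list:
    """Return (filename, problem) tuples where local and central headers disagree."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            hdr = data[off:off + LOCAL_HEADER.size]
            if len(hdr) < LOCAL_HEADER.size or hdr[:4] != LOCAL_SIG:
                findings.append((info.filename, "local file header missing"))
                continue
            (_, _, flags, _, _, _, crc, csize, usize, nlen, xlen) = LOCAL_HEADER.unpack(hdr)
            name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
            if name != info.filename:
                findings.append((info.filename, "local name %r differs" % name))
            if flags & 0x08:
                # sizes/CRC live in a trailing data descriptor; local fields may legitimately be 0
                continue
            if csize != info.compress_size:
                findings.append((info.filename, "compressed size %d vs central %d" % (csize, info.compress_size)))
            if usize != info.file_size:
                findings.append((info.filename, "uncompressed size %d vs central %d" % (usize, info.file_size)))
            if crc != info.CRC:
                findings.append((info.filename, "CRC differs between headers"))
            if off + 30 + nlen + xlen + info.compress_size > len(data):
                findings.append((info.filename, "declared data runs past end of file"))
    return findings

def build_sample() -> bytes:
    """Constructed clean archive with one stored member (not from the advisory)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hello.txt", b"hello, archive scanner")
    return buf.getvalue()

def tamper_local_size(data: bytes) -> bytes:
    """Constructed test case: zero the local header's compressed-size field
    (offset 18 in the header) while the central directory keeps the true value."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        off = zf.infolist()[0].header_offset
    return data[:off + 18] + struct.pack("<I", 0) + data[off + 22:]
```

A scanner that treats any non-empty finding list as "cannot be classified" rather than "clean" closes the gap the advisory describes for the ZIP case.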

III. Impact
The bug prevents the engine from inspecting the code within the CAB, RAR
and ZIP archives; no content inspection takes place at all.

A general description of the impact and nature of AV Bypasses/evasions
can be read at :

IV. Disclosure time-line
23/03/2009 : Sent proof of concept (ZIP), a description of the terms under which
             I cooperate and the planned disclosure date.
04/04/2009 : Sent proof of concept (RAR)
07/04/2009 : Ikarus acknowledges receipt, patching Dev builds has begun
10/04/2009 : Resent ZIP PoC
13/04/2009 : Submitted CAB PoC
17/04/2009 : Ikarus demands to delay disclosure
01/05/2009 : Ikarus states that it has started Q&A for the new builds
03/06/2009 : Ikarus informs me that they started deploying the patches/updates.
             Credit will be given on a website to come.
09/06/2009 : Release of this advisory.
