lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 14 Jun 2009 20:50:55 +0200
From: Thierry Zoller <>
To: bugtraq <>,,, <>, <>, <>,
Subject: [TZO-32-2009] Norman generic bypass (RAR)


             From the low-hanging-fruit-department
                  Norman generic evasion (RAR)

CHEAP Plug :
You are invited to participate in HACK.LU 2009, a small but concentrated
luxemburgish security conference. More information :
CFP is open, sponsorship is still possible and warmly welcomed

Release mode: Coordinated but limited disclosure.
Ref         : [TZO-32-2009] - Norman generic evasion (RAR)
WWW         :
Vendor      :
Status      : Patched (with decompression engine version 5.99.07)
CVE         : none provided
Credit      :
OSVDB vendor entry: Norman is not listed as a vendor in OSVDB
Security notification reaction rating : ok
Notification to patch window : 77 days

Disclosure Policy :

Affected products : 
The vulnerabilities have been fixed in Norman's compression library (NCL) 5.99.07, 
relased on Norman's Internet update servers as an automatic update 03 June 2009. 
This solves the vulnerability for all updated Norman's products except for 
Norman Network Protection

 - Norman Virus Control single user and corporate versions
 - Norman Internet Control
 - Norman Virus Control E-mail plugins
 - Norman Endpoint Protection
 - Norman Secuirty Suite
 - Norman Network Protection
 - Norman Virus Control for Lotus Domino
 - Norman Virus Control for Exchange
 - Norman Virus Control for Linux
 - Norman Virus Control for Novell Netware (FireBreak) 
 - Norman Email Protection
 - Norman Email Protection Appliance
 - Norman Online Protection
 - Norman Virus Control for AMaViS 
 - Norman Virus Control for MIMEsweeper  

 - Third party vendors that use the Engine 
 OEM vendors known to use the Norman engine :
 - eeye

I. Background
Quote: "Norman ASA is a world leading company within the field of data security, 
internet protection and analysis tools. Through its SandBox technology 
Norman offers a unique and proactive protection unlike any other 

II. Description
A general description of the impact and nature of AV Bypasses/evasions
can be read at :

The bug results in denying the engine the possibility to inspect
code within the RAR archive. There is no inspection of the content
at all.

III. Impact
The bug results in denying the engine the possibility to inspect
code within the RAR archives. There is no inspection of content
at all.

A general description of the impact and nature of AV Bypasses/evasions
can be read at :

IV. Disclosure time-line
05/03/2009 : Send proof of concept (RAR Size), description the terms under which 
             I cooperate and the planned disclosure date.
             No reply
13/03/2009 : Re-Send proof of concept (RAR Size), indicating this is the last attempt
             to responsible disclose.
14/03/2009 : Norman acknowledges receipt

23/03/2009 : Send proof of concept (RAR Method)

23/03/2009 : Asking for an update for the RAR Size sample

02/04/2009 : Norman confirms reproduction of RAR Method PoC and that they will release
             the patch a.s.a.p
02/04/2009 : Norman promises to get back with release dates/advisory information as soon 
             as they have some firm dates
06/04/2009 : Norman confirms reproduction of RAR Headflags PoC                   

20/04/2009 : Norman confirms reproduction of the CAB PoC and that all reported 
             vulnerabilities have been patched internaly.

22/04/2009 : Ask for a list of affected versions/products       
             no answer

27/04/2009 : Norman sends in the patched decompression DLL for me to if the patch
             is correct.

28/04/2009 : Send TAR PoC file
             no acknowledgement
07/05/2009 : Ask for an update to all reported bugs
             no reply

08/05/2009 : Inform Norman that as I no longer receive any replies I assume that 
             the patch is deployed and set that the final disclosure date to 
             the 1.06.2009
09/05/2009 : Norman states they probably can't make the 1/06/2009

09/05/2009 : Propose to postpone disclosure upon request

28/05/2009 : Ask for an update as 01.06.2009 still is set                        

30/05/2009 : Norman asks to postpone the disclosure by a week as they 
             have to finish Q&A

09/06/2009 : Ask norman whether the Q&A has been finished

09/06/2009 : Norman replies the patches where deployed on the 3rd 
             of June.
10/06/2009 : Release of this advisory.

Powered by blists - more mailing lists