lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 16 Jun 2009 13:13:19 +0200
From: Thierry Zoller <>
To: bugtraq <>,,, <>, <>, <>,
Subject: [TZO-40-2009] Clamav generic bypass (RAR,CAB,ZIP)


                From the low-hanging-fruit-department
                   Clamav generic evasion (RAR,CAB,ZIP)

Shameless plug :
You are invited to join the 2009 edition of HACK.LU, a small but 
concentrated luxemburgish security conference. 
More information : - CFP is open, sponsorship is still 
possible and warmly welcomed.

Release mode: Coordinated but limited disclosure.
Ref         : [TZO-40-2009] - Clamav generic evasion (RAR,CAB,ZIP)
WWW         :
Vendor      : &
Status      : Patched (in version 0.95.2)
CVE         : none provided
Credit      : Discovered - froggz 2005, Zoller 2007, ROGER Mickael 2009
Security notification reaction rating : good

Disclosure Policy :

Affected products : 
- ClamAV below 0.95.2

Affected systems:
- MACOSX server,
- IBM Secure E-mail Express Solution for System

I. Background
Quote: "Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, 
designed especially for e-mail scanning on mail gateways. It provides 
a number of utilities including a flexible and scalable multi-threaded
daemon, a command line scanner and advanced tool for automatic 
database updates. The core of the package is an anti-virus engine 
available in a form of shared library. "

II. Description
The parsing engine can be bypassed by manipulating RAR,ZIP archives 
in a "certain way" that the Clamav engine cannot extract the content but
the end user is able to. 

III. Impact
To know more about the impact and type of "evasion", I updated the 
description at

IV. Disclosure timeline

No timeline, nothing particular to note.

Powered by blists - more mailing lists