lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <941839437.20091027232333@Zoller.lu>
Date: Tue, 27 Oct 2009 23:23:33 +0100
From: Thierry Zoller <Thierry@...ler.lu>
To: bugtraq <bugtraq@...urityfocus.com>,
	full-disclosure <full-disclosure@...ts.grok.org.uk>,
	<info@...cl.etat.lu>, <vuln@...unia.com>, <cert@...t.org>,
	<nvd@...t.gov>, <cve@...re.org>
Subject: [G-SEC 48-2009]  F-SECURE - Generic PDF detection bypass

________________________________________________________________________

          F-SECURE multiple products - Generic PDF detection bypass
________________________________________________________________________

***********************************************************************
Cheap plug :
If you are interested in client-side vulnerabilities visit HACK.LU 
starting tomorrow [28-30 Oct] with :

Workshop:
* Bypassing the Perimeter: Client Side Exploitation - Nitesh Dhanjani,
                                                      Billy K Rios
Talks :
* New advances in Office Malware analysis - Frank Boldewin
* PDF Penetration Document Format - Didier Stevens
* Ownage 2.0 - Saumil Shah (who else)
* Malicious PDF origamis strike back - Guillaume Delugré
                                       Frederic Raynal
***********************************************************************

Release mode  : Coordinated
Reference     : [GSEC-48-2009] - F-Secure generic PDF bypass
WWW           : http://www.g-sec.lu/fsecure-pdf-bypass.html
Vendor        : http://www.f-secure.com
Status        : Patched
CVE           : none attributed yet
Credit        : tba (probably FSC-2009-3)
Discovered by : Thierry Zoller (G-SEC)


Affected products : 
~~~~~~~~~~~~~~~~~~~
- F-Secure Internet Security 2009 and earlier
- F-Secure Anti-Virus 2009 and earlier
- F-Secure Home Server Security 2009
- Solutions based on F-Secure Protection Service for Consumers version 8.00 and earlier
- Solutions based on F-Secure Protection Service for Business -  Workstation security version 8.00 and earlier
- Solutions based on F-Secure Protection Service for Business -  E-mail and Server security version 8.00 and earlier
- F-Secure Client Security 8.01 and earlier
- F-Secure Anti-Virus for Workstations 8.0 and earlier
- F-Secure Anti-Virus for Windows Servers 8.00 and earlier
- F-Secure Linux Security 7.02 and earlier
- F-Secure Anti-Virus Linux Client Security 5.54 and earlier
- F-Secure Anti-Virus Linux Server Security 5.54 and earlier
- F-Secure Anti-Virus for Linux Servers 4.65
- F-Secure Anti-Virus for Microsoft Exchange 8.00 and earlier
- F-Secure Internet Gatekeeper for Windows 6.61 and earlier
- F-Secure Internet Gatekeeper for Linux 3.02 and earlier
- F-Secure Internet Gatekeeper for Linux Japanese 2.37 and earlier
- F-Secure Anti-Virus for Citrix Servers 7.00 and earlier
- F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier


Patch availability :
~~~~~~~~~~~~~~~~~~~~
Patches distributed through automatic updates

I. Background
~~~~~~~~~~~~~
Quote: "F-Secure offers a broad range of PC and internet security 
products made for your home or business, so you will 
always be protected. Our internet security, antivirus 
and anti-spyware software is trusted by more than 180
internet service providers around the world. Moreover, 
with 16 global offices and a presence within more than 
100 countries, F-Secure is sure to be there for you and
your security software needs."

II. Description
~~~~~~~~~~~~~~~
Improper parsing of the PDF structure leads to evasion of detection of 
malicious PDF documents at scantime and runtime.
  
This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.

General information about evasion/bypasses can be found at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

III. Impact
~~~~~~~~~~~
Known PDF exploits/malware may evade signature detection, 0day exploits
may evade heuristics.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD.MM.YYYY
15.05.2009 - Reported to F-Secure 
12.07.2009 - Patches deployed automatically, F-Secure waits to
             coordinate public disclosure
< waiting for others to patch >
27.10.2009 - G-SEC releases this advisory


About G-SEC
~~~~~~~~~~~
G-SECâ„¢  is  a  vendor independent luxemburgish led IT security consulting
group. More information available at : http://www.g-sec.lu/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ