Date: Mon, 20 Apr 2009 18:40:43 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: NTBUGTRAQ <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>, 
	bugtraq <bugtraq@...urityfocus.com>, 
	full-disclosure <full-disclosure@...ts.grok.org.uk>, <info@...cl.etat.lu>, 
	<vuln@...unia.com>, <cert@...t.org>, <nvd@...t.gov>, <cve@...re.org>
Subject: Addendum :[TZO-09-2009] Avast bypass / evasion
	(Limited details)


URL:
http://blog.zoller.lu/2009/04/release-mode-forced-release-vendor-has.html

Update: After the reaction from avast, it is now clear that all versions
and products are affected; however, there is no plan to patch. The
patch will come or will not come, sometime in the future.

You are encouraged to read the time line and draw your own conclusions.

Desktop Protection

    * avast! 4 Professional (impact low, reason real-time protection)
    * avast! 4 Home Edition (impact low, reason real-time protection)
    * avast! Pro Family pack (impact low, reason real-time protection)
    * avast! WHS Edition (impact low, reason real-time protection)
    * avast! Mac Edition (impact unknown)
    * avast! Linux Home Edition (impact unknown)
    * avast! U3 Edition (impact unknown)
    * avast! 4 BART CD (impact unknown)
    * avast! for PDA (impact unknown)

Corporate Protection

    * avast! 4 Server Edition (impact high, complete bypass)
    * avast! 4 Server Edition Plug-ins
    * avast! 4 Exchange Server Edition (impact high, complete bypass)
    * avast! 4 ISA Server Edition (impact high, complete bypass)
    * avast! 4 SharePoint Server Edition (impact high, complete bypass)
    * avast! 4 SMTP Server Edition (impact high, complete bypass)
    * avast! 4 Lotus Domino Edition (impact high, complete bypass)
    * avast! Distributed Network Manager (impact high, complete bypass)
    * avast! 4 Professional (impact unknown)
    * avast! 4 BART CD (impact unknown)
    * avast! for Linux/Unix Server (impact high, complete bypass)
    * avast! for PDA (impact unknown)
    * Net.Purum (impact unknown)

OEM

    * Copperfasten - Mail Firewall Appliance
    * TN North Software - Internet Anywhere eMailServer
    * IceWarp Software - Merak Email Server
    * SmartMax Software, Inc. - MailMax Server
    * NetWin Software - SurgeMail Email Server
    * Hexamail Ltd. - Hexamail Guard - Antivirus option
    * Bains Digital - Defender MX


Time line
''''''''''
    * 14/03/2009 : Sent proof of concept, a description of the terms under which I cooperate and the planned disclosure date. There is no security address listed at [1], hence I took the industry-standard security contact addresses secure@ and security@: secure@...st.de, secure@...il.com, security@...il.com, security@...st.de

      No reply.

    * 10/04/2009 : Resent, specifying that this is the last attempt to disclose responsibly. This time, two known contact addresses that were previously used to report vulnerabilities were used: secalert@...st.com, vlk@...st.com

      No reply.

    * 17/04/2009 : Release of this advisory and beginning of the grace period.

    * 17/04/2009 : Avast replies quoting the mail sent on the 14/03/2009 and claims that this is a non-issue because the POC would not correctly decompress.

    * 17/04/2009: Replied that the POC works as expected and asked why there had been no reaction to previous notifications.

      No reply.

    * 20/04/2009: Asked for patch timeline and affected versions.

    * 20/04/2009: Avast replies that all versions and all product ranges are affected, however "There's currently no plan to release a special patch for this as our risk assessment makes it a very low priority issue."

    * 20/04/2009: Replied that Avast can assess the risk of losing customers and money, not the entire cumulative risk their customers run in specific environments.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/