lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <336446510.20090427164157@Zoller.lu>
Date: Mon, 27 Apr 2009 16:41:57 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: NTBUGTRAQ <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>, 
	bugtraq <bugtraq@...urityfocus.com>, 
	full-disclosure <full-disclosure@...ts.grok.org.uk>, <info@...cl.etat.lu>, 
	<vuln@...unia.com>, <cert@...t.org>, <nvd@...t.gov>, <cve@...re.org>
Subject: [TZO-14-2009] Comodo Antivirus RAR evasion

______________________________________________________________________

  From the low-hanging-fruit-department - Comodo antivir bypass/evasion
______________________________________________________________________

Release mode: Coordinated but limited disclosure.
Ref         : TZO-142009 - Comodo evasion RAR
WWW         : http://blog.zoller.lu/2009/04/comodo-antivirus-evasionbypass.html
Vendor      : http://www.comodo.com
Status      : Patched
Security notification reaction rating : Good 
Notification to patch window : 41 days

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Comodo Internet Security 3.5.x and 3.8.x (Impact low due to on access scan)
- Comodo Anti-Virus (Impact low due to on access scan)


I. Background
~~~~~~~~~~~~~
Quote: "Comodo's range of solutions gives businesses the ability 
to create online trust through proprietary technology that help 
e-businesses convert more customers, retain more customers and 
increase lifetime value."

II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formated
RAR archive. Details are currently witheld due to other vendors that are 
in process of deploying patches.

III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within the RAR archive. There is no inspection of the content
at all and hence the impossibility to detect malicious code.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
14/03/2009 : Send proof of concept, description the terms under which 
             I cooperate and the planned disclosure date
                         
             No reply
                         
16/03/2009 : Resend notification
                         
23/03/2009 : Comodo answers that the bug has been fixed and will be deployed
             in version 3.9 due in end of April.

02/04/2009 : Ask for affected versions.
                         
02/04/2009 : Comodo answers that the ranges 3.5.x and 3.8.x have been affected 
             and that the sheduled release date is the 25th of April. Credit
             will be given in the release notes.

27/04/2009 : Notify comodo that I plan to release the advisory today and assume
             the production code has been released in the 25.04.2009

27/04/2009 : Release of this advisory





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ