[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1752241504.20090613134228@Zoller.lu>
Date: Sat, 13 Jun 2009 13:42:28 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: bugtraq <bugtraq@...urityfocus.com>, info@...cl.etat.lu, vuln@...unia.com,
<cert@...t.org>, <nvd@...t.gov>, <cve@...re.org>,
<full-disclosure@...ts.grok.org.uk>
Subject: [TZO-30-2009] Kaspersky and the silent patch that
wasn't (PDF evasion, forced full disclosure)
________________________________________________________________________
From the facepalm department
Kaspersky and the silent fix that wasn't
PDF Evasion
________________________________________________________________________
Release mode: Forced disclosure
Ref : [TZO-30-2009] - Kaspersky PDF evasion (Forced disclosure)
WWW : http://blog.zoller.lu/2009/05/advisory-kaspersky-generic-pdf-evasion.html
Vendor : http://www.kaspersky.com
Status : Silent fix that doesn't work - No appropriate patch
CVE : none provided
Credit : none given
OSVDB vendor entry: No [1]
Security notification reaction rating : Catastropic
Not only did the headquarter not answer, they (tried) to patch this
vulnerability silently, only to fail at it. See Timeline.
This is not the first time that Kaspersky did not answer but patched
bugs without credit, advisory or anything. This is however the last
time I will not disclose, I am no longer part of an entity that tolerates
irresponsible non-disclosure.
A professional reaction to a vulnerability notification is a way to measure
the maturity of a vendor in terms of security. Kaspersky is given a grace
period of two (2) weeks to reply to my notifications. Failure to do so will
result in details of all the other reported bugs be released in two (2) weeks.
Notification to patch window : x+n
Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products (all versions) :
- Kaspersky Internet Security
- Kaspersky Anti-Virus
- Kaspersky Mobile Security
- Kaspersky Small Office Security
- Kaspersky Open Space Security
- Kaspersky Business Space Security
- Kaspersky Work Space Security
- Kaspersky Enterprise Space Security
- Kaspersky Targeted Security
- Kaspersky® Anti-Virus for Microsoft ISA Server
- Kaspersky® Anti-Virus for Proxy Server
- Kaspersky® Anti-Virus for Check Point Firewall-1
- Kaspersky® Anti-Virus for Windows Server
- Kaspersky® Anti-Virus for Windows Server Enterprise Edition
- Kaspersky® Anti-Virus for Novell NetWare
- Kaspersky® Anti-Virus for Linux File Server
- Kaspersky® Anti-Virus for Samba Server
- Kaspersky® Security for Microsoft Exchange 2007
- Kaspersky® Security for Microsoft Exchange 2003
- Kaspersky® Anti-Virus for Lotus Notes/Domino
- Kaspersky® Anti-Virus for Windows Workstation
- Kaspersky® Anti-Virus for Linux Workstation
- Kaspersky® Anti-Virus for Linux Mail Server
- Kaspersky® Mail Gateway
- Kaspersky® Anti-virus for MIMEsweeper
See notification and disclosure terms for details about this list.
I. Background
~~~~~~~~~~~~~
Quote: "We develop, produce and distribute information security solutions that
protect our customers from IT threats and allow enterprises to manage risk.
We provide products that protect information from viruses, hackers and spam
for home users and enterprises and offer consulting services and technical
support. "
II. Description
~~~~~~~~~~~~~~~
The PDF files are not parsed correctly, a PDF file starts with the magic
byte "%PDF" and ends with the magic byte "%%EOF", everything in between
those markers is parsed and interpreted. Furthermore PDF files are read from
the bottom to the top.
Adobe Acrobat nor the FoxitReader care too much about the data that
comes prior the magic byte, the kaspersky engine does, not only does
it care, it fails to detect the malware inside the PDF file.
I will spare you the details, a PDF file is bascialy a container that
starts with %PDF and ends with %%EOF.
What follows are the details of this evasion, note this one is generic
and the easiest one, there are plenty more. What you read below is true
as amazing as it might seem, you can't have it more simple.
Example of a malicious PDF file [2]+[3] :
%PDF
Malicious content here
%%EOF
Doing :
Enter stuff here, like random text.
%PDF
Malicious content here
%%EOF
This has the result that the malware is no longer being detected.
Note: Not a single byte of the malware itself been altered, and strictly speaking
the content that represent a PDF file hasn't been changed at all.
This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.
Kaspersky was given the PoC file directly through myself and F-Secure, they
went ahead an patched this by adding a signature for the POC file, adding
a PE header in front of a PDF file (with a PDF extension) still evades detection
and the exploit still triggers when opening the file with Adobe. Thus the
patch is flawed by design.
III. Impact
~~~~~~~~~~~
The heuristics can be bypassed by a special formated PDF "container", this
leads to the bypass of malicious PDF files, old or new. This is not a
bypass that relies on archive structures but relies on evading certain
code paths in the av engine "through various means".
A general description of the impact and nature of AV Bypasses/evasions
can be read at : http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
Note: Certain vendors confirmed this to bypass their engine at runtime.
IV. Timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
15/05/2009 : Send proof of concept, description the terms under which
I cooperate and the planned disclosure date.
no reply
xx/05/2009 : F-Secure sends the same sample to Karspersky
01/06/2009 : Re-sending the proof of concept, description the terms under which
I cooperate and the planned disclosure date.
no reply
03/06/2009 : F-Secure informs me that the sample was submitted to Kaspersky
03/06/2009 : Informed F-secure to communicate with Kaspersky and please ask
them to reply to my notifications.
03/06/2009 : Kaspersky Moscow visits my blog, searches for "AVP" and "Kaspersky".
Obviously they received both reports. (see website for pic)
No reply
04/06/2009 : Discovered that the POC file is now detected by the latest Kaspersky
update.
04/06/2009 : Discovered that adding a few bytes evades the engine again.
+5minutes
09/06/2009 : Release of this advisory on the blog, tweet. Hoping for any reaction
prior to sending it to bugtraq
13/06/2009 : Release to Bugtraq et al.
Note (in all fairness): Kaspersky US did acknowledge the receipt of 2 other bugs,
however they couldn't provide any information or any reaction as Moscow simply
didn't answer them.
[1] http://osvdb.org/vendor/1/Kaspersky%20Labs
[2] http://blog.didierstevens.com/2009/05/14/malformed-pdf-documents/
[3] http://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists