lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1599914746.20091027231908@Zoller.lu>
Date: Tue, 27 Oct 2009 23:19:08 +0100
From: Thierry Zoller <Thierry@...ler.lu>
To: bugtraq <bugtraq@...urityfocus.com>, 
	full-disclosure <full-disclosure@...ts.grok.org.uk>, <info@...cl.etat.lu>, 
	<vuln@...unia.com>, <cert@...t.org>, <nvd@...t.gov>, <cve@...re.org>
Subject: [G-SEC 47-2009] Symantec generic PDF detection
	bypass

________________________________________________________________________

             Symantec multiple products - Generic PDF bypass
________________________________________________________________________

***********************************************************************
Cheap plug :
Speaking of PDF - If you are interested in client-side vulnerabilities
visit HACK.LU starting tomorrow [28-30 Oct] with :

Workshop:
* Bypassing the Perimeter: Client Side Exploitation - Nitesh Dhanjani, 
                                                      Billy K Rios
Talks :
* New advances in Office Malware analysis - Frank Boldewin
* PDF Penetration Document Format - Didier Stevens
* Ownage 2.0 - Saumil Shah (who else)
* Malicious PDF origamis strike back - Guillaume Delugré
                                       Frederic Raynal
***********************************************************************

Release mode: Coordinated
Reference   : [GSEC-47-2009] - Symantec generic PDF bypass
WWW         : http://www.g-sec.lu/symantec-pdf-bypass.html
Vendor      : http://www.symantec.com
Status      : Patched
CVE         : none attributed yet
Credit      : http://tinyurl.com/ygqnlhs
Discovered by : Thierry Zoller (G-SEC)


Affected products : 
~~~~~~~~~~~~~~~~~~~
- Symantec Mail Security for Domino
- Symantec Mail Security for Microsoft Exchange
- Symantec Mail Security for SMTP
- Symantec Brightmail Gateway
- Symantec AntiVirus for Network Attached Storage
- Symantec AntiVirus for Caching
- Symantec AntiVirus for Messaging
- Symantec Protection for SharePoint Servers
- Symantec Protection Suite
- Symantec Scan Engine
- Symantec Client Security
- Symantec Endpoint Protection
- Symantec AntiVirus Corporate Edition
- Norton Internet Security
- Norton 360
- Norton AntiVirus
- Norton Systemworks

Patch availability :
~~~~~~~~~~~~~~~~~~~~
Patches distributed through automatic updates

I. Background
~~~~~~~~~~~~~
Quote: "Symantec helps consumers and organizations secure and 
manage their information-driven world. Our software and services 
protect against more risks at more points, more completely and 
efficiently, enabling confidence wherever information is used or stored."

II. Description
~~~~~~~~~~~~~~~
Improper parsing of the PDF structure leads to evasion of detection of 
malicious PDF documents at scantime and runtime.
  
This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.

General information about evasion/bypasses can be found at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

III. Impact
~~~~~~~~~~~
Known PDF exploits/malware may evade signature and heuristic detection, 0day exploits
may evade heuristics.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD.MM.YYYY
01.06.2009 - Reported 
12.06.2009 - "This will be posted to our Symantec Product Security Advisory page
             though we are not identifying these issues as vulnerabilities, it's just
             the best method to disseminate this type of product information"
< waiting for others to patch >
27.10.2009 - G-SEC releases this advisory


About G-SEC
~~~~~~~~~~~
G-SECâ„¢  is  a  vendor independent luxemburgish led IT security consulting
group. More information available at : http://www.g-sec.lu/












_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ