[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1599914746.20091027231908@Zoller.lu>
Date: Tue, 27 Oct 2009 23:19:08 +0100
From: Thierry Zoller <Thierry@...ler.lu>
To: bugtraq <bugtraq@...urityfocus.com>,
full-disclosure <full-disclosure@...ts.grok.org.uk>, <info@...cl.etat.lu>,
<vuln@...unia.com>, <cert@...t.org>, <nvd@...t.gov>, <cve@...re.org>
Subject: [G-SEC 47-2009] Symantec generic PDF detection
bypass
________________________________________________________________________
Symantec multiple products - Generic PDF bypass
________________________________________________________________________
***********************************************************************
Cheap plug :
Speaking of PDF - If you are interested in client-side vulnerabilities
visit HACK.LU starting tomorrow [28-30 Oct] with :
Workshop:
* Bypassing the Perimeter: Client Side Exploitation - Nitesh Dhanjani,
Billy K Rios
Talks :
* New advances in Office Malware analysis - Frank Boldewin
* PDF Penetration Document Format - Didier Stevens
* Ownage 2.0 - Saumil Shah (who else)
* Malicious PDF origamis strike back - Guillaume Delugré
Frederic Raynal
***********************************************************************
Release mode: Coordinated
Reference : [GSEC-47-2009] - Symantec generic PDF bypass
WWW : http://www.g-sec.lu/symantec-pdf-bypass.html
Vendor : http://www.symantec.com
Status : Patched
CVE : none attributed yet
Credit : http://tinyurl.com/ygqnlhs
Discovered by : Thierry Zoller (G-SEC)
Affected products :
~~~~~~~~~~~~~~~~~~~
- Symantec Mail Security for Domino
- Symantec Mail Security for Microsoft Exchange
- Symantec Mail Security for SMTP
- Symantec Brightmail Gateway
- Symantec AntiVirus for Network Attached Storage
- Symantec AntiVirus for Caching
- Symantec AntiVirus for Messaging
- Symantec Protection for SharePoint Servers
- Symantec Protection Suite
- Symantec Scan Engine
- Symantec Client Security
- Symantec Endpoint Protection
- Symantec AntiVirus Corporate Edition
- Norton Internet Security
- Norton 360
- Norton AntiVirus
- Norton Systemworks
Patch availability :
~~~~~~~~~~~~~~~~~~~~
Patches distributed through automatic updates
I. Background
~~~~~~~~~~~~~
Quote: "Symantec helps consumers and organizations secure and
manage their information-driven world. Our software and services
protect against more risks at more points, more completely and
efficiently, enabling confidence wherever information is used or stored."
II. Description
~~~~~~~~~~~~~~~
Improper parsing of the PDF structure leads to evasion of detection of
malicious PDF documents at scantime and runtime.
This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.
General information about evasion/bypasses can be found at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
III. Impact
~~~~~~~~~~~
Known PDF exploits/malware may evade signature and heuristic detection, 0day exploits
may evade heuristics.
IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD.MM.YYYY
01.06.2009 - Reported
12.06.2009 - "This will be posted to our Symantec Product Security Advisory page
though we are not identifying these issues as vulnerabilities, it's just
the best method to disseminate this type of product information"
< waiting for others to patch >
27.10.2009 - G-SEC releases this advisory
About G-SEC
~~~~~~~~~~~
G-SECâ„¢ is a vendor independent luxemburgish led IT security consulting
group. More information available at : http://www.g-sec.lu/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists