[<prev] [next>] [day] [month] [year] [list]
Message-ID: <941839437.20091027232333@Zoller.lu>
Date: Tue, 27 Oct 2009 23:23:33 +0100
From: Thierry Zoller <Thierry@...ler.lu>
To: bugtraq <bugtraq@...urityfocus.com>,
full-disclosure <full-disclosure@...ts.grok.org.uk>, <info@...cl.etat.lu>,
<vuln@...unia.com>, <cert@...t.org>, <nvd@...t.gov>, <cve@...re.org>
Subject: [G-SEC 48-2009] F-SECURE - Generic PDF detection
bypass
________________________________________________________________________
F-SECURE multiple products - Generic PDF detection bypass
________________________________________________________________________
***********************************************************************
Cheap plug :
If you are interested in client-side vulnerabilities visit HACK.LU
starting tomorrow [28-30 Oct] with :
Workshop:
* Bypassing the Perimeter: Client Side Exploitation - Nitesh Dhanjani,
Billy K Rios
Talks :
* New advances in Office Malware analysis - Frank Boldewin
* PDF Penetration Document Format - Didier Stevens
* Ownage 2.0 - Saumil Shah (who else)
* Malicious PDF origamis strike back - Guillaume Delugré
Frederic Raynal
***********************************************************************
Release mode : Coordinated
Reference : [GSEC-48-2009] - F-Secure generic PDF bypass
WWW : http://www.g-sec.lu/fsecure-pdf-bypass.html
Vendor : http://www.f-secure.com
Status : Patched
CVE : none attributed yet
Credit : tba (probably FSC-2009-3)
Discovered by : Thierry Zoller (G-SEC)
Affected products :
~~~~~~~~~~~~~~~~~~~
- F-Secure Internet Security 2009 and earlier
- F-Secure Anti-Virus 2009 and earlier
- F-Secure Home Server Security 2009
- Solutions based on F-Secure Protection Service for Consumers version 8.00 and earlier
- Solutions based on F-Secure Protection Service for Business - Workstation security version 8.00 and earlier
- Solutions based on F-Secure Protection Service for Business - E-mail and Server security version 8.00 and earlier
- F-Secure Client Security 8.01 and earlier
- F-Secure Anti-Virus for Workstations 8.0 and earlier
- F-Secure Anti-Virus for Windows Servers 8.00 and earlier
- F-Secure Linux Security 7.02 and earlier
- F-Secure Anti-Virus Linux Client Security 5.54 and earlier
- F-Secure Anti-Virus Linux Server Security 5.54 and earlier
- F-Secure Anti-Virus for Linux Servers 4.65
- F-Secure Anti-Virus for Microsoft Exchange 8.00 and earlier
- F-Secure Internet Gatekeeper for Windows 6.61 and earlier
- F-Secure Internet Gatekeeper for Linux 3.02 and earlier
- F-Secure Internet Gatekeeper for Linux Japanese 2.37 and earlier
- F-Secure Anti-Virus for Citrix Servers 7.00 and earlier
- F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier
Patch availability :
~~~~~~~~~~~~~~~~~~~~
Patches distributed through automatic updates
I. Background
~~~~~~~~~~~~~
Quote: "F-Secure offers a broad range of PC and internet security
products made for your home or business, so you will
always be protected. Our internet security, antivirus
and anti-spyware software is trusted by more than 180
internet service providers around the world. Moreover,
with 16 global offices and a presence within more than
100 countries, F-Secure is sure to be there for you and
your security software needs."
II. Description
~~~~~~~~~~~~~~~
Improper parsing of the PDF structure leads to evasion of detection of
malicious PDF documents at scantime and runtime.
This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.
General information about evasion/bypasses can be found at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
III. Impact
~~~~~~~~~~~
Known PDF exploits/malware may evade signature detection, 0day exploits
may evade heuristics.
IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD.MM.YYYY
15.05.2009 - Reported to F-Secure
12.07.2009 - Patches deployed automatically, F-Secure waits to
coordinate public disclosure
< waiting for others to patch >
27.10.2009 - G-SEC releases this advisory
About G-SEC
~~~~~~~~~~~
G-SECâ„¢ is a vendor independent luxemburgish led IT security consulting
group. More information available at : http://www.g-sec.lu/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists