lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 2 Feb 2012 21:27:13 +0000 (GMT)
From: Michel <kareldjag@...oo.fr>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Multiple vendor antivirus .kz archive format
	evasion/bypass vulnerability.

hello,


Multiple vendor antivirus .kz archive format evasion/bypass vulnerability.


DESCRIPTION

.kz is a proprietary archive format from an Asian editor KuaiZip: http://www.kuaizip.com/en/index.html
This format, similar to lzma, is recent and very rare format type (not supported yet by most common archivers).
By creating a .kz file archive a remote attacker could send a malicious payload within this compressed archive to bypass/evade antivirus protection.
The succesful exploitation of this flaw allows attackers to plant a malicious file on a server or to store unwanted codes (DDOS tools, keyloguers, rootkit etc) on the intranet or any private network without being detected by the antivirus solution.

The vulnerability concerns the incapacity of the scanner engine to inspect the code within the KuaiZip archive.
Consequently, there is no possibility for the antivirus to detect any malicious file or payload on any environment: locally/client side, Mail gateway, web mail, cloud scan etc.

IMPACT AND LIMITATIONS:
As scanners engines do not support this new archive format, and as most antivirus are affected, the impact is a high.
As .kz format is currently only supported by KuaiZip archiver, and as most antivirus will detect the malicious known code once extracted from the archive, therefore the risk of infection is limited.


AFFECTED ANTIVIRUS:
currently most of them! including Norton, Kaspersky, Nod32/Eset, McAfee, Avira...

TESTS AND PoC:

Scans of 2 files on various online multiple antivirus scanners services like Virustotal and Virscan.
Jotti with hackerdefender rootkit: all scanners bypassed (French interface: "Rien trouvé" means "Nothing found" ):

Scanners
[ArcaVir]     
2012-02-02 Rien trouvé
    [Frisk F-Prot Antivirus]     
2012-02-01 Rien trouvé
[Avast! antivirus]     
2012-02-02 Rien trouvé
    [F-Secure Anti-Virus]     
2012-02-02 Rien trouvé
[Grisoft AVG Anti-Virus]     
2012-02-02 Rien trouvé
    [G DATA]     
2012-02-02 Rien trouvé
[Avira AntiVir]     
2012-02-02 Rien trouvé
    [Ikarus]     
2012-02-02 Rien trouvé
[Softwin BitDefender]     
2012-02-02 Rien trouvé
    [Kaspersky Anti-Virus]     
2012-02-02 Rien trouvé
[ClamAV]     
2012-02-02 Rien trouvé
    [Panda Antivirus]     
2012-02-02 Rien trouvé
[CPsecure]     
2012-02-02 Rien trouvé
    [Quick Heal]     
2012-02-02 Rien trouvé
[Dr.Web]     
2012-02-02 Rien trouvé
    [Sophos]     
2012-02-02 Rien trouvé
[Emsisoft Anti-Malware]     
2012-02-02 Rien trouvé
    [VirusBlokAda VBA32]     
2012-02-02 Rien trouvé
[ESET]     
2012-02-02 Rien trouvé
    [VirusBuster]     
2012-02-02 Rien trouvé

http://r.virscan.org/report/dda3f262c01ceb38e08cb67f3109abcd.html
http://r.virscan.org/report/6614b0d24738fe1f0b87e4d26588e9aa.html
https://www.virustotal.com/file/87b99979701e12e5a349a8875e145bbf46157272a07dde149ddbd0d0c347746c/analysis/1328206676/
http://virusscan.jotti.org/fr/scanresult/20295e6bca35855fbac9ffb3490d234787e2d773
http://virusscan.jotti.org/fr/scanresult/ac117935136f362f6167bf6f14b1fe3dba7bfe12


Local scan on 3 different PC with 3 different installed antivirus (latest version):
Kaspersky antivirus 2012, Avira free, Avast free: all vulnerable.

The two files are two .kz archives: an eicar test file for the first one (eicar.com) and HackerDefender rootkit for the second one.

A package of the test files and local scans screenshots can be found here (click on "telecharger ce fichier"):
http://dl.free.fr/kAPjT6Gs4


NB: It's a .kz archive :) to prevent your antivirus to download the file!
KuaiZip required for extraction!



VENDORS RESPONSE:

Currently only 2 vendors have been contacted: Kaspersky and FSB labs, mostly because their developpers are in mail contacts.
kareldjag(dog)yahoo.fr


Regards
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists