| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <300e76ca-b33b-d876-ef86-bd741f17ba10@zoller.lu>
Date: Tue, 25 Feb 2020 22:24:22 +0100
From: Thierry Zoller <thierry@...ler.lu>
To: fulldisclosure@...lists.org, submissions@...ketstormsecurity.com,
bugtraq@...urityfocus.com
Cc: "soc@...cert.gov" <soc@...cert.gov>, info@...cl.lu
Subject: [FD] [TZO-23-2020] - AVAST Generic Archive Bypass (ZIP)
________________________________________________________________________
From the low-hanging-fruit-department
Avast Generic Malformed Archive Bypass (ZIP GFlag)
________________________________________________________________________
Release mode : Coordinated Disclosure
Ref : [TZO-23-2020] - AVAST Generic Archive Bypass (ZIP)
Vendor : AVAST
Status : Patched - version 12 and newer
CVE : CVE-2020-9399
Blog :
https://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
Twitter : https://twitter.com/thierryzoller
Dislosure Policy: https://caravelahq.com/b/policy/20949
Affected Products
=================
Avast Antivirus Pro Plus
Avast Antivirus Pro
Avast Antivirus für Linux
I. Background
=============
Avast is dedicated to creating a world that provides safety and privacy
for all, no matter who you are, where you are, or how you connect.
Avast is one of the largest security companies in the world using
next-gen technologies to fight cyber attacks in real time. We differ
from other next-gen companies in that we have an immense cloud-based
machine learning engine that receives a constant stream of data from our
hundreds of millions of users, which facilitates learning at
unprecedented speeds and makes our artificial intelligence engine
smarter and faster than anyone else’s.
II. Description
----------------------------
The parsing engine supports the ZIP archive format. The parsing engine
can be bypassed by specifically manipulating an ZIP Archve so that it
can be accessed by an end-user but not the Anti-Virus software. The AV
engine is unable to scan the container and gives the file a "clean"
rating.
I may release further details after all known vulnerable vendors have
patched their engines.
III. Impact
----------------------------
Impacts depends on the contextual use of the product and engine within
the organisation of a customer. Gateway Products (Email, HTTP Proxy etc)
may allow the file through unscanned and give it a clean bill of health.
Server side AV software will not be able to discover any code or sample
contained within this ISO file and it will not raise suspicion even if
you know exactly what you are looking for (Which is for example great to
hide your implants or Exfiltration/Pivot Server).
There is a lot more to be said about this bug class, so rather than bore
you with it in
this advisory I provide a link to my 2009 blog post
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
IV. Patch / Advisory
----------------------------
11.10.2019 - Submission
24.02.2020 - Confirmation by Avast that these have been patched.
"The fix was released in virus definitions 200114-0 (except for very old
program versions 5.x - 11.x where it hasn't been released yet).
So any program (version 12 and newer) with up-to-date virus definitions
has the updated unpacker."
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists