lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 25 Feb 2020 22:24:22 +0100
From: Thierry Zoller <thierry@...ler.lu>
To: fulldisclosure@...lists.org, submissions@...ketstormsecurity.com,
 bugtraq@...urityfocus.com
Cc: "soc@...cert.gov" <soc@...cert.gov>, info@...cl.lu
Subject: [FD] [TZO-23-2020] - AVAST Generic Archive Bypass (ZIP)

________________________________________________________________________

                 From the low-hanging-fruit-department
	     Avast Generic Malformed Archive Bypass (ZIP GFlag)
________________________________________________________________________

Release mode    : Coordinated Disclosure
Ref             : [TZO-23-2020] - AVAST Generic Archive Bypass (ZIP)
Vendor          : AVAST
Status          : Patched - version 12 and newer
CVE             : CVE-2020-9399

Blog            : 
https://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
Twitter         : https://twitter.com/thierryzoller
Dislosure Policy: https://caravelahq.com/b/policy/20949

Affected Products
=================
Avast Antivirus Pro Plus
Avast Antivirus Pro
Avast Antivirus für Linux

I. Background
=============
Avast is dedicated to creating a world that provides safety and privacy 
for all, no matter who you are, where you are, or how you connect.
Avast is one of the largest security companies in the world using 
next-gen technologies to fight cyber attacks in real time. We differ 
from other next-gen companies in that we have an immense cloud-based 
machine learning engine that receives a constant stream of data from our 
hundreds of millions of users, which facilitates learning at 
unprecedented speeds and makes our artificial intelligence engine 
smarter and faster than anyone else’s.


II. Description
----------------------------
The parsing engine supports the ZIP archive format. The parsing engine 
can be bypassed  by specifically manipulating an ZIP Archve so that it 
can be accessed by an end-user but not the Anti-Virus software. The AV 
engine is unable to scan the container and gives  the file a "clean" 
rating.

I may release further details after all known vulnerable vendors have 
patched their engines.


III. Impact
----------------------------
Impacts depends on the contextual use of the product and engine within 
the organisation of a customer. Gateway Products (Email, HTTP Proxy etc) 
may allow the file through unscanned and give it a clean bill of health. 
Server side AV software will not be able to discover any code or sample 
contained within this ISO file and it will not raise suspicion even  if 
you know exactly what you are looking for (Which is for example great to 
hide your implants or Exfiltration/Pivot Server).

There is a lot more to be said about this bug class, so rather than bore 
you with it in
this advisory I provide a link to my 2009 blog post
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Patch / Advisory
----------------------------
11.10.2019 - Submission
24.02.2020 - Confirmation by Avast that these have been patched.
"The fix was released in virus definitions 200114-0 (except for very old 
program versions 5.x - 11.x where it hasn't been released yet).
So any program (version 12 and newer) with up-to-date virus definitions 
has the updated unpacker."


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists