what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

PrivaWall Antivirus Office XML Format Evasion/Bypass

PrivaWall Antivirus Office XML Format Evasion/Bypass
Posted Mar 13, 2012
Authored by Moshe Zioni

PrivaWall Antivirus suffers from an Office XML format evasion / bypass vulnerability. Versions 5.6 and below are affected.

tags | advisory, bypass
SHA-256 | 57c9ab5ac6dd39653d293a5937b5378a8b03f2696525cb2d336fa349b059e84b

PrivaWall Antivirus Office XML Format Evasion/Bypass

Change Mirror Download
PrivaWall Antivirus Office XML Format Evasion/Bypass Vulnerability


Office XML formats are a Microsoft proprietary file format regarding office
documents, spreadsheets etc., otherwise known as Microsoft's Open Document
XML (not to be confused with Office Open XML).

This format, which can be viewed as a hybrid between .doc and .docx formats,
is essentially a .xml file that is identified with the magic number
`<?mso-application` and Microsoft Windows automatically handle it
with the appropriate Microsoft's Office application.
For example, the line '<?mso-application progid="Word.Document"?>' is used to
indicate that the XML should be parsed by Microsoft Word, the format is also
known as WordML.

The vulnerability concerns the incapacity of the scanner engine to
inspect the code within the Open Document XML format.
Consequently, there is no possibility for the antivirus to detect any
malicious file or payload.

The scanner can't identify the file type at all, thus the document can be
used to deliver/deploy any kind of payload, including viruses, trojan files
and other malware without AV prompting and practically evading it.

Consequently, the impact is considered as HIGH.


The vulnerability was found during a Penetration Testing on one of Comsec
Consulting's clients.
The Proof-of-Concept was done by sending several files, containing both
EICAR, and a 'real' arbitrary EXE file embedded (OLE) in a WordML document,
additionally the icon that provide the user an indication of the format is
encoded in .emz and can be modified to seem harmless instead of the default
executable icon that is normally accompanied with a large warning sign by

The issue was responsibly disclosed to vendor, waiting until patch release
before disclosing it publicly.

PrivaWall version 5.6 and below

The vendor published a patch on February, 2012 that is supposed to add the
ability of the engine to inspect Office XML formats.
The recommended fix according to vendor is to apply the patch (version 5.6
Build 2354) and make the appropriate changes to the search engine, that relates
to XML/HTML capabilities.

Moshe Zioni, Senior Information Security Consultant @ Comsec Global Consulting
Login or Register to add favorites

File Archive:

June 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    18 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    0 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    0 Files
  • 7
    Jun 7th
    0 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By