________________________________________________________________________

                 From the low-hanging-fruit-department
           Bitdefender Generic Malformed Archive Bypass (BZ2)
________________________________________________________________________

Release mode : Forced Disclosure
Ref         : [TZO-04-2019] - Bitdefender Malformed Archive bypass (BZ2)
Vendor      : Bitdefender
Status      : Patched (amsiscan.dll >24.0.14.74)
CVE         : Issued 3 CVEs then pulled them back (although patching)
Dislosure Policy: https://caravelahq.com/b/policy/20949
Blog            : 
https://blog.zoller.lu/p/tzo-04-2019-bitdefender-malformed.html
Vendor Advisory : No Advisory issued
Patch release   : https://www.bitdefender.com/consumer/support/answer/10690/


Affected Products
=================
All Bitdefender Products and Vendors that have licensed the Engine 
before Dec 12 2019. Exact version is unknown as Bitdefender has not made 
this public.

Quoting Bitdefender :
"All Bitdefender endpoint solutions (including but not limited to 
Bitdefender Total Security, Bitdefender Antivirus Free Edition, 
Bitdefender GravityZone) as well as all products using our engines."

Consumer:
Bitdefender Premium Security
Bitdefender Total Security 2020
Bitdefender Internet Security 2020
Bitdefender Antivirus Plus 2020
Bitdefender Family Pack 2020
Bitdefender Antivirus for Mac
Bitdefender Mobile Security for Android
Bitdefender Mobile Security for iOS

Enterprise:
Bitdefender Small Office Security
GravityZone Business Security
GravityZone Advanced Business Security
Bitdefender Security for AWS
GravityZone Ultra Security
GravityZone Managed EDR
GravityZone Elite Security
GravityZone Enterprise Security
Security for Virtualized Environments
Security for Endpoints
Security for Mobiles
Security for Exchange
GravityZone Security for Storage

Vulnerable OEM Partners (According to AV-TEST):
Adaware
Bullguard
Vipr
Total360
eScan
emiSoft
G-DATA
Qihoo 360
Quick Heal
TotalDefense
Tencent

I. Background
=================
"Since 2001, Bitdefender innovation has consistently delivered 
award-winning security products and threat intelligence for people, 
homes, businesses and their devices, networks and cloud services. Today, 
Bitdefender is also the provider of choice, used in over 38% of the 
world’s security solutions.
Recognized by industry, respected by vendors and evangelized by our 
customers, Bitdefender is  the cybersecurity company you can trust and 
rely on."

II. Description
=================
The parsing engine supports the BZIP archive format. The parsing engine 
can be bypassed by specifically manipulating an BZIP  Archive so that it 
can be accessed by an end-user  but not the Anti-Virus software. The AV 
engine is unable to scan the archive and issues the file a "clean" rating.

I may release further details after all known vulnerable vendors have 
patched their products.


III. Impact
=================
Impacts depends on the contextual use of the product and engine within 
the organisation of a customer. Gateway Products (Email, HTTP Proxy etc) 
may allow the file through unscanned and give it a clean bill of health. 
Server side AV software will not be able to discover  any code or sample 
contained within this ISO file and it will not raise suspicion even  if 
you know exactly what you are looking for (Which is for example great to 
hide your implants or Exfiltration/Pivot Server).

There is a lot more to be said about this bug class, so rather than bore 
you with it in this advisory I provide a link to my 2009 blog post
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Patch / Advisory
=================
If you are an enterprise customer I would suggest to reach out to 
Bitdefender to discuss how you can be notified about patched 
vulnerabilities within their products. Some releases may requires binary 
updates that cant be pulled from the auto-update.

amsiscan.dll >24.0.14.74

For Users of the OEM Partners (G-Data, Vipr, etc) I would suggest to get 
in contact to ensure these vulnerabilities are patched or not present in 
their offering. I would also suggest discussing how you can be made 
aware of future vulnerabilities.

V. Disclosure Timeline
======================
See here : https://caravelahq.com/b/bitdefender/20876

18 OCT 2019
- Submission of a bypass over a bug bounty platform  that requires 
submitters to agree to an NDA regardless of whether the vulnerability is 
recognised or not.

21 OCT 2019
- Bitdefender validated the report and assigned CVE-2019-17095

23 OCT 2019
"fix was also pushed via update. Can you please check?"

OCT 2019
- Back and forth on whether this qualifies for a bug bounty. Bitdefender 
rep states "In my opinion, we should. It's not an usual engine bypass 
"undetected sample". It's exploiting a vulnerability to bypass the 
engines which, I see as something different. Will provide an official 
answer in the following days."

- I continue submitting more Bitdefender bypasses

28 OCT 2019
- Bitdefender states "We're doing a review of this vector as a whole and 
putting the unpackers
temporarily out of scope until we're done"

05 NOV 2019
- Bitdefender changes its mind "As a rule of thumb, this form of AV 
bypass (corrupting archive headers)
is not and will not be rewardable."

Discussion continue

26 NOV 2019
"Your reports are valid but they will not be treated as vulnerabilities 
or receive a generic fix at the moment (individual fixes may be 
implemented)."

"PS: given that we won't be treating these as vulnerabilities, we're 
pulling back the 3 CVEs  that may have been issued a bit too rashly."

Editors Note: We qualified them as vulnerabilities and in scope of the 
bug bounty, now we changed our mind,
they are valid yes, i.e they bypass the Engine, but they are not 
vulnerabilities.

At this point the Terms I agreed to when signing up to the bug bounty 
platform would prevent me from disclosing or getting any sort of credit.

Hence I decide to take my next report outside the platform and under my 
own terms that can be found here :
https://caravelahq.com/b/policy/20949

OCT 30 2019
- Submitted new GZIP bypass report and sample over my ticketing system 
and under my terms,
outside of the bug bounty platform.

OCT 31 2019
- Bitdefender requests that I reupload the file as they accidently 
deleted it

NOV 5 2019
- I continue to try to talk sense into this by sending a bunch of CVEs, 
reports, papers and presentations about this bug class.
- I notify Bitdefender that "Also, I will stop reporting any further 
vulnerabilities to you under these condiions. I feel like you broke both 
contract and execution in good faith. When are you planning on notifying 
your customers?"

NOV 5 2019
Bitdefender : "While this may change in the future. we're treating these 
types of AV evasion techniques as "won't fix", for now."

NOV 14 2019
- Setting a temporary Disclosure data as per my Policy.
- Asking to confirm the vulnerability or otherwise reply -  No reply.

NOV 21 2019
- Notifying Bitdefender that that in alignement to my policy, .i.e 
having received no updates that I will disclose without further 
coordination.

NOV 26 2019
- Bitdefender issues a bounty for previous reports over the previously 
used bug bounty platform.

DEC 2 2019
- Asking a second time for an upate (Bz2). No reply.

DEC 6 2019
- Last attempt to contact them. Bz2) No reply.

DEC 12 2019
Bitdefender silently fixes the vuln.
"I noticed today the 12/12/2020 that you have deployed a fix for this. 
Do you have any statement or comment
on why you choose to silently fix and give no credit whatsoever ?"

DEC 12 2019
- Tweeted the Hash of the Report
https://twitter.com/thierryzoller/status/1205115141832007680

DEC 13 2019
- Since I received no reply, I reached out to Bitdefender on an old 
thread on the previously used bug bounty platform.
"Have you considered not paying a bounty but giving credit?"
Bitdefender replies "This is literally the first time in 4 years of 
running the bug bounty program when we got "stuck" in a dispute of sorts 
with a researcher. I know what silent patching means and I'm fully aware 
(and against) this type  of lack of transparency. And we also have a 
track record that shows we have absolutely no problem giving credit 
where credit was due. This is just a matter of you and us disagreeing on 
whether this is a vuln or not."

N.B They clearly classified it as a vulnerability weeks before, multiple 
times.

DEC 15 2019
- Reached out to Bitdefender again to ensure there is 0 excuse for 
miscommunication:
"I'd like to make sure there are no misunderstandings if you recognize 
this bug class by either crediting or otherwise than I am happy to 
report any findings here, or outside. If you choose to  continue to fix 
these silently and not even reply to my update requests I am not open in 
doing so. Let me know Bitdefenders' official position on this."

DEC 16 2019
- "You shall be credited in our hall of fame and I'll post about this on 
Twitter."

DEC 24 2019
- Release of this Advisory


Note: The lenght you need to go through in 2019 to report 
vulnerabilities is astounding, it is also astounting to see how bug 
bounty platforms have the potential to be used to silence reports and/or 
researchers. Their terms and usages, introduces a new element and 
dynamic in the researcher / vendor relationship. Is it about time to 
push  an FD culture again ?