what you don't know can hurt you

Bitdefender Generic Malformed Archive Bypass

Bitdefender Generic Malformed Archive Bypass
Posted Jan 14, 2020
Authored by Thierry Zoller

The Bitdefender parsing engine supports the RAR archive format. The parsing engine can be bypassed by specifically manipulating an RAR Archive (Compressed Size) so that it can be accessed by an end-user but not the Anti-Virus software. The AV engine is unable to scan the archive and issues the file a "clean" rating. All Bitdefender Products and Vendors that have licensed the Engine before Dec 12, 2019 are affected.

tags | advisory, virus
MD5 | c3051127930c29478cb249b21d1022b1

Bitdefender Generic Malformed Archive Bypass

Change Mirror Download
________________________________________________________________________

From the low-hanging-fruit-department
Bitdefender Generic Malformed Archive Bypass (RAR Uncompressed Size)
________________________________________________________________________

Release mode : Forced Disclosure (Patch Available)
Ref : [TZO-09-2020] - Bitdefender Malformed Archive bypass
(RAR Uncompressed Size)
Vendor : Bitdefender
Status : Patched (amsiscan.dll >24.0.14.74)
CVE : Reserved 3 CVEs then pulled them back (Although
patching the vulnerability)
Dislosure Policy: https://caravelahq.com/b/policy/20949
Blog :
https://blog.zoller.lu/p/advisory-tzo-09-2020-bitdefender.html
Vendor Advisory : No Advisory issued
Patch release : https://www.bitdefender.com/consumer/support/answer/10690/


Affected Products
=================
All Bitdefender Products and Vendors that have licensed the Engine
before Dec 12 2019. Exact version is unknown as Bitdefender has not made
this public.


Quoting Bitdefender :
"All Bitdefender endpoint solutions (including but not limited to
Bitdefender Total Security,
Bitdefender Antivirus Free Edition, Bitdefender GravityZone) as well as
all products
using our engines."

Consumer:
Bitdefender Premium Security
Bitdefender Total Security 2020
Bitdefender Internet Security 2020
Bitdefender Antivirus Plus 2020
Bitdefender Family Pack 2020
Bitdefender Antivirus for Mac
Bitdefender Mobile Security for Android
Bitdefender Mobile Security for iOS

Enterprise:
Bitdefender Small Office Security
GravityZone Business Security
GravityZone Advanced Business Security
Bitdefender Security for AWS
GravityZone Ultra Security
GravityZone Managed EDR
GravityZone Elite Security
GravityZone Enterprise Security
Security for Virtualized Environments
Security for Endpoints
Security for Mobiles
Security for Exchange
GravityZone Security for Storage

Vulnerable OEM Partners (According to AV-TEST):
Adaware
Bullguard
Vipr
Total360
eScan
emiSoft
G-DATA
Qihoo 360
Quick Heal
TotalDefense
Tencent

I. Background
=================
"Since 2001, Bitdefender innovation has consistently delivered
award-winning security products and threat intelligence for people,
homes, businesses and their devices, networks and cloud services. Today,
Bitdefender is also the provider of choice, used in over 38% of the
world’s security solutions.
Recognized by industry, respected by vendors and evangelized by our
customers, Bitdefender is the cybersecurity company you can trust and
rely on."

II. Description
=================
The parsing engine supports the RAR archive format. The parsing engine
can be bypassed by specifically manipulating an RAR Archive (Compressed
Size) so that it can be accessed by an end-user but not the Anti-Virus
software. The AV engine is unable to scan the archive and issues the
file a "clean" rating.

I may release further details after all known vulnerable vendors have
patched their products.


III. Impact
=================
Impacts depends on the contextual use of the product and engine within
the organisation of a customer. Gateway Products (Email, HTTP Proxy etc)
may allow the file through unscanned and give it a clean bill of health.
Server side AV software will not be able to discover any code or sample
contained within this ISO file and it will not raise suspicion even if
you know exactly what you are looking for (Which is for example great to
hide your implants or Exfiltration/Pivot Server).

There is a lot more to be said about this bug class, so rather than bore
you with it in this advisory I provide a link to my 2009 blog post
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Patch / Advisory
=================
If you are an enterprise customer I would suggest to reach out to
Bitdefender to discuss how you can be notified about patched
vulnerabilities within their products. Some releases may requires binary
updates that cant be pulled from the auto-update.

amsiscan.dll >24.0.14.74

For Users of the OEM Partners (G-Data, Vipr, etc) I would suggest to get
in contact to ensure these vulnerabilities are patched or not present in
their offering. I would also suggest discussing how you can be made
aware of future patches.

V. Disclosure Timeline
======================

Comments (1)

RSS Feed Subscribe to this comment feed
ducklife

Thank you for sharing. Your blog post is interesting and informative. I think there are many people who like and visit it often, including me.
vinlookup.online

Comment by ducklife
2020-01-15 07:12:23 UTC | Permalink | Reply
Login or Register to post a comment

File Archive:

January 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    8 Files
  • 2
    Jan 2nd
    11 Files
  • 3
    Jan 3rd
    11 Files
  • 4
    Jan 4th
    2 Files
  • 5
    Jan 5th
    2 Files
  • 6
    Jan 6th
    18 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    10 Files
  • 10
    Jan 10th
    13 Files
  • 11
    Jan 11th
    2 Files
  • 12
    Jan 12th
    4 Files
  • 13
    Jan 13th
    21 Files
  • 14
    Jan 14th
    18 Files
  • 15
    Jan 15th
    12 Files
  • 16
    Jan 16th
    18 Files
  • 17
    Jan 17th
    11 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close