________________________________________________________________________

                 From the low-hanging-fruit-department
           Bitdefender Generic Malformed Archive Bypass (GZIP)
________________________________________________________________________

Release mode    : Silent Patch
Ref             : [TZO-18-2020] - Bitdefender Malformed Archive bypass 
(GZIP)
Vendor          : Bitdefender
Status          : Patched (Detection was added in engines v7.83650)
CVE             : Reserved 3 CVEs then pulled them back (Although 
patching the vulnerability)
Dislosure Policy: https://caravelahq.com/b/policy/20949
Vendor Advisory : No Advisory issued
Blog            : 
https://blog.zoller.lu/p/release-mode-silent-patch-ref-tzo-18.html
Patch release   : https://www.bitdefender.com/consumer/support/answer/10690/

Vendor statement : "Given that we're not treating them as vulns, they 
won't receive an advisory, and as such, no link"
If you disagree and are a customer, feel free to contact Bitdefender.

More information :
https://blog.zoller.lu/2020/01/a-new-blog-post-since-last-one-in-2013.html

Affected Products
=================
All Bitdefender Products and Vendors that have licensed the Engine 
before Dec 12 2019. Exact version is unknown as Bitdefender has not made 
this public.


Quoting Bitdefender :
"All Bitdefender endpoint solutions (including but not limited to 
Bitdefender Total Security,
Bitdefender Antivirus Free Edition, Bitdefender GravityZone) as well as 
all products
using our engines."

Consumer:
Bitdefender Premium Security
Bitdefender Total Security 2020
Bitdefender Internet Security 2020
Bitdefender Antivirus Plus 2020
Bitdefender Family Pack 2020
Bitdefender Antivirus for Mac
Bitdefender Mobile Security for Android
Bitdefender Mobile Security for iOS

Enterprise:
Bitdefender Small Office Security
GravityZone Business Security
GravityZone Advanced Business Security
Bitdefender Security for AWS
GravityZone Ultra Security
GravityZone Managed EDR
GravityZone Elite Security
GravityZone Enterprise Security
Security for Virtualized Environments
Security for Endpoints
Security for Mobiles
Security for Exchange
GravityZone Security for Storage

Vulnerable OEM Partners (According to AV-TEST):
Adaware
Bullguard
Vipr
Total360
eScan
emiSoft
G-DATA
Qihoo 360
Quick Heal
TotalDefense
Tencent

I. Background
=================
"Since 2001, Bitdefender innovation has consistently delivered 
award-winning security products and threat intelligence for people, 
homes, businesses and their devices, networks and cloud services. Today, 
Bitdefender is also the provider of choice, used in over 38% of the 
world’s security solutions.
Recognized by industry, respected by vendors and evangelized by our 
customers, Bitdefender is  the cybersecurity company you can trust and 
rely on."

II. Description
=================
The parsing engine supports the GZIP archive format. The parsing engine 
can be bypassed by specifically manipulating an GZIP Archive 
(Compression Method) so that it can be accessed by an end-user  but not 
the Anti-Virus software. The AV engine is unable to scan the archive and 
issues the file a "clean" rating.

I may release further details after all known vulnerable vendors have 
patched their products.


III. Impact
=================
Impacts depends on the contextual use of the product and engine within 
the organisation of a customer. Gateway Products (Email, HTTP Proxy etc) 
may allow the file through unscanned and give it a clean bill of health. 
Server side AV software will not be able to discover  any code or sample 
contained within this ISO file and it will not raise suspicion even  if 
you know exactly what you are looking for (Which is for example great to 
hide your implants or Exfiltration/Pivot Server).

There is a lot more to be said about this bug class, so rather than bore 
you with it in this advisory I provide a link to my 2009 blog post
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Patch / Advisory
=================
If you are an enterprise customer I would suggest to reach out to 
Bitdefender to discuss how you can be notified about patched 
vulnerabilities within their products. Some releases may requires binary 
updates that cant be pulled from the auto-update.

amsiscan.dll >24.0.14.74

For Users of the OEM Partners (G-Data, Vipr, etc) I would suggest to get 
in contact to ensure these vulnerabilities are patched or not present in 
their offering. I would also suggest discussing how you can be made 
aware of future patches.

V. Disclosure Timeline
======================
See Previous Bitdefender disclosures :
https://blog.zoller.lu/p/tzo-04-2019-bitdefender-malformed.html

"Given that we're not treating them as vulns, they won't receive an 
advisory, and as such, no link"