
AVIRA Generic Malformed Container Bypass
Posted Feb 21, 2020
Authored by Thierry Zoller

The AVIRA parsing engine supports the ISO container format. The parsing engine can be bypassed by specifically manipulating the ISO archive. This leads to the Endpoint ignoring the container and the Gateways letting the file slip through uninspected. Avira does not patch or update their very popular command line scanner that is still available for download on their website. AV Engine versions below 8.3.54.138 are affected.

tags | advisory
advisories | CVE-2020-9320
MD5 | 46ba66f6cda072712c42db3e0f597db6

________________________________________________________________________

From the low-hanging-fruit-department
AVIRA Generic Malformed Container bypass (ISO Container)
________________________________________________________________________

Release mode : Coordinated disclosure / Vendor does not disclose
CVE : CVE-2020-9320
Ref : [TZO-19-2020] - AVIRA Generic AV Bypass (ISO Container)
Vendor : AVIRA
Status : PATCHED - Engine version 8.3.54.138.
CVE : none provided,
Blog :
https://blog.zoller.lu/p/from-low-hanging-fruit-department-avira.html
Vulnerability Disclosure Policy: https://caravelahq.com/b/policy/20949

Affected Products
=================
AV Engine below 8.3.54.138

All Avira products :
- Avira Antivirus Server
- Avira Antivirus for Endpoint
- Avira Antivirus for Small Business
- Avira Exchange Security (Gateway)
- Avira Internet Security Suite for Windows
- Avira Prime
- Avira Free Security Suite for Windows
- Cross Platform Anti-malware SDK

Attention:
Avira does not patch or update their very popular command line scanner
that is still available for download on their website. Since Avira does
not release an advisory, their customers are none the wiser.

Avira licenses its engine to many OEM Partners. The OEM Partners that
use the Avira Engine may or may not be vulnerable. I would advise that you
reach out to the vendors listed below to find out whether you are affected.
OEM Partners can reach out to me to retrieve the POC in order to test.

AVIRA OEM Partners:
- F-Secure
- Sophos
- Barracuda
- Alibaba Cloud Security
- Check Point
- CUJO AI
- TP-Link
- FujiSoft
- AWS
- Rohde and Schwarz
- Careerbuilder
- Huawei
- Dracoon
- Total Availability
- FixMeStick
- APPVISORY
- Tabidus
- Cyren


Source :
https://oem.avira.com/en/partnership/our-partners


I. Background
----------------------------
Quote: "We protect people—like you—across all devices, both directly and
via our OEM partnerships. We provide a wide variety of best-in-class
solutions to enhance your protection, performance,
and online privacy—ranging from antivirus to VPN and cleanup technologies.

A server security should get special attention, as a single employee
might store a malicious file on the network and instantly cause a
cascading damage across the entire organization.
With Avira's solutions for server security you can prevent such
scenarios by protecting your network, data, and web traffic. "

Avira has the Trust Seal or the
http://www.teletrust.de/itsmig/


II. Description
----------------------------
The parsing engine supports the ISO container format. The parsing engine
can be bypassed by specifically manipulating the ISO archive.
This leads to the Endpoint ignoring the container and the Gateways
letting the file slip through uninspected.


III. Impact
----------------------------
It bypasses Avira perimeter defenses and scheduled AV scans.

Impact depends on the contextual use of the product and engine within
the customer's organisation. Gateway products (Email, HTTP Proxy etc.)
may allow the file through unscanned and give it a clean bill of health.
Server-side AV software will not be able to discover any code or sample
contained within this ISO file, and it will not raise suspicion even
if you know exactly what you are looking for (which is, for example,
great for hiding implants or an Exfiltration/Pivot server).

There is a lot more to be said about this bug class, so rather than bore
you with it in this advisory I provide a link to my 2009 blog post:
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
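The root cause described above is an engine that silently skips a container it cannot parse, and a gateway that then treats the skipped file as clean. The defensive counterpart is to fail closed: a container that does not parse consistently is held for inspection rather than passed through. The following Python script is an added illustration of that policy and is not code from this advisory, from Avira, or from any OEM product. It runs a handful of ISO 9660 structural consistency checks (primary volume descriptor at sector 16, the CD001 identifier, both-endian size fields agreeing, the root directory extent lying inside the image, and a terminator closing the descriptor set) and quarantines anything that fails. It assumes 2048-byte logical blocks, and the sample images it checks are constructed in memory; none of them is the manipulation the advisory refers to.

```python
"""
Fail-closed ISO 9660 container check (added example, not vendor code).
Assumption: 2048-byte logical blocks; only descriptor-level structure is
checked. Sample images below are constructed here, not real media.
"""
import struct

SECTOR = 2048
PVD_SECTOR = 16                 # ISO 9660: volume descriptors start at sector 16
VD_PRIMARY, VD_TERMINATOR = 1, 255
MAGIC = b"CD001"


def _both_endian(buf, off, fmt_lsb, fmt_msb, width):
    """Read an ISO 9660 both-endian field as (little-endian, big-endian)."""
    return (struct.unpack_from(fmt_lsb, buf, off)[0],
            struct.unpack_from(fmt_msb, buf, off + width)[0])


def check_iso(data):
    """Return a list of structural anomalies; an empty list means sane."""
    problems = []
    if len(data) < (PVD_SECTOR + 2) * SECTOR:
        return ["image too small to hold a PVD and a terminator"]
    pvd = data[PVD_SECTOR * SECTOR:(PVD_SECTOR + 1) * SECTOR]
    if pvd[0] != VD_PRIMARY or pvd[1:6] != MAGIC:
        problems.append("sector 16 is not a CD001 primary volume descriptor")
    space_l, space_m = _both_endian(pvd, 80, "<I", ">I", 4)    # volume space size
    blk_l, blk_m = _both_endian(pvd, 128, "<H", ">H", 2)       # logical block size
    if space_l != space_m or blk_l != blk_m:
        problems.append("both-endian size fields disagree")
    if blk_l not in (512, 1024, 2048):
        problems.append("implausible logical block size")
    elif space_l * blk_l > len(data):
        problems.append("declared volume size exceeds the image")
    root = pvd[156:190]                                        # root directory record
    root_lba_l, root_lba_m = _both_endian(root, 2, "<I", ">I", 4)
    root_len = struct.unpack_from("<I", root, 10)[0]
    if root_lba_l != root_lba_m or root_lba_l * SECTOR + root_len > len(data):
        problems.append("root directory extent outside the image")
    terminated = False
    for s in range(PVD_SECTOR + 1, len(data) // SECTOR):
        off = s * SECTOR
        if data[off + 1:off + 6] != MAGIC:
            problems.append("descriptor set interrupted before terminator")
            break
        if data[off] == VD_TERMINATOR:
            terminated = True
            break
    if not terminated:
        problems.append("volume descriptor set has no terminator")
    return problems


def gateway_verdict(data):
    """Fail closed: anything that does not parse cleanly is held for inspection."""
    return "clean-parse" if not check_iso(data) else "quarantine"


def build_sample_iso(root_lba=18, total_sectors=20):
    """Constructed minimal image: PVD at sector 16, terminator at sector 17."""
    img = bytearray(total_sectors * SECTOR)
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = VD_PRIMARY, MAGIC, 1
    pvd[40:72] = b"SAMPLE".ljust(32)                           # volume identifier
    struct.pack_into("<I", pvd, 80, total_sectors)
    struct.pack_into(">I", pvd, 84, total_sectors)
    struct.pack_into("<H", pvd, 128, SECTOR)
    struct.pack_into(">H", pvd, 130, SECTOR)
    root = bytearray(34)
    root[0] = 34                                               # record length
    struct.pack_into("<I", root, 2, root_lba)
    struct.pack_into(">I", root, 6, root_lba)
    struct.pack_into("<I", root, 10, SECTOR)                   # extent length
    struct.pack_into(">I", root, 14, SECTOR)
    root[25], root[32], root[33] = 2, 1, 0                     # dir flag, name len, name
    pvd[156:190] = root
    img[PVD_SECTOR * SECTOR:(PVD_SECTOR + 1) * SECTOR] = pvd
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = VD_TERMINATOR, MAGIC, 1
    img[(PVD_SECTOR + 1) * SECTOR:(PVD_SECTOR + 2) * SECTOR] = term
    return bytes(img)


def sample_images():
    """Constructed inputs: one sane image and three malformed variants."""
    good = build_sample_iso()
    p = PVD_SECTOR * SECTOR
    return {
        "sane": good,
        "truncated": good[:(PVD_SECTOR + 1) * SECTOR],          # descriptor set cut off
        "root_out_of_bounds": build_sample_iso(root_lba=0x7FFFFFFF),
        "no_magic": good[:p + 1] + b"XXXXX" + good[p + 6:],     # CD001 overwritten
    }


if __name__ == "__main__":
    for name, img in sample_images().items():
        print(f"{name:20s} {gateway_verdict(img):12s} {check_iso(img)}")
```

Only the sane image gets a clean-parse verdict; the three malformed variants are quarantined with the specific anomaly recorded, which is the outcome a gateway or scheduled scan should produce instead of a clean bill of health. A real deployment would apply the same fail-closed rule to every container format the engine claims to support.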

IV. Patch / Advisory
----------------------------
PATCHED - Engine version 8.3.54.138.

V. Disclosure timeline
----------------------------

How Avira handled these reports in 2009 :
https://blog.zoller.lu/2009/04/avira-antivir-generic-cab-bypass.html

28 NOV 2019
Submitted the Vulnerability Details

04 DEC 2019
AVIRA releases a patch but doesn't inform the public and/or customers.

© 2016 Packet Storm. All rights reserved.