AVAST Generic Archive Bypass

Posted Feb 26, 2020
Authored by Thierry Zoller

The AVAST parsing engine supports the ZIP archive format. The parsing engine can be bypassed by specifically manipulating a ZIP archive so that it can be accessed by an end-user but not the anti-virus software. The AV engine is unable to scan the container and gives the file a "clean" rating.

tags | advisory, virus
advisories | CVE-2020-9399
MD5 | 2a5619ab4bba5b0d39515674edc6e6b1

________________________________________________________________________

From the low-hanging-fruit-department
Avast Generic Malformed Archive Bypass (ZIP GFlag)
________________________________________________________________________

Release mode : Coordinated Disclosure
Ref : [TZO-23-2020] - AVAST Generic Archive Bypass (ZIP)
Vendor : AVAST
Status : Patched - version 12 and newer
CVE : CVE-2020-9399

Blog : https://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
Twitter : https://twitter.com/thierryzoller
Disclosure Policy: https://caravelahq.com/b/policy/20949

Affected Products
=================
Avast Antivirus Pro Plus
Avast Antivirus Pro
Avast Antivirus für Linux

I. Background
=============
Avast is dedicated to creating a world that provides safety and privacy
for all, no matter who you are, where you are, or how you connect.
Avast is one of the largest security companies in the world using
next-gen technologies to fight cyber attacks in real time. We differ
from other next-gen companies in that we have an immense cloud-based
machine learning engine that receives a constant stream of data from our
hundreds of millions of users, which facilitates learning at
unprecedented speeds and makes our artificial intelligence engine
smarter and faster than anyone else’s.


II. Description
----------------------------
The parsing engine supports the ZIP archive format. The parsing engine
can be bypassed by specifically manipulating a ZIP archive so that it
can be accessed by an end-user but not the anti-virus software. The AV
engine is unable to scan the container and gives the file a "clean"
rating.

I may release further details after all known vulnerable vendors have
patched their engines.


III. Impact
----------------------------
Impact depends on the contextual use of the product and engine within
the organisation of a customer. Gateway products (email, HTTP proxy, etc.)
may allow the file through unscanned and give it a clean bill of health.
Server-side AV software will not be able to discover any code or sample
contained within this ISO file, and it will not raise suspicion even if
you know exactly what you are looking for (which is, for example, great to
hide your implants or exfiltration/pivot server).

There is a lot more to be said about this bug class, so rather than bore
you with it in this advisory I provide a link to my 2009 blog post:
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
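
As an added illustration (not code from this advisory or from Avast), the sketch below shows a pre-scan triage that a gateway could run so that a ZIP container with inconsistent or reserved general-purpose flags is held instead of being passed on with a "clean" rating. The advisory does not publish which flag manipulation is involved, so this is a generic consistency heuristic; `triage`, `constructed_samples` and the verdict names are hypothetical, and ZIP64 archives are out of scope.

```python
import io
import struct
import zipfile

LFH_SIG, CDH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
RESERVED_BITS = 0xD780  # flag bits APPNOTE marks unused/reserved: 7-10, 12, 14, 15

def triage(data: bytes):
    """Return ("scan", []) or ("hold", reasons); never a "clean" verdict."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        return "hold", ["no end-of-central-directory record"]
    # EOCD: total entry count at +10, central directory size at +12, offset at +16
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    reasons = []
    for _ in range(count):
        if pos + 46 > len(data) or data[pos:pos + 4] != CDH_SIG:
            return "hold", reasons + ["central directory entry unreadable"]
        (cd_flags,) = struct.unpack_from("<H", data, pos + 8)
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        (lfh_off,) = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + nlen].decode("cp437", "replace")
        if lfh_off + 30 > len(data) or data[lfh_off:lfh_off + 4] != LFH_SIG:
            reasons.append(f"{name}: local header missing")
        else:
            (lf_flags,) = struct.unpack_from("<H", data, lfh_off + 6)
            if lf_flags != cd_flags:
                reasons.append(f"{name}: flags differ "
                               f"(local 0x{lf_flags:04x}, central 0x{cd_flags:04x})")
            if (lf_flags | cd_flags) & RESERVED_BITS:
                reasons.append(f"{name}: reserved flag bits set")
        pos += 46 + nlen + elen + clen
    return ("hold", reasons) if reasons else ("scan", [])

def constructed_samples():
    """Build two in-memory test archives (constructed for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
    good = buf.getvalue()
    odd = bytearray(good)
    odd[7] |= 0x80  # arbitrary reserved bit, set in the local header only
    return good, bytes(odd)

if __name__ == "__main__":
    samples = (*constructed_samples(), b"PK\x03\x04")
    for label, blob in zip(("good", "odd", "truncated"), samples):
        print(label, triage(blob))
```

"scan" means the file is handed to the AV unpacker as usual; "hold" means it is treated as unscannable. Some archivers write slightly different flags in the two headers, so expect to tune the mismatch rule against your own traffic.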

IV. Patch / Advisory
----------------------------
11.10.2019 - Submission
24.02.2020 - Confirmation by Avast that these have been patched.
"The fix was released in virus definitions 200114-0 (except for very old
program versions 5.x - 11.x where it hasn't been released yet).
So any program (version 12 and newer) with up-to-date virus definitions
has the updated unpacker."