what you don't know can hurt you

IBM / ISS Proventia Evasion

IBM / ISS Proventia Evasion
Posted Apr 2, 2009
Authored by Thierry Zoller

The parsing engine in IBM ISS Proventia can be bypassed by manipulating RAR archives in a certain way that the IBM engine cannot extract the content but the end user is able to.

tags | advisory
MD5 | 499804ac3c33ecd28e2c60afdc56cbe9

IBM / ISS Proventia Evasion

Change Mirror Download
______________________________________________________________________

From the low-hanging-fruit-department - IBM /ISS Proventia evasion
______________________________________________________________________

Release mode: Forced disclosure, no answer from vendor.
Ref : TZO-06-2009-IBM Proventia
WWW : http://blog.zoller.lu/2009/04/ibm-proventia-evasion-limited-details.html
Vendor : http://www.ibm.com
Security notification reaction rating : Catastrophic (see Timeline)

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : IBM Proventia engine (minimum 4.9.0.0.44 20081231
Official Release) other products using the engine are likely to be
affected too. As IBM has not cooperated in any way and I have better
things to do than to test IBM products for free I cannot state all
affected products, if you are an IBM/ISS customer please call IBM
support and request more details.


About this advisory
-------------------
I used to not report bugs publicly where a a vendor - has not reacted
to my notifications - silently patched. I also did not publish
low hanging fruits as they make you look silly in the eyes of your
peers.

Over the past years I had the chace to audit and test a lot of critical
infrastructures that (also) relied on products (and about security
notification from vendors) and have witnessed various ways of setting
up your defenses that make some bugs critical that you'd consider low,
I came to the conclusion that most bugs deserve disclosure.

Please see "Common misconceptions" for more information.

I. Background
~~~~~~~~~~~~~
IBM Internet Security Systems (ISS) offers a comprehensive portfolio
of IT security products and services for organizations of all sizes.

IBM Proventia Network Mail Security System and IBM Proventia
Network Mail Security System Virtual Appliance provide spam
control and preemptive protection for your messaging
infrastructure.

Proventia Network Mail is the only email security solution equipped
with the IBM Intrusion Prevention System (IPS) engine and a behavioral
genotype (SIC!) anti-virus technology, along with remote malware
detection and Sophos signature-based anti-virus.

II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by manipulating RAR archive in
a "certain way" that the IBM engine cannot extract the content but
the end user is able to. Details are currently witheld (see below).

A professional reaction to a vulnerability notification is a way
to measure the maturity of a vendor in terms of security. IBM is
given a grace period of two (2) weeks to reply to my notification.
Failure to do so will resulting in POC being released in two (2)
weeks. If IBM is not aware of how to deal with security notifications
I recommend them to read my security notification response draft on
how to do so at
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

As this bug has not been reproduced by the vendor, this advisory
relies on the assumption that my tests were conclusive.

I would like to thank AV-Tests GMBH for the cooperation.

III. Impact
~~~~~~~~~~~
The bug results in denying the engine the possibility to inspect
code within the RAR archive. While the impact might be low client-
side (as code is inspected upon extraction by the user) the impact
for gateways or AV infrastructure where the archive is not extracted
is considerable. There is no inspection of the content at all, prior
disclosure therefore refered to this class of bugs as Denial of service
(you deny the service of the scan engine for that file) however I
choose to stick the terms of evasion/bypass, being the primary impact
of these types of bugs.

PS. I am aware that there are hundreds of ways to bypass, that however
doesn't make it less of a problem. I am waiting for the day where the
first worm uses these techniques to stay undetected over a longer
period of time, as depending on the evasion a kernel update (engine
update) is necessary and sig updates do not suffice. Resulting in
longer window of exposure - at least for GW solutions. *Must make
confiker reference here*


IV. Common misconceptions about this "bug class"
--------------------------------------------------
- This has the same effect as adding a password to a ZIP file

The scanner denotes files that are passworded, an example is an E-mail
GW scanner that adds "Attachement not scanned" to the subject line or
otherwise indicates that the file was not scanned. This is not the case
with bypasses, in most cases the engine has not inspected the content
at all or has inspected it in a different way.
Additionaly passworded archive files are easily filterable by a content
policy, allowing or denying them.

- This is only an issue with gateway products

Every environment where the archive is not actively extracted by
the end-user is affected. For example, fileservers, databases
etc. pp. Over the years I saw the strangest environments that
were affected by this type of "bug". My position is that customers
deserve better security than this.

- If this is exploited by a worm it will be fixed within minutes.
Some bypasses required modifications in the AV "kernel" and cannot be
fixed with a signature update. As such it would not only take longer
but for those clients that do no push binary updates immediately
increase the window of exposure consistently.

- Behavioral analysis will catch this ?
No, the content is unreadable to the AV engine as such no inspection
whatsoever is possible.

- Evasions are the Cross Site scripting of File formats bugs
Yes.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~

IBM was sent two POC files, an explanation and the disclosure terms
(http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html)

09/03/2009 : Send proof of concept, description the terms under which
I cooperate and the planned disclosure date (23/03/2009)
Note: The security contact adress listed in OSVDB was used.

No reply.

13/03/2009 : Resend email indicating this is the last attempt to
coordinate disclosure

No reply.

23/03/2009 : Send another Report and a second POC

No reply.

02/04/2009 : Publication of a limited detail advisory, grace period of
2 weeks given to IBM prior to full detail advisory.






--
http://secdev.zoller.lu
Thierry Zoller
Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close