Trendmicro RAR/CAB/ZIP Bypass

Posted Apr 29, 2009
Authored by Thierry Zoller

The Trendmicro parsing engine can be bypassed by specially crafted and formatted ZIP, RAR, and CAB archives.

tags | advisory
SHA-256 | abed09554259c2e3388a70a248472bb87093766b256b9972dcf7ee400e610a4b

______________________________________________________________________

Trendmicro RAR,CAB,ZIP bypass/evasions
______________________________________________________________________

Release mode: Coordinated but limited disclosure.
Ref : TZO-172009 - Trendmicro RAR,CAB,ZIP bypass/evasion
WWW : http://blog.zoller.lu/2009/04/trendmicro-multiple-evasion-and-bypass.html
Status : No patch, but mitigation recommendations for certain
products (see below)
Vendor : http://www.trendmicro.com/
Security notification reaction rating : Good
Notification to patch time window : n+1 days (no patch)

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :

Client-side products
---------------------
These will not be patched; Trend's reason is that malware will be detected
upon extraction. While this is true for end-user setups, it is not the case
if you use such products to scan file servers, database servers or any
server where an end user does not actively extract content. The detection is
still completely bypassed. In other words, you can no longer assume that a
RAR, ZIP or CAB (or any other archive) is safe/clean after a Trendmicro scan
with these products.

Hence I can no longer recommend these products for such uses, and hence my
recommendation to Trend to offer patches. If you use the products in such an
environment, please contact Trend and ask for a patch.

I applaud Trend however for the time and effort spent with communicating
with me and the transparency presented.

Client-side Impact : Low for usage in End-user scenarios
Client-side Impact : High for usage in fileserver, database scenarios.

1. OfficeScan product suites (All of OfficeScan products)
2. ServerProtect product suite (All ServerProtect products)
-ServerProtect for Microsoft Windows/Novell NetWare
-ServerProtect for EMC Celerra
-ServerProtect for NetApp
-Server Protect for Linux
-ServerProtect for Network Appliance Filers

3. Trend Micro Internet Security product suites
(Internet Security Pro, Internet Security, Antivirus+AntiSpyware)
4. Client / Server / Messaging Suite ( The OfficeScan component )
5. Worry Free Business Security - Standard
6. Worry Free Business Security - Advanced ( The security agent component )
7. Worry Free Business Security Hosted
8. Housecall

Gateway products
-----------------
InterScan Web Security Suite product lines and
InterScan Web Protect for ISA
Impact: Detection is evaded, but files are quarantined by default;
residual risk of an administrator unblocking a file, as there is
no detection of malicious code.

InterScan Messaging Security Appliance
Impact: Detection is evaded, but files are quarantined by default;
residual risk of an administrator unblocking a file, as there is
no detection of malicious code.

Neatsuite Advanced (combination of InterScan Messaging Security Suite,
InterScan Web Security Suite, ScanMail Suite for Domino or Exchange, and All)

Please see the specific product recommendations.

ScanMail for Exchange
Impact: Protection is bypassed by default
After mitigation: Residual risk of an administrator unblocking a
file, as there is no detection of malicious code.

Mitigation recommendations from Trend:
1. Set the "Virus Scan > Action > Files outside of scan restriction
Criteria" to any of the secured options. Quarantine entire message
and set to Notify
2. The CAB file will be blocked and the Administrator will
receive the email notification.

ScanMail for Domino Suites
Impact: Protection is bypassed by default; detection is also bypassed after mitigation,
but the file is quarantined as "non extractable".
After mitigation: Residual risk of an administrator unblocking a
file, as there is no detection of malicious code.

Mitigation recommendations from Trend:
1. Open the ScanMail for Domino Configuration database
2. Go to Configurations > Policies
3. Double click on Default Mail Scan
4. Click on Scan Options Tab > Scan Restrictions
5. Put a mark on Exceed extracted file size and set this to either of the more secure actions
a. Quarantine
b. Delete
6. Put any of the preferred value to maximum extracted file size
7. Click on Save & Close


I. Background
~~~~~~~~~~~~~
Quote:"Trend Micro Incorporated is a global leader in network antivirus and Internet content security software and services. Founded in 1988, Trend Micro was a pioneer in secure content and threat management, leading the migration of early virus protection from the desktop to the network server and the Internet gateway. Today, the company continues to advance its comprehensive approach to management of content security threats into the Internet cloud, encompassing information flow beyond the boundaries of the network. With its 24x7 global support operations and dedication to innovative technologies and methodologies, Trend Micro is well positioned to protect its customers against an expanding range of threats that silently endanger business operations, personal information, and property."


II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formatted
ZIP, RAR or CAB archive. Details are currently withheld because other vendors
are in the process of deploying patches.

III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug denies the engine the ability to inspect the code within the CAB
archive. The content is not inspected at all.

Trendmicro decided not to patch the evasion bugs and instead proposed mitigation
recommendations; the reason given is that patching would somehow increase
the risk of "buffer overflow and BSOD". I am sure that adding more code to
increase detection rates is probably going to increase your chances of having
such flaws, but then again, the goal is to catch as much malware as possible.

This is fine with me as long as customers know exactly what risk they run
or don't run when following such recommendations, and why other AV vendors
simply reduce the amount of trusted input to a minimum
(i.e. only parse and interpret the bare minimum required to extract the content
of an archive) instead of giving up. In my view, the goal of an
anti-virus program is to detect as much malware as possible.
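The policy this argument and Trend's own workaround both point to is fail-closed handling: when the engine cannot parse an archive, the gateway should quarantine or block it rather than pass it. The following is an added example, not code from the advisory or from Trend's engine; it walks ZIP local file headers and flags a declared packed size larger than the archive itself (the condition Trend's reply ties to its -82 BAD_ZIP_ERR result), and the fixture names, the `fail_closed` switch and the action labels are my assumptions.

```python
import io
import struct
import zipfile
from typing import Tuple

LOCAL_SIG = b"PK\x03\x04"
# version, flags, method, mtime, mdate, crc32, comp_size, uncomp_size, name_len, extra_len
LOCAL_FMT = "<5H3I2H"


def check_zip_headers(data: bytes) -> Tuple[bool, str]:
    """Walk the local file headers in order and verify that every declared
    compressed size fits inside the archive. Returns (ok, reason)."""
    pos, entries = 0, 0
    while data[pos:pos + 4] == LOCAL_SIG:
        if len(data) < pos + 30:
            return False, "truncated local header"
        _, flags, _, _, _, _, csize, _, nlen, xlen = struct.unpack(LOCAL_FMT, data[pos + 4:pos + 30])
        if flags & 0x08:  # sizes deferred to a data descriptor: not verifiable from this header
            return False, "deferred sizes (data descriptor)"
        payload = pos + 30 + nlen + xlen
        if payload + csize > len(data):
            return False, f"entry {entries}: packed size {csize} exceeds archive ({len(data)} bytes)"
        pos, entries = payload + csize, entries + 1
    if entries == 0:
        return False, "no local file header found"
    return True, f"{entries} entries consistent"


def gateway_action(data: bytes, fail_closed: bool) -> str:
    """fail_closed=False models the default the advisory criticises (an archive the
    engine cannot parse is passed); fail_closed=True models Trend's mitigation
    (quarantine on scan error). Only a consistent archive goes on to content scanning."""
    ok, _ = check_zip_headers(data)
    if ok:
        return "scan-content"
    return "quarantine" if fail_closed else "pass"


def sample_zip() -> bytes:
    """Constructed fixture: a well-formed one-entry ZIP holding harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "harmless sample content\n" * 8)
    return buf.getvalue()


def with_inconsistent_packed_size(data: bytes) -> bytes:
    """Constructed fixture: overwrite the first header's compressed-size field
    (bytes 18..21) with more than the whole archive length."""
    return data[:18] + struct.pack("<I", len(data) + 1) + data[22:]


if __name__ == "__main__":
    for label, blob in (("well-formed", sample_zip()), ("inconsistent", with_inconsistent_packed_size(sample_zip()))):
        print(label, check_zip_headers(blob), gateway_action(blob, fail_closed=True))
```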


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~

14/03/2009 : Sent proof of concept, description, the terms under which
I cooperate and the planned disclosure date

No reply

16/03/2009 : Resent

No reply

09/04/2009 : Resending, specifying this is the last attempt at responsible
disclosure.

No reply

13/04/2009 : Resending, specifying this is the last attempt at responsible
disclosure (sic)

13/04/2009 : Trend replies and acknowledges receipt of previous reports.

14/04/2009 : Trend replies that
"1. Scan Engine found that modified packed size is greater than archive
size during scanning corrupted RAR.
2. Scan Engine didn't force to decompress corrupted archive because to
decompress invalid archive could incur unexpected result, for example,
buffer overflow and BSOD.
[..]
4. The risk of decompressing invalid archive is much higher than gateway
products pass it when get error code -82 (BAD_ZIP_ERR)"
and
"virus leak should still not occur because once you decompress the archive,
Real-Time scan will still detect the malware once it's extracted out
of the corrupted archive."

"One concern that we see from this point is that Gateway products won't be
able to extract the archive during its scanning phase. (You will have
to manually extract the file for IMSx or IWSx to detect the malware).
However, as stated earlier we cannot force the extraction of corrupted
archives because of other potential issues that could occur.
So a workaround would be to configure your gateway solution to
or block files wherein the scan result is "uncertain" or when the
scan engine returns a specific error code (in this case -82)."


14/04/2009 : Ask Trend to reconsider its position, assuming the files bypass the gateway
appliances.

14/04/2009 : Trend replies with more details clarifying that gateways are configured
to quarantine such files per default.

14/04/2009 : Ask for clarifications as to product ranges and default configurations

14/04/2009 : Trend confirms that the "Gateway InterScan Messaging 7.0" products are
configured to quarantine these by default and is investigating the
other default configurations.
"On Trend Micro desktop products, upon testing with the rar and the cab
that you had submitted, the archives will not trigger the scanning
component. However once the files are extracted by winrar, winzip
or any other archiving software they will be detected by the Trend
Micro product before the malicious file can execute."

15/04/2009 : Trendmicro comes back with a detailed list of gateway products and
default configurations

Trend recommends 2 mitigation configurations for Scanmail product ranges

16/04/2009 : Point out that one of these mitigation configurations opens the gateway
to DoS attacks (allow x times the size of compression archive) and ask
for a list of affected products.

23/04/2009 : Trend changes the mitigation recommendation for one of the ScanMail products

[..] Taking a shortcut in the timeline.

29/04/2009 : Release of this advisory
