________________________________________________________________________

From the low-hanging-fruit-department - Mcafee multiple generic evasions
________________________________________________________________________

Release mode: Coordinated but limited disclosure.
Ref         : TZO-182009 - Mcafee multiple generic evasions
WWW         : http://blog.zoller.lu/2009/04/mcafee-multiple-bypassesevasions-ziprar.html
Vendor      : http://www.mcafee.com
Status      : Patched
CVE         : CVE-2009-1348 (provided by mcafee)
https://kc.mcafee.com/corporate/index?page=content&id=SB10001&actp=LIST_RECENT

Security notification reaction rating : very good
Notification to patch window : +-27 days (Eastern holidays in between)

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- McAfee VirusScan® Plus 2009
- McAfee Total Protection™ 2009
- McAfee Internet Security
- McAfee VirusScan USB
- McAfee VirusScan Enterprise
- McAfee VirusScan Enterprise Linux
- McAfee VirusScan Enterprise for SAP
- McAfee VirusScan Enterprise for Storage
- McAfee VirusScan Commandline
- Mcafee SecurityShield for Microsoft ISA Server
- Mcafee Security for Microsoft Sharepoint
- Mcafee Security for Email Servers
- McAfee Email Gateyway
- McAfee Total Protection for Endpoint
- McAfee Active Virus Defense
- McAfee Active VirusScan
 
It is unkown whether SaaS were affected (tough likely) :
- McAfee Email Security Service
- McAfee Total Protection Service Advanced


I. Background
~~~~~~~~~~~~~
Quote: "McAfee proactively secures systems and networks from known 
and as yet undiscovered threats worldwide. Home users, businesses, 
service providers, government agencies, and our partners all trust 
our unmatched security expertise and have confidence in our 
comprehensive and proven solutions to effectively block attacks
and prevent disruptions."


II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formated
RAR (Headflags and Packsize),ZIP (Filelenght) archive.

III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within RAR and ZIP archives. There is no inspection of the content
at all and hence the impossibility to detect malicious code.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
04/04/2009 : Send proof of concept RAR I, description the terms under which 
             I cooperate and the planned disclosure date
                         
06/04/2009 : Send proof of concept RAR II, description the terms under which 
             I cooperate and the planned disclosure date
                         
06/04/2009 : Mcafee acknowledges receipt and reproduction of RAR I, ack
             acknowledges receipt of RARII                       
                         
10/04/2009 : Send proof of concept ZIP I, description the terms under which 
             I cooperate and the planned disclosure date

21/04/2009 : Mcafee provides CVE number CVE-2009-1348 
                         
28/04/2009 : Mcafee informs me that the patch might be released on the 29th
29/04/2009 : Mcafee confirms patch release and provides URL
             https://kc.mcafee.com/corporate/index?page=content&id=SB10001&actp=LIST_RECENT
                         
29/04/2009 : Ask for affected versions

29/04/2009 : Mcafee replies " This issue does affect all vs engine products, including 
             both gateway and endpoint"