AVG Generic ZIP Bypass
Posted May 10, 2009
Authored by Thierry Zoller

The AVG parsing engine can be bypassed by a specially crafted and formatted ZIP archive.

tags | advisory
SHA-256 | 78ba2d958676f1093de1a3b7ea680a645c2d7465b65693c1fd0ed5118e9ef9fd

________________________________________________________________________

From the low-hanging-fruit-department - AVG generic ZIP bypass / evasion
________________________________________________________________________

CHEAP Plug :
****
You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!
****

Release mode: Coordinated but limited disclosure.
Ref : [TZO-20-2009] - AVG generic ZIP bypass / evasion
WWW : http://blog.zoller.lu/2009/04/avg-zip-evasion-bypass.html
Vendor : http://www.AVG.com
Status : Patched (with engine build 8.5 323)
CVE : none provided
Credit : t.b.a
OSVDB vendor entry: none [1]
Security notification reaction rating : good
Notification to patch window : +-28 days

Comment:
Interestingly at AVG, the support department handles the security
notification response, which strangely seemed to work out this time. I guess when
procedures and awareness are in place it doesn't matter that much.
(You lose the "bouncer effect" for irrelevant reports though). I'd recommend
to designate one person to be responsible for security-related issues, and "train"
the others to forward to that person (even in case of doubt if security or not)
if you choose to have support department handle security notifications.



Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
- AVG Anti-Virus Network Edition (prior to engine build 8.5 323)
- AVG Internet Security Network Edition (prior to engine build 8.5 323)
- AVG Server Edition for Linux/FreeBSD (prior to engine build 8.5 323)
- AVG eMail Server Edition (prior to engine build 8.5 323)
- AVG File Server Edition (prior to engine build 8.5 323)
- AVG Internet Security SBS Edition (prior to engine build 8.5 323)
- AVG Anti-Virus SBS Edition (prior to engine build 8.5 323)
- AVG Anti-Virus plus Firewall (prior to engine build 8.5 323)
- AVG Anti-Virus (prior to engine build 8.5 323)

I. Background
~~~~~~~~~~~~~
Quote: "Founded in 1991, with corporate offices in Europe, the US
and the UK, AVG is focused on providing home and business computer
users with the most comprehensive and proactive protection against
computer security threats.

With more than 80 million active users around the world, the AVG
family of security software products is distributed globally through
resellers and through the Web and supports all major operating
systems and platforms."


II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formatted
ZIP archive (file length).

III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug prevents the engine from inspecting code inside RAR and ZIP
archives. The content is not inspected at all, so malicious code in such
archives cannot be detected.
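As an added defender-side illustration (not part of the advisory or of AVG's engine), a consistency check that a scanner or mail gateway can apply before trusting a ZIP's declared lengths: it compares each local file header against the central directory and the actual file size, and reports any disagreement instead of silently skipping the member. The archive bytes are constructed in the block; since the advisory does not describe the exact malformation, the check is generic to the "file length" bug class.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header signature
LOCAL_HDR_LEN = 30          # fixed part of the local file header

def check_zip_lengths(data: bytes) -> list:
    """Return (member, problem) pairs; empty means every local header's
    declared sizes agree with the central directory and the bytes present."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            hdr = data[off:off + LOCAL_HDR_LEN]
            if len(hdr) < LOCAL_HDR_LEN or hdr[:4] != LOCAL_SIG:
                problems.append((info.filename, "bad local header"))
                continue
            # flag bit 3 means the sizes live in a trailing data descriptor,
            # so zero local size fields are legitimate in that case
            (flags,) = struct.unpack_from("<H", hdr, 6)
            csize, usize, nlen, xlen = struct.unpack_from("<IIHH", hdr, 18)
            if not (flags & 0x08 and csize == 0 and usize == 0):
                if csize != info.compress_size:
                    problems.append((info.filename, "local compressed size "
                                     f"{csize} != central {info.compress_size}"))
                if usize != info.file_size:
                    problems.append((info.filename, "local uncompressed size "
                                     f"{usize} != central {info.file_size}"))
            # the member's data must also fit inside the file
            if off + LOCAL_HDR_LEN + nlen + xlen + info.compress_size > len(data):
                problems.append((info.filename, "data runs past end of file"))
    return problems

def build_sample() -> bytes:
    """Constructed well-formed archive with a single stored member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hello.txt", b"hello zip")
    return buf.getvalue()

def corrupt_local_size(data: bytes) -> bytes:
    """Constructed inconsistent variant: the first local header (at offset 0)
    gets a compressed-size field that disagrees with the central directory."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, 18, 4)
    return bytes(buf)
```

A scanner that only reads the central directory, or only the local headers, will see one consistent story; reading both and insisting they agree is what makes the mismatch visible.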


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
10/04/2009 : Send proof of concept, a description of the terms under which
I cooperate and the planned disclosure date.

14/04/2009 : AVG acknowledges reproducibility

14/04/2009 : I inform AVG that this is a security notification not a simple
bug report.

15/04/2009 : AVG acknowledges through a second channel

15/04/2009 : AVG informs me that the fix has been made and the code is
currently being tested prior to being deployed.

15/04/2009 : Ask second channel AVG contact what versions and products
are affected.

no reply

07/05/2009 : Ask AVG whether the patches have now been deployed

08/05/2009 : AVG answers that the patches have been deployed

08/05/2009 : Ask AVG what versions have been affected

08/05/2009 : AVG states that "[..]AVG 8.5 build 285 are affected by this
issue but the latest release of AVG 8.5 build 323 has
resolved the reported issue.[..]"

08/05/2009 : Release of this advisory.


[1]
Grisoft (AVG) is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/Grisoft to facilitate communication and reduce
lost reports.
