
Avira Antivirus PDF Evasion

Posted May 19, 2009
Authored by Thierry Zoller

Avira Antivir suffers from a generic PDF evasion vulnerability.

tags | advisory
SHA-256 | c422cef1fb8f5e6a290025368c6ea7a997667b1917a52175b810af05426a9c05

________________________________________________________________________

From the low-hanging-fruit-department
Avira Antivir generic PDF evasion of heuristics
________________________________________________________________________

CHEAP Plug :
************
You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!
************

Release mode: Coordinated but limited disclosure.
Ref : [TZO-22-2009] - Avira Antivir generic PDF evasion (heuristics)
WWW : http://blog.zoller.lu/2009/04/advisory-avira-antivir-generic-evasion.html
Vendor : http://www.avira.com
Status : Patched (Engine-Version: AV7 7.9.0.168 / AV8/9: 8.2.0.168)
CVE : none provided
Credit : t.b.a
OSVDB vendor entry: none [1]
Security notification reaction rating : good
Notification to patch window : 10 days

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
- Avira AntiVir Free
- Avira AntiVir Premium
- Avira AntiVir Premium Security Suite
- Avira AntiVir Professional (Desktop)
- Avira AntiVir Server
- Avira AntiVir Exchange
- Avira AntiVir SharePoint
- Avira AntiVir ISA Server
- Avira AntiVir MIMEsweeper
- Avira AntiVir for KEN! 4
- Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
- Avira AntiVir Professional (Unix)
- Avira AntiVir Server (Unix)
- Avira AntiVir MailGate
- Avira AntiVir WebGate

I. Background
~~~~~~~~~~~~~
Quote: "Avira AntiVir is a reliable free antivirus solution, that constantly
and rapidly scans your computer for malicious programs such as viruses,
Trojans, backdoor programs, hoaxes, worms, dialers etc. Monitors
every action executed by the user or the operating system and reacts
promptly when a malicious program is detected.

The protection experts have numerous company locations throughout
Germany and cultivate partnerships in Europe, Asia and America.
Avira has more than 180 employees at their main office in Tettnang
near Lake Constance and is one of the largest employers in the region.

AV-Comparatives e.V. have chosen Avira AntiVir Premium as the
best anti-virus solution of 2008"


II. Description
~~~~~~~~~~~~~~~
The heuristics can be bypassed by a specially formatted PDF "container"; this
allows malicious PDF files, old or new, to pass the scanner undetected. This is
not a bypass that relies on archive structures; it relies on evading certain
code paths in the AV engine "through various means".


III. Impact
~~~~~~~~~~~

To know more about the impact and type of "evasion", I updated the
description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

Interestingly, this opens the possibility of evasion at both scan time and
run time.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
08/05/2009 : Sent proof of concept, a description of the terms under which
I cooperate, and the planned disclosure date.

10/05/2009 : Avira acknowledges receipt.

11/05/2009 : Avira states that the internal development build has been
patched and that the public updates are to be rolled out
end of the week.

18/05/2009 : Avira informs me that "we already released the fixed engine
to the public on friday, 15th May, 17:59 pm CET:
Engine-Version: AV7 7.9.0.168 / AV8/9: 8.2.0.168"

18/05/2009 : Release of this advisory.


[1]
Avira is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/AVIRA%20GmbH to facilitate communication and reduce lost reports.
