F-prot TAR Bypass / Evasion
Posted Jun 15, 2009
Authored by Thierry Zoller

The F-prot parsing engine can be bypassed by a specially crafted and formatted TAR archive.

tags | advisory
SHA-256 | dfbeadbf4429aedb4b3293e8587c35d54104a2ec76c6f28051b8946cbab51a94

________________________________________________________________________

From the low-hanging-fruit-department
F-prot generic evasion (TAR)
________________________________________________________________________

CHEAP Plug :
************
You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!
************

Release mode: Coordinated but limited disclosure.
Ref : [TZO-33-2009] - F-prot TAR bypass / evasion
WWW : http://blog.zoller.lu/2009/06/advisory-frisk-f-prot-evasion-tar.html
Vendor : http://www.f-prot.com
Status : Current version not patched, next engine version will be patched
CVE : none provided
Credit : Given in the History file
OSVDB vendor entry: none [1]
Security notification reaction rating : better than last time
Notification to patch window : n+1 (no patch for current build)

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products (all versions up to 4.5.0, which is not released yet)
- F-PROT AVES (High: complete bypass of engine)
- F-PROT Antivirus for Windows (unknown)
- F-PROT Antivirus for Windows on Mail Servers : (High: complete bypass of engine)
- F-PROT Antivirus for Exchange (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 Mail Servers : (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 File Servers : (High: complete bypass of engine)
- F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete bypass of engine)
- F-PROT Milter - for example sendmail (High: complete bypass of engine)
- F-PROT Antivirus for Linux on IBM zSeries (S/390) (High: complete bypass of engine)
- F-Prot Antivirus for Linux x86 Workstations (unknown)

OEM Partners affected :
- Autentium (all versions)

OEM Partners with unknown status :
- Sendmail, Inc.
- G-Data


I. Background
~~~~~~~~~~~~~
Quote: "FRISK Software International, established in 1993, is one of the
world's leading companies in antivirus research and product development.

FRISK Software produces the hugely popular F-Prot Antivirus products range
offering unrivalled heuristic detection capabilities. In addition to this,
the F-Prot AVES managed online e-mail security service filters away the
nuisance of spam e-mail as well as viruses, worms and other malware that
increasingly clog up inboxes and threaten data security."


II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formatted
TAR archive.

III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug prevents the engine from inspecting the code within such TAR
archives. The content is not inspected at all, so malicious code inside
the archive cannot be detected.
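Added example, not part of the advisory and not F-Prot's code: the advisory does not publish its proof of concept, and the only hint at the root cause is the vendor's remark in the timeline that the fix amounts to "not relying on the checksum". Taking that remark as an assumption, the Python below is a minimal ustar reader that can be run in two modes: one that, like a parser gating on the checksum, stops at the first header whose chksum field does not verify, and one that keeps walking by the size field and merely flags the mismatch, so every payload still reaches the scanner. The archive it runs on is constructed in memory; all function names are the example's own.

```python
"""Minimal ustar reader that does not gate inspection on the header checksum.

Added example for this advisory; not the F-Prot engine's code and not the
advisory's proof of concept (which was not published). It assumes, from the
vendor's remark that the fix means "not relying on the checksum", that a
header whose chksum field fails verification should still be parsed and
its payload handed to the scanner, with the mismatch recorded as an anomaly.
"""

BLOCK = 512


def _octal(field: bytes) -> int:
    """Parse a NUL/space padded octal ustar field; 0 for an empty field."""
    text = field.split(b"\0", 1)[0].strip()
    return int(text, 8) if text else 0


def header_checksum(header: bytes) -> int:
    """Standard ustar checksum: sum of all header bytes with the 8-byte
    chksum field (offsets 148..156) read as ASCII spaces."""
    assert len(header) == BLOCK
    return sum(header[:148]) + 8 * ord(" ") + sum(header[156:])


def make_header(name: str, size: int) -> bytes:
    """Build a ustar header for a regular file (constructed test data)."""
    hdr = bytearray(BLOCK)
    enc = name.encode()
    hdr[0:len(enc)] = enc                       # name
    hdr[100:108] = b"0000644\0"                 # mode
    hdr[108:116] = b"0000000\0"                 # uid
    hdr[116:124] = b"0000000\0"                 # gid
    hdr[124:136] = b"%011o\0" % size            # size
    hdr[136:148] = b"%011o\0" % 0               # mtime
    hdr[156] = ord("0")                         # typeflag: regular file
    hdr[257:263] = b"ustar\0"                   # magic
    hdr[263:265] = b"00"                        # version
    hdr[148:156] = b"%06o\0 " % header_checksum(bytes(hdr))
    return bytes(hdr)


def build_tar(entries, corrupt_checksum_of=()) -> bytes:
    """Concatenate header + zero-padded payload per entry, then the
    two-block end-of-archive marker. Names listed in corrupt_checksum_of
    get a deliberately wrong chksum field so the reader's handling of a
    non-verifying header can be exercised in a test."""
    out = bytearray()
    for name, data in entries:
        hdr = bytearray(make_header(name, len(data)))
        if name in corrupt_checksum_of:
            hdr[148:156] = b"0000000\0"        # no real header sums to 0
        out += hdr
        out += data
        out += b"\0" * (-len(data) % BLOCK)
    out += b"\0" * (2 * BLOCK)
    return bytes(out)


def walk_tar(blob: bytes, rely_on_checksum: bool):
    """Return [(name, payload, checksum_ok), ...] for the members reached.

    rely_on_checksum=True mimics a parser that treats a checksum mismatch
    as "not a tar archive" and stops there; False keeps walking by the
    size field and only flags the mismatch, so every payload is inspected.
    """
    members = []
    off = 0
    while off + BLOCK <= len(blob):
        hdr = blob[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:                # end-of-archive marker
            break
        ok = _octal(hdr[148:156]) == header_checksum(hdr)
        if not ok and rely_on_checksum:
            break
        name = hdr[0:100].split(b"\0", 1)[0].decode(errors="replace")
        size = _octal(hdr[124:136])
        start = off + BLOCK
        payload = blob[start:start + size]
        if len(payload) != size:                # truncated archive: stop cleanly
            break
        members.append((name, payload, ok))
        off = start + size + (-size % BLOCK)
    return members


if __name__ == "__main__":
    # Constructed archive: two members, first header's checksum field bad.
    sample = build_tar([("a.txt", b"hello"), ("b.bin", b"x" * 600)],
                       corrupt_checksum_of=("a.txt",))
    for mode in (True, False):
        seen = walk_tar(sample, rely_on_checksum=mode)
        print(f"rely_on_checksum={mode}: inspected {len(seen)} member(s)",
              [(n, len(p), ok) for n, p, ok in seen])
```

The tolerant walker is the behaviour a scanner wants: a checksum that fails to verify is a reason to flag the archive, never a reason to skip looking inside it, because any extractor that tolerates the same malformation will happily unpack what the scanner declined to read.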


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
28/04/2009 : Sent proof of concept, a description of the terms under which
I cooperate and the planned disclosure date.

No reply

11/05/2009 : Resending PoC file asking to please reply

20/05/2009 : Frisk replies that it was unable to extract the PoC file with
"tar" and hence sees no bypass.

20/05/2009 : Inform Frisk that the PoC extracts fine with Winzip

22/05/2009 : Frisk sends a lengthy e-mail re-discussing bypasses/evasions

22/05/2009 : I state that I will not discuss this topic any further, everything
has been said and written multiple times. Either Frisk patches
or they do not.

22/05/2009 : Frisk states that the changes to the parsing code are minor,
i.e. not relying on the checksum. The patch will be included
in the next release candidate 4.5.0 and credit will be given
in the History file

Comment: I give it some time for 4.5.0 to be released.

10/06/2009 : Ask Frisk if 4.5.0 has been released now

no reply

14/06/2009 : Release of this advisory

[1]
F-prot is encouraged to leave their security contact details at http://osvdb.org/vendor/1/Frisk%20Software%20International
to facilitate communication and reduce lost reports.


