F-prot Bypass Vulnerability
Posted Jun 19, 2009
Authored by Thierry Zoller

The F-prot parsing engine can be bypassed by a specially crafted and formatted RAR archive.

tags | advisory
SHA-256 | 0c190472862f04e28464f2f343fd6dc64e9cdc0911fa339c1390d3d426c7c594

________________________________________________________________________

From the low-hanging-fruit-department
F-prot generic bypass (RAR,ARJ,LHA)
________________________________________________________________________

Shameless plug:
------------------------------------------------------------------------
You are invited to join the 2009 edition of HACK.LU, a small but
concentrated Luxembourgish security conference.
More information: http://www.hack.lu - CFP is open, sponsorship is still
possible and warmly welcomed.
------------------------------------------------------------------------

Release mode: Coordinated but limited disclosure.
Ref : [TZO-34-2009] - F-prot RAR,ARJ,LHA bypass
WWW : http://blog.zoller.lu/2009/05/advisory-f-prot-generic-evasion-rar.html
Vendor : http://www.f-prot.com
Status : Current version not patched, next engine version will be patched
CVE : none provided
Credit : Given in the history file
OSVDB vendor entry: none [1]
Security notification reaction rating : good
Notification to patch window : n+1 (no patch for current build)

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products (all versions below 4.5.0)
- F-PROT AVES (High: complete bypass of engine)
- F-PROT Antivirus for Windows (unknown)
- F-PROT Antivirus for Windows on Mail Servers (High: complete bypass of engine)
- F-PROT Antivirus for Exchange (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 Mail Servers (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 File Servers (High: complete bypass of engine)
- F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete bypass of engine)
- F-PROT Milter, for example for sendmail (High: complete bypass of engine)
- F-PROT Antivirus for Linux on IBM zSeries (S/390) (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 Workstations (unknown)

OEM Partners affected :
- Authentium (all versions)

OEM Partners with unknown status :
- Sendmail, Inc.
- G-Data


I. Background
~~~~~~~~~~~~~
Quote: "FRISK Software International, established in 1993, is one of the
world's leading companies in antivirus research and product development.

FRISK Software produces the hugely popular F-Prot Antivirus products range
offering unrivalled heuristic detection capabilities. In addition to this,
the F-Prot AVES managed online e-mail security service filters away the
nuisance of spam e-mail as well as viruses, worms and other malware that
increasingly clog up inboxes and threaten data security."


II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formatted
RAR archive.

III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV bypasses/evasions
can be read at:
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug prevents the engine from inspecting the contents of the RAR
archive at all: since nothing inside the archive is parsed, malicious
code carried in it cannot be detected.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
07/05/2009 : Send proof of concept, a description of the terms under which
I cooperate and the planned disclosure date.

No reply

09/05/2009 : Resending PoC file asking to please acknowledge receipt

19/05/2009 : Frisk acks receipt and states that
"I have confirmed that this issue is indeed
present in F-Prot engine versions 4.4.4 and earlier. It is not present
in the 4.5.0 engine, which is the current development version, and is
scheduled for release in the near future"

20/05/2009 : Ask for patch timeline

22/05/2009 : Frisk states that there will be no patch for versions below 4.5.0
and that the next version 4.5.0 is not affected (dev build)

"As a side note, F-PROT 4.4 and older also had a similar issue
with ARJ and LHA/LZH files - failing to detect the archive if
it was not at the beginning of the file"

10/06/2009 : Ask Frisk whether 4.5.0 has been released now

No reply

18/06/2009 : Release of this advisory.
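The vendor's note above describes the failure mode from the scanner's side: the archive is only recognised when its signature sits at the very beginning of the file. The following check, added here as an illustration and not taken from the advisory or from F-Prot's engine, contrasts an offset-0-only identification with a scan for archive headers at any offset. The RAR/ARJ magic bytes are the public, well-known values; the LHA method-id pattern covers the common ids (an assumption), and the sample input is constructed.

```python
import re
from typing import List, Tuple

# Archive magic bytes. RAR and ARJ values are the public signatures; the LHA
# pattern matches the method-id field ("-lh5-" etc.) that sits at offset 2 of
# an LHA header, so a match at position p implies a header starting at p - 2.
SIGNATURES = {
    "RAR4": re.compile(rb"Rar!\x1a\x07\x00"),
    "RAR5": re.compile(rb"Rar!\x1a\x07\x01\x00"),
    "ARJ":  re.compile(rb"\x60\xea"),            # only 2 bytes: confirm header before acting
    "LHA":  re.compile(rb"-l[hz][0-7ds]-"),      # assumed set of common LHA method ids
}

def naive_identify(data: bytes) -> List[Tuple[str, int]]:
    """Offset-0-only check: the behaviour the advisory describes as bypassable."""
    hits = []
    for name, sig in SIGNATURES.items():
        pos = 2 if name == "LHA" else 0
        if sig.match(data, pos):
            hits.append((name, 0))
    return hits

def find_embedded_archives(data: bytes, max_prefix: int = 1 << 20) -> List[Tuple[str, int]]:
    """Scan the first max_prefix bytes for archive headers at any offset.

    Returns (format, header_offset) pairs sorted by offset, so a scanner can
    hand each candidate to the matching archive parser instead of giving up
    because byte 0 is not a known signature.
    """
    hits = []
    window = data[:max_prefix]
    for name, sig in SIGNATURES.items():
        for m in sig.finditer(window):
            start = m.start() - 2 if name == "LHA" else m.start()
            if start >= 0:
                hits.append((name, start))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample: 64 bytes of filler, then a RAR 4.x marker block and
# some padding. Not a real archive; enough to show the two checks diverge.
SAMPLE = b"A" * 64 + b"Rar!\x1a\x07\x00" + b"\x00" * 16

if __name__ == "__main__":
    print("offset-0 check:", naive_identify(SAMPLE))        # []
    print("full scan:", find_embedded_archives(SAMPLE))      # [('RAR4', 64)]
```

Any hit at a non-zero offset is itself worth logging: a legitimate archive rarely has leading junk, so the condition is both a parser input and a detection signal.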

[1]
F-prot is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/Frisk%20Software%20International
to facilitate communication and reduce lost reports.
