________________________________________________________________________
From the low-hanging-fruit department
AVIRA Generic Malformed Container bypass (ISO)
________________________________________________________________________

Release mode : Silent Patch by Avira - Coordinated otherwise
Ref          : [TZO-01-2019] - AVIRA Generic AV Bypass
Vendor       : AVIRA
Status       : Patched (AV Engine above 8.3.54.138)
CVE          : none provided, silent patch
Blog         : https://blog.zoller.lu
Vulnerability Disclosure Policy : https://caravelahq.com/b/policy/20949

Introduction
============

10 years ago I took a look at ways to evade AV/DLP engine detection using various techniques and released a metric ton of advisories. 10 years later, after multiple CISO-type roles, I wanted to deep dive again and see how far (or not) the AV industry has reacted to this class of vulnerabilities. These types of evasions are now actively being used in offensive operations [1].

To my surprise, with a few exceptions, most AV vendors haven't; in some cases I found the very same vulnerabilities that were patched and disclosed years ago. Worse than that is the fact that some vendors that were very collaborative in 2008/2009 have now started to ignore submissions (until I threaten disclosure) or are trying to argue that generically evading AV detection is not a vulnerability. A lot of exchanges took place on this matter; for instance, one vendor argued that this could not be called a vulnerability because it would not impact integrity, availability or confidentiality, so it can't possibly be a vulnerability.

Even more bothersome to me is how bug bounty platforms have created a distorted reporter/vendor relationship and are mostly executed to the detriment of the customers. I am collecting my experiences and will write a blog post about this phenomenon.

There will be many more advisories, hoping that I can finally eradicate this bug class and don't have to come back to this 10 years from now.
[1] https://www.bleepingcomputer.com/news/security/specially-crafted-zip-files-used-to-bypass-secure-email-gateways/
    https://www.techradar.com/news/zip-files-are-being-used-to-bypass-security-gateways

Affected Products
=================

AV Engine below 8.3.54.138

All Avira products:
- Avira Antivirus Server
- Avira Antivirus for Endpoint
- Avira Antivirus for Small Business
- Avira Exchange Security (Gateway)
- Avira Internet Security Suite for Windows
- Avira Prime
- Avira Free Security Suite for Windows
- Cross Platform Anti-malware SDK

Attention: Avira does not patch or update their very popular command line scanner, which is still available for download on their website. Since Avira does not release an advisory, their customers are none the wiser.

Avira licenses its engine to many OEM partners. The OEM partners that use the Avira engine may or may not be vulnerable. I would advise that you reach out to the vendors listed below to find out whether you are affected. OEM partners can reach out to me to retrieve the POC in order to test.

AVIRA OEM Partners:
- F-Secure
- Sophos
- Barracuda
- Alibaba Cloud Security
- Check Point
- CUJO AI
- TP-Link
- FujiSoft
- AWS
- Rohde and Schwarz
- Careerbuilder
- Huawei
- Dracoon
- Total Availability
- FixMeStick
- APPVISORY
- Tabidus
- Cyren

Source : https://oem.avira.com/en/partnership/our-partners

I. Background
----------------------------

Quote:
"We protect people—like you—across all devices, both directly and via our OEM partnerships. We provide a wide variety of best-in-class solutions to enhance your protection, performance, and online privacy—ranging from antivirus to VPN and cleanup technologies. A server security should get special attention, as a single employee might store a malicious file on the network and instantly cause a cascading damage across the entire organization. With Avira's solutions for server security you can prevent such scenarios by protecting your network, data, and web traffic.
"

Avira has the Trust Seal of http://www.teletrust.de/itsmig/

II. Description
----------------------------

The parsing engine supports the ISO container format. The parsing engine can be bypassed by specifically manipulating an ISO container so that it can still be accessed by an end-user but not by the anti-virus software. The AV engine is unable to scan the container and gives the file a "clean" rating.

I may release the details after all known vulnerable vendors have patched their engines.

III. Impact
----------------------------

Impact depends on the context in which the product and engine are used within a customer's organisation.

Gateway products (email, HTTP proxy etc.) may allow the file through unscanned and give it a clean bill of health.

Server-side AV software will not be able to discover any code or sample contained within this ISO file, and it will not raise suspicion even if you know exactly what you are looking for (which is, for example, great to hide your implants or exfiltration/pivot server).

There is a lot more to be said about this bug class, so rather than bore you with it in this advisory I provide a link to my 2009 blog post:
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Patch / Advisory
----------------------------

I advise customers of scancl.exe (or the Unix variant) to change to another vendor, as Avira is apparently no longer maintaining it and apparently also not warning customers about vulnerabilities.

Furthermore, should you be an enterprise customer of one of the OEM partners listed above, I suggest reaching out to that vendor to understand whether this flaw was patched downstream in their respective products.
I recommend that the amavisd project warn its users of these facts:
https://gitlab.com/amavis/amavis/blob/master/amavisd.conf

In case you have any further questions please direct them to Avira. The above is based on the best of my knowledge, and since AVIRA does not release advisories we are left in the dark as to what they officially recommend.

V. Disclosure timeline
----------------------------

How Avira handled these reports in 2009:
https://blog.zoller.lu/2009/04/avira-antivir-generic-cab-bypass.html

The below is a summary of 2-3 evasion reports that I have submitted.

How Avira handled this one:

15/10/2019 Submitted Proof of Concept

15/10/2019 Avira asks me to send a new POC using "EICAR" (EICAR can only be compressed by forcing a special compression mode; I refuse)

22/10/2019 Avira forwards to tech department

25/10/2019 Avira argues that this would be the same as adding a password to the file:
"You could achieve the same effect by setting a password on the ZIP Archive, or encrypting the file in any way. This would also make it impossible to scan the file."

26/10/2019 I reply that Avira offers products that have no on-access scanner (command line, gateway products) and point again to my blog post discussing these common arguments and the overall threat model.

Avira replies by basically ignoring the details given above:
"We analyzed your report again. After careful consideration we still have to decline your report for multiple reasons. First of all, the product you used in your evaluation (scancl.exe) is no longer supported by Avira and not used as standalone product."

Editor note: Their command line scanner (scancl.exe) is in reality still available on their website as of today and is being used by a massive number of customers, especially as it can easily be included in AMAVIS. It can still be activated via license, and AVIRA still recommends that customers install it.
https://www.avira.com/documents/products/pdf/es/man_avira_antivir-unix_server_en.pdf (Section 3.5)

Avira then shifts the blame to their OEM partners and customers:
"Additionally we checked the behavior of our engine on your reported cases. When the engine encounters a corrupted archive, we intentionally do not try to attempt to extract the file and instead report back a warning to the product (As shown in your output). It is up to the integrator of the engine, on how to handle these cases and depends on the security model of the setup."

"Our recommendation is to block these files, but as stated before, this is up to the integrators and the specific setup. There are also good reasons not to block these files, while still ensuring the security of our customers. Our AV products, for example clients, skip these files on scans, because a virus cannot be executed when stored in an archive. As soon as you extract the file, our OnAccess scanner scans the file, and blocks the execution of the file, so that our customers are protected"

Editor note: Again ignoring the many products that have no on-access scanner or where the on-access scanner is not effectively used.

"A similar behavior is conducted when scanning encrypted files, or self developed archive types. Both types cannot be scanned, but it would be unwise to block these files in general, since you surely agree, that many encrypted files are not harmful and desired. Please be aware that this reply also applies to your other reports."

28/10/2019 After I reiterated the threat model I get the following reply (ignoring that their other products can't parse the container either):
"Yes we rejected the used application, because it is not designed to be used as standalone product."
Editor note: Yet Avira gives guidance on how to configure command line scanners to be used within gateway products as a standalone product (see the technical documentation on the vendor website).

"Therefore, having a warning that the file is corrupted (as it is) and can't be scanned, is the most secure option."

Editor note: In some cases it is indeed, but that's missing the point of this report.

"It then depends, as mentioned in my previous mails, on the integrator of the Engine on how to proceed. For our consumer products for example, the file will be skipped and scanned as soon as an application tries to extract the file with our OnAccess scanner. This is also the default process for encrypted files or own defined, unknown data formats (as you have when you deviate from the ZIP standard)."

Editor note: Avira continues to ignore that Avira sells products where on-access scanners are not present OR are not efficient.

"We have acknowledged that you may publish your report as a blog posting. Please do not mention any names, as this would be against GDPR laws."

Editor note: Somewhere in between this I informed Avira that, according to the policy I shared, I will publish the details effective immediately and no longer coordinate any future vulnerability with Avira.

08/11/2019 I report more bypasses. In order to be able to handle and coordinate these reports I reported them to a protected bug-tracking platform, informed Avira and sent them the links to the POC.

"Is there any other communication possible to disclose vulnerabilities to us in a responsible way? Please feel free to send us the submissions via email, as all other security researchers are doing. We will not register to any third party bugtracker."

Editor note: Note the passive-aggressive implication that submitting all the details via a private bugtracker is not "responsible".
I inform Avira that every other AV vendor is fine with using it and that I expect them to do so as well, as I can't handle 100s of reports in my free time without the proper tooling.

"Registering to an external bugtracker is not only very uncommon, but also not aligned to the most respected responsible disclosure policies (e.g. of Google or Microsoft) which inform vendors also via email. Your approach is also not compliant to your own set responsible disclosure policy (Point 2):
— When a security contact or other relevant e-mail address has been identified, a vendor initially receives a mail with vulnerability details along with a pre-set disclosure date (usually set to a Wednesday 4 weeks later). —
Source: https://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Therefore we would appreciate to receive the details about your findings via email."

11/11/2020 I hence reply:
"You have received an email and a disclosure date together with a link on where to find further information. That actually meets the below. Now would you be so kind to actually focus on the matter at hand? The matter at hand are potential vulnerability reports that are offered to you, for free."

No further reply.

13/11/2019 I am "escalating" to the CTO of Avira as we appear to be connected on LinkedIn. No reply.

16/11/2019 Kind reminder. No reply.

20/11/2019 Giving it one last try; a discussion happens.

25/11/2019 Avira's security lead contacts me on LinkedIn. We discuss coordination and disclosure terms/details.

28/11/2019 Submit POC

04/12/2019 "The feature was added to the engine version number 8.3.54.138, which we started to ship today at 03:00pm CET."

Editor note: Feature.
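Section IV above and Avira's own reply leave the handling of an unparseable container to the integrator: the engine reports a warning for a corrupted archive and the gateway decides. The Python below is an added example (not code from the advisory or from Avira) of a fail-closed integrator policy for a mail or proxy gateway: any non-clean engine status is blocked and, for ISO containers, a well-formed ISO 9660 volume descriptor set is additionally required. The function names, the status strings and the in-memory sample images are assumptions constructed for the example; the structural check illustrates the policy and is not the advisory's undisclosed POC.

```python
# Added example of a fail-closed integrator policy (not the advisory's POC).
SECTOR = 2048
VD_START = 16  # ISO 9660 volume descriptors start at sector 16 (byte 32768)

def iso9660_descriptor_set(image: bytes):
    """Walk the ISO 9660 volume descriptor set. Returns the descriptor types
    found, or None when the image deviates from the standard (bad 'CD001'
    identifier, no primary volume descriptor, or no set terminator)."""
    types, sector = [], VD_START
    while True:
        off = sector * SECTOR
        if off + SECTOR > len(image):
            return None  # ran off the end without a set terminator
        vd = image[off:off + SECTOR]
        if vd[1:6] != b"CD001" or vd[6] != 1:
            return None  # not a standard descriptor: treat as malformed
        types.append(vd[0])
        if vd[0] == 255:  # volume descriptor set terminator
            break
        sector += 1
    return types if 1 in types else None  # type 1 = primary volume descriptor

def gateway_verdict(engine_status: str, image: bytes) -> str:
    """Fail-closed policy: allow only a container the engine scanned cleanly
    AND that passes the structural check. Any engine warning (e.g. a
    'corrupted archive' report) is handled like a detection."""
    if engine_status != "clean":
        return "block"
    if iso9660_descriptor_set(image) is None:
        return "block"  # engine said clean, but the container is not well-formed
    return "allow"

def _descriptor(vtype: int) -> bytes:
    # Minimal descriptor: type byte, 'CD001', version 1, zero-filled remainder.
    return bytes([vtype]) + b"CD001" + bytes([1]) + bytes(SECTOR - 7)

def build_sample(terminated: bool = True) -> bytes:
    """Constructed sample image (assumption, not a real ISO): 16 empty system
    sectors, one primary volume descriptor and, optionally, the terminator."""
    img = bytes(VD_START * SECTOR) + _descriptor(1)
    return img + _descriptor(255) if terminated else img

if __name__ == "__main__":
    for status, img in [("clean", build_sample()),
                        ("warning: corrupted archive", build_sample()),
                        ("clean", build_sample(terminated=False))]:
        print(status, "->", gateway_verdict(status, img))
```

In a real gateway the engine status would come from the scanner's exit code or output parser; the point is that the warning path ends in "block", never in a clean bill of health.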