________________________________________________________________________ From the low-hanging-fruit-department Bitdefender Generic Malformed Archive Bypass (RAR HOST_OS) ________________________________________________________________________ Release mode : Forced Disclosurea Ref : [TZO-07-2019] - Bitdefender Malformed Archive bypass (RAR HOST_OS) Vendor : Bitdefender Status : Patched (amsiscan.dll >24.0.14.74) CVE : Reserved 3 CVEs then pulled them back (Although patching the vulnerability) Dislosure Policy: https://caravelahq.com/b/policy/20949 Blog : https://blog.zoller.lu/p/tzo-04-2019-bitdefender-malformed.html Vendor Advisory : No Advisory issued Patch release : https://www.bitdefender.com/consumer/support/answer/10690/ Affected Products ================= All Bitdefender Products and Vendors that have licensed the Engine before Dec 12 2019. Exact version is unknown as Bitdefender has not made this public. Quoting Bitdefender : "All Bitdefender endpoint solutions (including but not limited to Bitdefender Total Security, Bitdefender Antivirus Free Edition, Bitdefender GravityZone) as well as all products using our engines." Consumer: Bitdefender Premium Security Bitdefender Total Security 2020 Bitdefender Internet Security 2020 Bitdefender Antivirus Plus 2020 Bitdefender Family Pack 2020 Bitdefender Antivirus for Mac Bitdefender Mobile Security for Android Bitdefender Mobile Security for iOS Enterprise: Bitdefender Small Office Security GravityZone Business Security GravityZone Advanced Business Security Bitdefender Security for AWS GravityZone Ultra Security GravityZone Managed EDR GravityZone Elite Security GravityZone Enterprise Security Security for Virtualized Environments Security for Endpoints Security for Mobiles Security for Exchange GravityZone Security for Storage Vulnerable OEM Partners (According to AV-TEST): Adaware Bullguard Vipr Total360 eScan emiSoft G-DATA Qihoo 360 Quick Heal TotalDefense Tencent I. Background ================= "Since 2001, Bitdefender innovation has consistently delivered award-winning security products and threat intelligence for people, homes, businesses and their devices, networks and cloud services. Today, Bitdefender is also the provider of choice, used in over 38% of the world’s security solutions. Recognized by industry, respected by vendors and evangelized by our customers, Bitdefender is the cybersecurity company you can trust and rely on." II. Description ================= The parsing engine supports the RAR archive format. The parsing engine can be bypassed by specifically manipulating an RAR Archive (HOST_OS) so that it can be accessed by an end-user but not the Anti-Virus software. The AV engine is unable to scan the archive and issues the file a "clean" rating. I may release further details after all known vulnerable vendors have patched their products. III. Impact ================= Impacts depends on the contextual use of the product and engine within the organisation of a customer. Gateway Products (Email, HTTP Proxy etc) may allow the file through unscanned and give it a clean bill of health. Server side AV software will not be able to discover any code or sample contained within this ISO file and it will not raise suspicion even if you know exactly what you are looking for (Which is for example great to hide your implants or Exfiltration/Pivot Server). There is a lot more to be said about this bug class, so rather than bore you with it in this advisory I provide a link to my 2009 blog post http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html IV. Patch / Advisory ================= If you are an enterprise customer I would suggest to reach out to Bitdefender to discuss how you can be notified about patched vulnerabilities within their products. Some releases may requires binary updates that cant be pulled from the auto-update. amsiscan.dll >24.0.14.74 For Users of the OEM Partners (G-Data, Vipr, etc) I would suggest to get in contact to ensure these vulnerabilities are patched or not present in their offering. I would also suggest discussing how you can be made aware of future patches. V. Disclosure Timeline ====================== See Previous Bitdefender disclosures : https://blog.zoller.lu/p/tzo-04-2019-bitdefender-malformed.html