________________________________________________________________________

              From the low-hanging-fruit-department
              F-prot generic CAB bypass / evasion
________________________________________________________________________

CHEAP Plug :
************
You are invited to participate in HACK.LU 2009, a small but concentrated
luxemburgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!
************

Release mode: Coordinated but limited disclosure.
Ref         : [TZO-21-2009] - F-prot CAB bypass / evasion
WWW         : http://blog.zoller.lu/2009/04/advisory-f-prot-frisk-cab-bypass.html
Vendor      : http://www.f-prot.com
Status      : Current version not patched, next engine version patched
              Date unknown, vendor doesn't answer any longer.
CVE         : none provided
Credit      : none prodided
OSVDB vendor entry: none [1]
Security notification reaction rating : better thn last time
Notification to patch window : n+1 (no patch for current build)

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
# F-PROT AVES (High: complete bypass of engine)
# F-PROT Antivirus for Windows (unknown)
# F-PROT Antivirus for Windows on Mail Servers : (High: complete bypass of engine) 
# F-PROT Antivirus for Exchange (High: complete bypass of engine)
# F-PROT Antivirus for Linux x86 Mail Servers : (High: complete bypass of engine)
# F-PROT Antivirus for Linux x86 File Servers : (High: complete bypass of engine)
# F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete bypass of engine)
# F-PROT Milter - for example sendmail (High: complete bypass of engine)
# F-PROT Antivirus for Linux on IBM zSeries (S/390) (High: complete bypass of engine)
# F-Prot Antivirus for Linux x86 Workstations (unknown)

OEM Partners affected :
- Autentium  (all)
Command Software Systems, an Authentium company, has been developing and 
selling an antivirus solution utilizing the powerful F-PROT Antivirus 
engine since 1991. 

OEM Partner unknown status :
- Sendmail, Inc.
- G-Data
- 

I. Background
~~~~~~~~~~~~~
Quote: "FRISK Software International, established in 1993, is one of the 
world's leading companies in antivirus research and product development.

FRISK Software produces the hugely popular F-Prot Antivirus products range 
offering unrivalled heuristic detection capabilities. In addition to this, 
the F-Prot AVES managed online e-mail security service filters away the 
nuisance of spam e-mail as well as viruses, worms and other malware that 
increasingly clog up inboxes and threaten data security."


II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formated
CAB (Filesize) archive. 

III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within CAB archives. There is no inspection of the content
at all and hence the impossibility to detect malicious code.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
10/04/2009 : Send proof of concept, description the terms under which 
             I cooperate and the planned disclosure date.
                         
15/04/2009 : FRISK responds that they were unable to find any archive 
                         program that is able to extract the file and that some
             archive programs tested suffer from an integer overflow
                         extracting the file.
                         
15/04/2009 : Inform FRISK that the sample should extract fine.                   
                         
20/04/2009 : FRISK responds that they were unable to find any archive 
                         program that is able to extract the file.
                         
20/04/2009 : Inform FRISK that the sample should extract fine.

22/04/2009 : FRISK responds that they were unable to find any archive 
             program that is able to extract the file. However it will
             be patched nonetheless "being low-priority, it will not be
             added to the 4.4 branch. In other words, the fix will be
             included in the next engine released."

22/04/2009 : Sending FRISK a slightly modified POC (same field, different
             value) that extracts fine and still bypasses the engine. Ask
             vendor to confirm that the new engine catches the POC.
                         
                         No Reply
                         
27/04/2009 : Resending previous mail asking to check whether the patch has
             been effectively closed
                         
             No Reply
                                         
08/05/2009 : Release of this advisory.


[1]
F-prot is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/Frisk%20Software%20International
to facilate communication and reduce lost reports.