________________________________________________________________________
From the low-hanging-fruit department
Avira Antivir generic RAR,CAB,ZIP,LH evasion
________________________________________________________________________

CHEAP Plug :
************
You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!
************

Release mode        : Coordinated but limited disclosure.
Ref                 : [TZO-28-2009] - Avira Antivir generic RAR,CAB,ZIP
WWW                 : t.b.a
Vendor              : http://www.avira.com
Status              : Patched (Engine-Version: AV7 7.9.0.180 / AV8/9 8.2.0.180)
(Re)Discovered      : 2005 by froggz, 2007 by Thierry Zoller, 2009 by Roger Mickael
                      (please give appropriate credit - only when notified and
                      pressured under disclosure terms do vendors fix these,
                      even if they have been known for years. PS: this is not
                      exclusive to AVIRA)
CVE                 : none provided
Credit              : t.b.a
OSVDB vendor entry  : none [1]

Security notification reaction rating : good
Notification to patch window          : 22 days
Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
- Avira AntiVir Free
- Avira AntiVir Premium
- Avira AntiVir Premium Security Suite
- Avira AntiVir Professional (Desktop)
- Avira AntiVir Server
- Avira AntiVir Exchange
- Avira AntiVir SharePoint
- Avira AntiVir ISA Server
- Avira AntiVir MIMEsweeper
- Avira AntiVir for KEN! 4
- Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
- Avira AntiVir Professional (Unix)
- Avira AntiVir Server (Unix)
- Avira AntiVir MailGate
- Avira AntiVir WebGate

I. Background
~~~~~~~~~~~~~
Quote: "Avira AntiVir is a reliable free antivirus solution, that constantly
and rapidly scans your computer for malicious programs such as viruses,
Trojans, backdoor programs, hoaxes, worms, dialers etc. Monitors every action
executed by the user or the operating system and reacts promptly when a
malicious program is detected."

II. Description
~~~~~~~~~~~~~~~
The anti-virus engine could be bypassed by specially crafted archive files.
The root cause was the same for the RAR, CAB, ZIP and LH formats.

III. Impact
~~~~~~~~~~~
The engine could be bypassed remotely; malware delivered inside such an
archive was no longer detected. This is an issue especially for gateway
solutions. To know more about the impact and the type of "evasion", see the
updated description at
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Timeline
~~~~~~~~~~~~
DD/MM/YYYY
07/05/2009 : Sent proof of concept, description, the terms under which I
             cooperate and the planned disclosure date.
08/05/2009 : Avira replies that "Roger Mickael" reported a similar issue.
08/05/2009 : Sent another POC in other formats than those reported previously.
11/05/2009 : Avira asks for a delay.
27/05/2009 : Avira informs me that "please be informed that we've just released
             the fixed engine files to the public (27th of May, 19:19 pm CET):
             Engine-Version: AV7 7.9.0.180 / AV8/9 8.2.0.180"
29/05/2009 : Release of this advisory.

[1] Avira is encouraged to leave their security contact details at
    http://osvdb.org/vendor/1/AVIRA%20GmbH to facilitate communication and
    reduce lost reports.