Norman Generic Evasion
Posted Jun 15, 2009
Authored by Thierry Zoller

Norman products with decompression engine versions below 5.99.07 suffer from a RAR-related bypass vulnerability: a crafted RAR archive is passed through without its content being inspected.

tags | advisory, bypass
SHA-256 | 2752bd6cbaf45a3d245c65d2ae96d8968b3aaa13fc4e7e50d8bb6ee07d35ab7e

________________________________________________________________________

From the low-hanging-fruit-department
Norman generic evasion (RAR)
________________________________________________________________________

CHEAP Plug :
************
You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed
************

Release mode: Coordinated but limited disclosure.
Ref : [TZO-32-2009] - Norman generic evasion (RAR)
WWW : http://blog.zoller.lu/2009/06/advisory-norman-generic-evasion-rar.html
Vendor : http://www.norman.com
Status : Patched (with decompression engine version 5.99.07)
CVE : none provided
Credit : http://www.norman.com/support/security_bulletins/69333/en
OSVDB vendor entry: Norman is not listed as a vendor in OSVDB
Security notification reaction rating : ok
Notification to patch window : 77 days

Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
The vulnerabilities have been fixed in Norman's compression library (NCL) 5.99.07,
released on Norman's Internet update servers as an automatic update on 03 June 2009.
This solves the vulnerability for all updated Norman products except for
Norman Network Protection.

- Norman Virus Control single user and corporate versions
- Norman Internet Control
- Norman Virus Control E-mail plugins
- Norman Endpoint Protection
- Norman Security Suite
- Norman Network Protection
- Norman Virus Control for Lotus Domino
- Norman Virus Control for Exchange
- Norman Virus Control for Linux
- Norman Virus Control for Novell Netware (FireBreak)
- Norman Email Protection
- Norman Email Protection Appliance
- Norman Online Protection
- Norman Virus Control for AMaViS
- Norman Virus Control for MIMEsweeper

- Third party vendors that use the Engine

OEM vendors known to use the Norman engine :
- eeye



I. Background
~~~~~~~~~~~~~
Quote: "Norman ASA is a world leading company within the field of data security,
internet protection and analysis tools. Through its SandBox technology
Norman offers a unique and proactive protection unlike any other
competitor"


II. Description
~~~~~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug denies the engine the ability to inspect code within a RAR archive:
a crafted archive is passed through without any inspection of its content.

III. Impact
~~~~~~~~~~~
The bug denies the engine the ability to inspect code within RAR archives.
The content of such an archive is not inspected at all, so anything it carries
reaches the user without being scanned.

A general description of the impact and nature of AV Bypasses/evasions
can be read at : http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
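The failure mode described above, illustrated by a fail-closed RAR 4.x header walker added here (not code from the advisory or from Norman). It assumes the public RAR 4.x block layout; the header fields it checks (size, method, head flags) are taken from the proof-of-concept names in the time-line below, and the point is that an archive whose headers cannot be walked consistently must be reported as unscannable rather than silently treated as clean.

```python
import struct

# Assumed public RAR 4.x block layout (not Norman's parser): HEAD_CRC(2) HEAD_TYPE(1)
# HEAD_FLAGS(2) HEAD_SIZE(2); a file block (0x74) adds PACK_SIZE(4) UNP_SIZE(4) HOST_OS(1)
# FILE_CRC(4) FTIME(4) UNP_VER(1) METHOD(1) NAME_SIZE(2) ATTR(4), then the file name.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
FILE_HEAD, END_HEAD = 0x74, 0x7B
LONG_BLOCK, LHD_LARGE = 0x8000, 0x0100
FILE_FIXED = 7 + 25  # offset of the file name inside a file block

def walk_rar(data):
    """("ok", [names]) if every block is self-consistent, else ("unscannable", reason).
    A scanner that maps "unscannable" to "clean" has the evasion this advisory describes."""
    if not data.startswith(RAR4_MAGIC):
        return "unscannable", "bad signature"
    pos, names = len(RAR4_MAGIC), []
    while pos + 7 <= len(data):
        _crc, htype, hflags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7 or pos + hsize > len(data):
            return "unscannable", f"bad header size {hsize} at offset {pos}"
        if htype == END_HEAD:
            return "ok", names
        if htype != FILE_HEAD:  # main/comment/other block: skip it whole
            long_block = hflags & LONG_BLOCK and hsize >= 11
            pos += hsize + (struct.unpack_from("<I", data, pos + 7)[0] if long_block else 0)
            continue
        if hsize < FILE_FIXED:
            return "unscannable", f"truncated file header at offset {pos}"
        pack, *_, method, nlen = struct.unpack_from("<IIBIIBBH", data, pos + 7)
        if hflags & LHD_LARGE:  # 64-bit sizes: refuse rather than guess
            return "unscannable", "64-bit size fields not supported"
        if not 0x30 <= method <= 0x35:  # 0x30 = stored ... 0x35 = best compression
            return "unscannable", f"unknown method 0x{method:02x}"
        if FILE_FIXED + nlen > hsize:
            return "unscannable", "name length exceeds header size"
        if pos + hsize + pack > len(data):
            return "unscannable", f"packed size {pack} exceeds archive"
        names.append(data[pos + FILE_FIXED:pos + FILE_FIXED + nlen].decode("latin-1"))
        pos += hsize + pack
    return "unscannable", "missing end-of-archive block"

def _block(htype, flags, body):  # HEAD_CRC left zero: CRCs are not validated here
    return b"\0\0" + struct.pack("<BHH", htype, flags, 7 + len(body)) + body

def make_sample(method=0x30, pack_size=None, head_flags=LONG_BLOCK):
    """Constructed one-file archive ('hello' stored as a.txt); the keyword arguments
    let a caller hand the walker inconsistent size, method or head-flag values."""
    payload, name = b"hello", b"a.txt"
    pack = len(payload) if pack_size is None else pack_size
    body = struct.pack("<IIBIIBBHI", pack, len(payload), 0, 0, 0, 29, method, len(name), 0x20) + name
    return (RAR4_MAGIC + _block(0x73, 0, b"\0" * 6) + _block(FILE_HEAD, head_flags, body)
            + payload + _block(END_HEAD, 0x4000, b""))
```

In a real pipeline the "unscannable" verdict should route the file to a fallback (quarantine, a second engine or manual review) instead of being folded into "no threat found".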


IV. Disclosure time-line
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
05/03/2009 : Send proof of concept (RAR Size), a description of the terms under which
I cooperate and the planned disclosure date.

No reply

13/03/2009 : Re-send proof of concept (RAR Size), indicating this is the last attempt
to responsibly disclose.

14/03/2009 : Norman acknowledges receipt

23/03/2009 : Send proof of concept (RAR Method)

23/03/2009 : Asking for an update for the RAR Size sample

02/04/2009 : Norman confirms reproduction of RAR Method PoC and that they will release
the patch a.s.a.p

02/04/2009 : Norman promises to get back with release dates/advisory information as soon
as they have some firm dates

06/04/2009 : Norman confirms reproduction of RAR Headflags PoC

20/04/2009 : Norman confirms reproduction of the CAB PoC and that all reported
vulnerabilities have been patched internally.

22/04/2009 : Ask for a list of affected versions/products

no answer

27/04/2009 : Norman sends in the patched decompression DLL for me to check if the patch
is correct.

28/04/2009 : Send TAR PoC file

no acknowledgement

07/05/2009 : Ask for an update to all reported bugs

no reply

08/05/2009 : Inform Norman that, as I no longer receive any replies, I assume that
the patch is deployed and set the final disclosure date to
01.06.2009

09/05/2009 : Norman states they probably can't make the 1/06/2009

09/05/2009 : Propose to postpone disclosure upon request

28/05/2009 : Ask for an update as 01.06.2009 still is set

30/05/2009 : Norman asks to postpone the disclosure by a week as they
have to finish Q&A

09/06/2009 : Ask Norman whether the Q&A has been finished

09/06/2009 : Norman replies that the patches were deployed on the 3rd
of June.

10/06/2009 : Release of this advisory.
