________________________________________________________________________
From the low-hanging-fruit-department
Clamav generic evasion (RAR,CAB,ZIP)
________________________________________________________________________

Shameless plug :
------------------------------------------------------------------------
You are invited to join the 2009 edition of HACK.LU, a small but
concentrated luxemburgish security conference.
More information : http://www.hack.lu - CFP is open, sponsorship is
still possible and warmly welcomed.
------------------------------------------------------------------------

Release mode: Coordinated but limited disclosure.
Ref : [TZO-40-2009] - Clamav generic evasion (RAR,CAB,ZIP)
WWW : http://blog.zoller.lu/2009/05/advisory-clamav-generic-bypass.html
Vendor : http://www.clamav.net & http://www.sourcefire.com/products/clamav
Status : Patched (in version 0.95.2)
CVE : none provided
Credit : Discovered - froggz 2005, Zoller 2007, ROGER Mickael 2009

Security notification reaction rating : good
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
- ClamAV below 0.95.2

Affected systems:
- MACOSX server,
- IBM Secure E-mail Express Solution for System
http://www.clamav.net/about/who-use-clamav/

I. Background
~~~~~~~~~~~~~
Quote: "Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX,
designed especially for e-mail scanning on mail gateways. It provides a
number of utilities including a flexible and scalable multi-threaded daemon,
a command line scanner and advanced tool for automatic database updates. The
core of the package is an anti-virus engine available in a form of shared
library."

II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by manipulating RAR and ZIP archives in a
"certain way" so that the ClamAV engine cannot extract the content, while
the end user's archiver still can.

III. Impact
~~~~~~~~~~~
To know more about the impact and type of "evasion", I updated the
description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
No timeline, nothing particular to note.
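The advisory gives one actionable fact for a defender: ClamAV engines below 0.95.2 are affected. The script below is an added example (not part of the advisory and not ClamAV project code) that checks an installed engine against that threshold. It assumes the `clamscan --version` banner starts with the string "ClamAV " followed by a dotted version number (e.g. "ClamAV 0.95.1/9337/..."); the sample banners used in the code are constructed for illustration.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fix version stated in the advisory: "Patched (in version 0.95.2)".
PATCHED_VERSION: Tuple[int, ...] = (0, 95, 2)

# Assumed banner shape: "ClamAV <engine version>/<db version>/<db date>".
_BANNER_RE = re.compile(r"ClamAV\s+(\d+(?:\.\d+)*)")


def parse_clamav_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract the engine version from a clamscan --version banner.

    Returns a tuple of ints, or None when the banner is not recognised
    (unknown output should be treated as 'cannot verify', not as 'safe').
    """
    match = _BANNER_RE.search(banner)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when the engine is strictly below the patched release.

    Tuples are padded with zeros so that (0, 95) compares as (0, 95, 0).
    """
    width = max(len(version), len(PATCHED_VERSION))
    have = version + (0,) * (width - len(version))
    need = PATCHED_VERSION + (0,) * (width - len(PATCHED_VERSION))
    return have < need


def assess_banner(banner: str) -> str:
    """Classify a banner as 'affected', 'patched' or 'unknown'."""
    version = parse_clamav_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "patched"


def check_installed(command: str = "clamscan") -> str:
    """Run the local scanner and classify it; 'unknown' if it is absent."""
    try:
        out = subprocess.run(
            [command, "--version"], capture_output=True, text=True, timeout=30
        ).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown"
    return assess_banner(out)


if __name__ == "__main__":
    # Constructed sample banners, not real scanner output.
    for sample in ("ClamAV 0.95.1/9337/Mon May  4 2009",
                   "ClamAV 0.95.2/9399/Wed Jun 10 2009",
                   "clamscan: command not found"):
        print(f"{sample!r:45} -> {assess_banner(sample)}")
    print("installed engine ->", check_installed())
```

A gateway inventory job can call `check_installed()` on each host and alert on anything other than "patched"; "unknown" is reported separately so that a missing or unparseable scanner is not silently counted as fixed.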