[TZO-16-2009] Nod32 CAB bypass/evasion

From: Thierry Zoller <Thierry@Zoller.lu>
To: NTBUGTRAQ <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,bugtraq <bugtraq@securityfocus.com>,full-disclosure <full-disclosure@lists.grok.org.uk>,info@circl.etat.lu,vuln@secunia.com,cert@cert.org,nvd@nist.gov,cve@mitre.org
Subject: [TZO-16-2009] Nod32 CAB bypass/evasion


    From the low-hanging-fruit-department - Nod32 CAB bypass/evasion

Release mode: Coordinated but limited disclosure.
Ref         : TZO-162009 - Nod32 CAB bypass/evasion
WWW         : http://blog.zoller.lu/2009/04/nod32-eset-cab-generic-evasion-limited.html
Status      : No patch, but mitigation recommendations (see below)
Vendor          : http://www.trendmicro.com/       
Security notification reaction rating : Good
Notification to patch time window : 14 days

Disclosure Policy : 

Affected products : 
- ESET Smart Security 4 (update #4036)
- ESET NOD32 Antivirus 4 (update #4036)
- ESET Smart Security 4 Business Edition (update #4036)
- ESET NOD32 Antivirus 4 Business Edition (update #4036)
- ESET NOD32 Antivirus for Exchange Server (update #4036)
- ESET Mail Security  (update #4036)
- ESET NOD32 Antivirus for Lotus Domino Server (update #4036)
- ESET File Security (update #4036)
- ESET Novell Netware (update #4036)
- ESET NOD32 Antivirus for Linux gateway devices (update #4036)

I. Background
ESET develops software solutions that deliver instant, comprehensive protection 
against evolving computer security threats. ESET NOD32 Antivirus, is the flagship
product, consistently achieves the highest accolades in all types of 
comparative testing and is the foundational product that builds 
out the ESET product line to include ESET Smart Security.


II. Description
The parsing engine can be bypassed by a specially crafted and formated
CAB archive. Details are currently witheld due to other vendors that are 
in process of deploying patches.

III. Impact
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 

The bug results in denying the engine the possibility to inspect
code within the CAB archive. There is no inspection of the content
at all.

IV. Disclosure timeline

13/04/2009 : Send proof of concept, description the terms under which 
             I cooperate and the planned disclosure date
                         No reply
17/04/2009 : Resend notification with an indication this will be the last
             attempt to responsibly disclose.
17/04/2009 : Eset acknowledges receipt and previous receipt 

29/04/2009 : Eset informs me that the bug was fixed on the 27th of April
             through and auotmatic update (update #4036)
29/04/2009 : Release of this advisory

Copyright © 1995-2020 LinuxRocket.net. All rights reserved.