[TZO-09-2009] Avast bypass / evasion (Limited details)

From: Thierry Zoller <Thierry@Zoller.lu>
To: NTBUGTRAQ <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,bugtraq <bugtraq@securityfocus.com>,full-disclosure <full-disclosure@lists.grok.org.uk>,info@circl.etat.lu,vuln@secunia.com,cert@cert.org,nvd@nist.gov,cve@mitre.org
Subject: [TZO-09-2009] Avast bypass / evasion (Limited details)


    From the low-hanging-fruit-department - AVAST bypass/evasion

Release mode: Forced release, vendor has not replied.
Ref         : TZO-092009 - AVAST Generic Evasion 
WWW         : http://blog.zoller.lu/2009/04/release-mode-forced-release-vendor-has.html
Vendor      : http://www.avast.com
Security notification reaction rating : Catastrophic

Disclosure Policy : 

Affected products : 
- List t.b.a when vendor cooperates (probably all versions)
- Known engine version to be affected - prior and post VPS:090409-0  

As this bug has not been reproduced by the vendor, this limited advisory
relies on the assumption that my tests were conclusive and that the test
environment mimics the production environment.

I. Background
Quote: "Comprehensive network security solution for corporate customers 
certified and tested by ICSA and Checkmark. It provides complete 
server and desktop virus protection."

II. Description
The parsing engine can be bypassed by a specially crafted and formated
RAR archive. Details are currently witheld :

A professional reaction to a vulnerability notification is a way to 
measure the maturity of a vendor in terms of security. AVAST is given 
a grace period of two (2) weeks to reply to my notification. Failure 
to do so will result in POC being released in two (2) weeks. 

AVAST (aswell as others) is advised to leave a specific security contact
at [1] in order to simplify getting in contact with them.

III. Impact
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 

The bug results in denying the engine the possibility to inspect
code within the RAR archive. There is no inspection of the content
at all.

IV. Disclosure timeline

14/03/2009 : Send proof of concept, description the terms under which 
             I cooperate and the planned disclosure date. There is
             no security adress listed at [1] and hence took the industry
             standard security contacts addresses secure@ and security@.
             secure@avast.de, secure@alwil.com, security@alwil.com

             No reply.
10/04/2009 : Resending specifying this is the last attempt to disclose
             reponsibly. This time two known contact adresses that were
             previously used to report vulnerabilities were used:
             secalert@avast.com, vlk@avast.com
             No reply.
17/04/2009 : Release of this advisory and begin of grace period.

[1] http://osvdb.org/vendor/1/ALWIL%20Software

Copyright © 1995-2019 LinuxRocket.net. All rights reserved.