[TZO-18-2009] Mcafee multiple evasions/bypasses (RAR, ZIP)

From: Thierry Zoller <Thierry@Zoller.lu>
To: bugtraq <bugtraq@securityfocus.com>
Subject: [TZO-18-2009] Mcafee multiple evasions/bypasses (RAR, ZIP)


From the low-hanging-fruit-department - Mcafee multiple generic evasions

Release mode: Coordinated but limited disclosure.
Ref         : TZO-182009 - Mcafee multiple generic evasions
WWW         : http://blog.zoller.lu/2009/04/mcafee-multiple-bypassesevasions-ziprar.html
Vendor      : http://www.mcafee.com
Status      : Patched
CVE         : CVE-2009-1348 (provided by mcafee)

Security notification reaction rating : very good
Notification to patch window : +-27 days (Eastern holidays in between)

Disclosure Policy : 

Affected products : 
- McAfee VirusScan Plus 2009
- McAfee Total Protection 2009
- McAfee Internet Security
- McAfee VirusScan USB
- McAfee VirusScan Enterprise
- McAfee VirusScan Enterprise Linux
- McAfee VirusScan Enterprise for SAP
- McAfee VirusScan Enterprise for Storage
- McAfee VirusScan Commandline
- Mcafee SecurityShield for Microsoft ISA Server
- Mcafee Security for Microsoft Sharepoint
- Mcafee Security for Email Servers
- McAfee Email Gateyway
- McAfee Total Protection for Endpoint
- McAfee Active Virus Defense
- McAfee Active VirusScan
It is unkown whether SaaS were affected (tough likely) :
- McAfee Email Security Service
- McAfee Total Protection Service Advanced

I. Background
Quote: "McAfee proactively secures systems and networks from known 
and as yet undiscovered threats worldwide. Home users, businesses, 
service providers, government agencies, and our partners all trust 
our unmatched security expertise and have confidence in our 
comprehensive and proven solutions to effectively block attacks
and prevent disruptions."

II. Description
The parsing engine can be bypassed by a specially crafted and formated
RAR (Headflags and Packsize),ZIP (Filelenght) archive.

III. Impact
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 

The bug results in denying the engine the possibility to inspect
code within RAR and ZIP archives. There is no inspection of the content
at all and hence the impossibility to detect malicious code.

IV. Disclosure timeline
04/04/2009 : Send proof of concept RAR I, description the terms under which 
             I cooperate and the planned disclosure date
06/04/2009 : Send proof of concept RAR II, description the terms under which 
             I cooperate and the planned disclosure date
06/04/2009 : Mcafee acknowledges receipt and reproduction of RAR I, ack
             acknowledges receipt of RARII                       
10/04/2009 : Send proof of concept ZIP I, description the terms under which 
             I cooperate and the planned disclosure date

21/04/2009 : Mcafee provides CVE number CVE-2009-1348 
28/04/2009 : Mcafee informs me that the patch might be released on the 29th
29/04/2009 : Mcafee confirms patch release and provides URL
29/04/2009 : Ask for affected versions

29/04/2009 : Mcafee replies " This issue does affect all vs engine products, including 
             both gateway and endpoint"

Copyright © 1995-2020 LinuxRocket.net. All rights reserved.