[TZO-08-2009] Bitdefender generic bypass/evasion

From: Thierry Zoller <Thierry@Zoller.lu>
To: NTBUGTRAQ <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,bugtraq <bugtraq@securityfocus.com>,full-disclosure <full-disclosure@lists.grok.org.uk>,info@circl.etat.lu,vuln@secunia.com,cert@cert.org,nvd@nist.gov,cve@mitre.org
Cc:
Subject: [TZO-08-2009] Bitdefender generic bypass/evasion
Date:


______________________________________________________________________

  From the low-hanging-fruit-department - Bitdefender bypass/evasion
______________________________________________________________________

Release mode: Coordinated but limited disclosure.
Ref         : TZO-082009 - Bitdefender Evasion CAB
WWW         : http://blog.zoller.lu/2009/04/bitdefender-generic-bypassevasion-cab.html
Vendor      : http://www.bitdefender.com
Security notification reaction rating : Good
Notification to patch window : 1 day (!)

Interesting background statistics:
Time required to coordinate disclosure and write the advisory: 2 hours
Time required to find the bug : 10 minutes

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Bitdefender Antivirus 2009 (pre update 13/04/2009)
- Bitdefender Internet Security 2009 (pre update 13/04/2009)
- Bitdefender Total Security 2009 (pre update 13/04/2009)
- Bitdefender Small Office Security (pre update 13/04/2009)
- Bitdefender for Fileservers (pre update 13/04/2009)
- Bitdefender for Samba (pre update 13/04/2009)
- Bitdefender for Sharepoint (pre update 13/04/2009)
- Bitdefender Security for Exchange (pre update 13/04/2009)
- Bitdefender Security for Mailservers (pre update 13/04/2009)
- Bitdefender for ISA Servers (pre update 13/04/2009)
- Bitdefender Client security (pre update 13/04/2009)

Bundles:
- BitDefender Business Security (pre update 13/04/2009)
- Bitdefender Antivirus for Unices (pre update 13/04/2009)
- Bitdefender Corporate Security (pre update 13/04/2009)
- Bitdefender SBS Security (pre update 13/04/2009)

I. Background
~~~~~~~~~~~~~
BitDefender™ provides security solutions to satisfy the protection
requirements of today's computing environment, delivering effective
threat management for over 41 million home and corporate users in more
than 100 countries. BitDefender, a division of SOFTWIN, is headquartered
in Bucharest, Romania and has offices in Tettnang, Germany, Barcelona,
United Kingdom, Denmark, Spain and Fort Lauderdale (FL), USA.



II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formatted
CAB archive. Details are currently withheld because other vendors are
in the process of deploying patches.

III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV bypasses/evasions
can be read at:
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug prevents the engine from inspecting any code within the CAB
archive: the content of the archive is not inspected at all.
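The failure mode above (a malformed archive that the engine silently skips rather than flags) is the general lesson of this class of bug. The following Python is an added example, not code from the advisory or from Bitdefender, and it does not reproduce the withheld CAB malformation. It shows the defensive counterpart: a fail-closed front end that parses the public CFHEADER/CFFOLDER/CFFILE structures, and returns "quarantine" for any archive it cannot make structural sense of instead of letting it pass uninspected. All sample archives are constructed inline with `build_minimal_cab` and `with_field`, which are helpers invented for this example.

```python
import struct
from dataclasses import dataclass

# Constants from the public Microsoft Cabinet (CFHEADER) specification.
CAB_SIGNATURE = b"MSCF"
CFHDR_RESERVE_PRESENT = 0x0004
CFHEADER_FMT = "<4sIIIIIBBHHHHH"             # fixed part of CFHEADER
CFHEADER_LEN = struct.calcsize(CFHEADER_FMT)  # 36 bytes
CFFOLDER_FMT = "<IHH"                         # coffCabStart, cCFData, typeCompress
CFFILE_FMT = "<IIHHHH"                        # cbFile, uoffFolderStart, iFolder, date, time, attribs


@dataclass
class CabSummary:
    cb_cabinet: int
    c_folders: int
    c_files: int
    names: list


def parse_cab(data: bytes) -> CabSummary:
    """Parse CFHEADER, CFFOLDER and CFFILE structures and raise ValueError on
    any inconsistency. Nothing is decompressed; the only goal is to decide
    whether the archive is well-formed enough to be handed to the scanner."""
    if len(data) < CFHEADER_LEN:
        raise ValueError("truncated CFHEADER")
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, _ver_minor, ver_major,
     c_folders, c_files, flags, _set_id, _i_cabinet) = struct.unpack_from(CFHEADER_FMT, data, 0)
    if sig != CAB_SIGNATURE:
        raise ValueError("bad signature")
    if ver_major != 1:
        raise ValueError(f"unsupported major version {ver_major}")
    if cb_cabinet != len(data):
        raise ValueError(f"declared size {cb_cabinet} != actual size {len(data)}")
    if c_folders == 0 or c_files == 0:
        raise ValueError("archive declares no folders or no files")

    pos = CFHEADER_LEN
    cb_cffolder = 0
    if flags & CFHDR_RESERVE_PRESENT:          # optional per-header reserve area
        if len(data) < pos + 4:
            raise ValueError("truncated reserve header")
        cb_cfheader, cb_cffolder, _cb_cfdata = struct.unpack_from("<HBB", data, pos)
        pos += 4 + cb_cfheader
    # CFFOLDER entries follow the header; every data offset must lie inside the file.
    for i in range(c_folders):
        if len(data) < pos + 8:
            raise ValueError(f"truncated CFFOLDER {i}")
        coff_cab_start, c_cfdata, _type = struct.unpack_from(CFFOLDER_FMT, data, pos)
        if coff_cab_start >= len(data) or c_cfdata == 0:
            raise ValueError(f"CFFOLDER {i} points outside the cabinet or has no data blocks")
        pos += 8 + cb_cffolder
    if coff_files != pos:
        raise ValueError(f"coffFiles {coff_files} does not follow the folder table at {pos}")
    # Walk the CFFILE table: 16 fixed bytes plus a NUL-terminated name per entry.
    names = []
    for i in range(c_files):
        if len(data) < pos + 16:
            raise ValueError(f"truncated CFFILE {i}")
        _cb, _uoff, i_folder, _d, _t, _attr = struct.unpack_from(CFFILE_FMT, data, pos)
        if not (i_folder < c_folders or i_folder >= 0xFFFD):   # 0xFFFD.. = spanning markers
            raise ValueError(f"CFFILE {i} references folder {i_folder} which does not exist")
        end = data.find(b"\0", pos + 16)
        if end < 0:
            raise ValueError(f"unterminated name in CFFILE {i}")
        names.append(data[pos + 16:end].decode("ascii", "replace"))
        pos = end + 1
    return CabSummary(cb_cabinet, c_folders, c_files, names)


def classify_archive(data: bytes) -> tuple:
    """Fail-closed policy: an archive the parser cannot make sense of is
    quarantined for review rather than passed through uninspected."""
    try:
        summary = parse_cab(data)
    except ValueError as exc:
        return ("quarantine", f"unparseable CAB: {exc}")
    return ("inspect", f"{summary.c_files} file(s): {', '.join(summary.names)}")


def build_minimal_cab(payload: bytes = b"hello") -> bytes:
    """Constructed sample: one folder holding one stored (uncompressed) file."""
    cffile = struct.pack(CFFILE_FMT, len(payload), 0, 0, 0, 0, 0x20) + b"a.txt\0"
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload
    files_off = CFHEADER_LEN + 8               # one CFFOLDER entry after the header
    data_off = files_off + len(cffile)
    total = data_off + len(cfdata)
    header = struct.pack(CFHEADER_FMT, CAB_SIGNATURE, 0, total, 0, files_off, 0,
                         3, 1, 1, 1, 0, 0, 0)  # version 1.3, 1 folder, 1 file, no flags
    folder = struct.pack(CFFOLDER_FMT, data_off, 1, 0)
    return header + folder + cffile + cfdata


def with_field(data: bytes, offset: int, fmt: str, value: int) -> bytes:
    """Copy of data with one little-endian header field overwritten; used only
    to construct inconsistent samples for exercising the validator."""
    return data[:offset] + struct.pack(fmt, value) + data[offset + struct.calcsize(fmt):]


if __name__ == "__main__":
    good = build_minimal_cab()
    samples = {
        "well-formed": good,
        "truncated header": good[:20],
        "cbCabinet mismatch": with_field(good, 8, "<I", 0x7FFFFFFF),
        "coffFiles out of range": with_field(good, 16, "<I", 0xFFFFFF00),
        "not a CAB at all": b"PK\x03\x04" + b"\0" * 40,
    }
    for label, blob in samples.items():
        print(f"{label:24s} -> {classify_archive(blob)}")
```

The point of the design is the return value of `classify_archive`: a gateway that returns "clean" whenever its parser gives up is exactly what this advisory describes, so the only two outcomes here are "inspect" (structure verified, extract and scan the members) and "quarantine" (structure unverifiable, hold for review). A production engine would additionally verify CFDATA checksums and decompress each folder, but the decision boundary stays the same.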


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
13/04/2009 : Sent proof of concept, a description of the terms under which
             I cooperate and the planned disclosure date

14/04/2009 : Bitdefender responds that the problem was fixed by an
             automatic update on the 13/04/2009

16/04/2009 : Asked which product lines and versions are affected and
             requested a CVE number.

15/04/2009 : Bitdefender states that "All our products are affected
             by this problem. We don't have a CVE number".

17/04/2009 : Release of this advisory
