[TZO-30-2009] Kaspersky and the silent patch that wasn't (PDF evasion, forced full disclosure)

From: Thierry Zoller <Thierry@Zoller.lu>
To: bugtraq <bugtraq@securityfocus.com>,info@circl.etat.lu,vuln@secunia.com,cert@cert.org,nvd@nist.gov,cve@mitre.org,full-disclosure@lists.grok.org.uk
Subject: [TZO-30-2009] Kaspersky and the silent patch that wasn't (PDF evasion, forced full disclosure)


                    From the facepalm department
              Kaspersky and the silent fix that wasn't
                            PDF Evasion

Release mode: Forced disclosure
Ref         : [TZO-30-2009] - Kaspersky PDF evasion (Forced disclosure)
WWW         : http://blog.zoller.lu/2009/05/advisory-kaspersky-generic-pdf-evasion.html
Vendor      : http://www.kaspersky.com
Status      : Silent fix that doesn't work - No appropriate patch 
CVE         : none provided
Credit      : none given
OSVDB vendor entry: No [1]

Security notification reaction rating : Catastropic

Not only did the headquarter not answer, they (tried) to patch this
vulnerability silently, only to fail at it. See Timeline.

This is not the first time that Kaspersky did not answer but patched
bugs without credit, advisory or anything. This is however the last 
time I will not disclose, I am no longer part of an entity that tolerates
irresponsible non-disclosure. 

A professional reaction to a vulnerability notification is a way to measure 
the maturity of a vendor in terms of security. Kaspersky is given a grace 
period of two (2) weeks to reply to my notifications. Failure to do so will 
result in details of all the other reported bugs be released in two (2) weeks. 

Notification to patch window : x+n 
Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products (all versions) :
- Kaspersky Internet Security
- Kaspersky Anti-Virus
- Kaspersky Mobile Security
- Kaspersky Small Office Security
- Kaspersky Open Space Security
  - Kaspersky Business Space Security
  - Kaspersky Work Space Security
  - Kaspersky Enterprise Space Security
- Kaspersky Targeted Security
- Kaspersky Anti-Virus for Microsoft ISA Server
- Kaspersky Anti-Virus for Proxy Server
- Kaspersky Anti-Virus for Check Point Firewall-1 
- Kaspersky Anti-Virus for Windows Server
- Kaspersky Anti-Virus for Windows Server Enterprise Edition
- Kaspersky Anti-Virus for Novell NetWare
- Kaspersky Anti-Virus for Linux File Server
- Kaspersky Anti-Virus for Samba Server 
- Kaspersky Security for Microsoft Exchange 2007
- Kaspersky Security for Microsoft Exchange 2003
- Kaspersky Anti-Virus for Lotus Notes/Domino 
- Kaspersky Anti-Virus for Windows Workstation
- Kaspersky Anti-Virus for Linux Workstation 
- Kaspersky Anti-Virus for Linux Mail Server
- Kaspersky Mail Gateway
- Kaspersky Anti-virus for MIMEsweeper 

See notification and disclosure terms for details about this list.

I. Background
Quote: "We develop, produce and distribute information security solutions that 
protect our customers from IT threats and allow enterprises to manage risk. 
We provide products that protect information from viruses, hackers and spam 
for home users and enterprises and offer consulting services and technical 
support. "

II. Description
The PDF files are not parsed correctly, a PDF file starts with the magic
byte "%PDF" and ends with the magic byte "%%EOF", everything in between
those markers is parsed and interpreted. Furthermore PDF files are read from
the bottom to the top. 

Adobe Acrobat nor the FoxitReader care too much about the data that 
comes prior the magic byte, the kaspersky engine does, not only does
it care, it fails to detect the malware inside the PDF file.

I will spare you the details, a PDF file is bascialy a container that 
starts with %PDF and ends with %%EOF.

What follows are the details of this evasion, note this one is generic
and the easiest one, there are plenty more. What you read below is true
as amazing as it might seem, you can't have it more simple.

Example of a malicious PDF file [2]+[3] :

  Malicious content here

Doing :

  Enter stuff here, like random text.
  Malicious content here
This has the result that the malware is no longer being detected. 
Note: Not a single byte of the malware itself been altered, and strictly speaking
the content that represent a PDF file hasn't been changed at all.

This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.

Kaspersky was given the PoC file directly through myself and F-Secure,  they
went ahead an patched this by adding a signature for the POC file, adding 
a PE header in front of a PDF file (with a PDF extension) still evades detection
and the exploit still triggers when opening the file with Adobe. Thus the
patch is flawed by design.

III. Impact
The heuristics can be bypassed by a special formated PDF "container", this
leads to the bypass of malicious PDF files, old or new. This is not a 
bypass that relies on archive structures but relies on evading certain 
code paths in the av engine "through various means".

A general description of the impact and nature of AV Bypasses/evasions
can be read at :  http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

Note: Certain vendors confirmed this to bypass their engine at runtime.

IV. Timeline
15/05/2009 : Send proof of concept, description the terms under which 
             I cooperate and the planned disclosure date.
             no reply

xx/05/2009 : F-Secure sends the same sample to Karspersky                        
01/06/2009 : Re-sending the proof of concept, description the terms under which 
             I cooperate and the planned disclosure date.

             no reply
03/06/2009 : F-Secure informs me that the sample was submitted to Kaspersky

03/06/2009 : Informed F-secure to communicate with Kaspersky and please ask 
             them to reply to my notifications.

03/06/2009 : Kaspersky Moscow visits my blog, searches for "AVP" and "Kaspersky". 
             Obviously they received both reports. (see website for pic)

             No reply

04/06/2009 : Discovered that the POC file is now detected by the latest Kaspersky 
04/06/2009 : Discovered that adding a few bytes evades the engine again. 

09/06/2009 : Release of this advisory on the blog, tweet. Hoping for any reaction
             prior to sending it to bugtraq
13/06/2009 : Release to Bugtraq et al.   

Note (in all fairness): Kaspersky US did acknowledge the receipt of 2 other bugs,
however they  couldn't provide any information or any reaction as Moscow simply 
didn't answer them. 
[1] http://osvdb.org/vendor/1/Kaspersky%20Labs
[2] http://blog.didierstevens.com/2009/05/14/malformed-pdf-documents/
[3] http://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/

Copyright © 1995-2019 LinuxRocket.net. All rights reserved.