[TZO-31-2009] Ikarus multiple generic evasions (CAB,ZIP,RAR)

From: Thierry Zoller <Thierry@Zoller.lu>
To: bugtraq <bugtraq@securityfocus.com>,info@circl.etat.lu,vuln@secunia.com,cert@cert.org,nvd@nist.gov,cve@mitre.org,full-disclosure@lists.grok.org.uk
Subject: [TZO-31-2009] Ikarus multiple generic evasions (CAB,ZIP,RAR)


                 From the low-hanging-fruit-department
             Ikarus multiple generic evasions (CAB,RAR,ZIP)

CHEAP Plug :
You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed.

Release mode: Coordinated but limited disclosure.
Ref         : [TZO-31-2009] - Ikarus multiple evasions through CAB,RAR,ZIP
WWW         : http://blog.zoller.lu/2009/06/subscribe-to-rss-feed-in-case-you-are.html (sorry)
Vendor      : http://www.ikarus.at
Status      : Patched (after engine version 1.1.58)
CVE         : none provided
Credit      : t.b.a
OSVDB vendor entry: Ikarus is not listed as a vendor in OSVDB
Security notification reaction rating : good
Notification to patch window : 77 days
Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
-  IKARUS virus utilities  (scan-time)
-  IKARUS myM@ilWall
-  IKARUS Content Wall
-  IKARUS security.proxy

I. Background
Ikarus Software GMBH is an Anti-virus company based in Austria.

II. Description
The archive parsing engine can be bypassed by a specially crafted and formatted
RAR (header flags and packed size fields), ZIP (file length field) or CAB (file size field) archive.

III. Impact
The bug prevents the engine from inspecting the code contained in the
crafted CAB, RAR and ZIP archives: the archive content is not inspected
at all.

A general description of the impact and nature of AV Bypasses/evasions
can be read at :  http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
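The three formats named above fail in the same way: the scanner trusts a size or length field in a header and stops looking where that field says the data ends. The Python check below is an added example, not part of this advisory and not code from the Ikarus engine; it shows the defender-side counterpart for the ZIP case. It cross-checks the central directory against each local file header and against the bytes actually present in the file, and reports every disagreement instead of silently accepting one of the declared lengths. Header offsets follow the ZIP specification (APPNOTE); the function names and the in-memory sample archive are mine. The builder's tamper=True variant overwrites one local-header size field so the check has something to flag.

```python
"""Consistency check for ZIP archives: every entry's sizes are declared twice
(local file header and central directory), and the bytes on disk must agree
with both. A scanner that trusts a single length field can be steered past
the real content; one that cross-checks the fields reports the mismatch."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def check_zip_consistency(data: bytes) -> list:
    """Return a list of inconsistencies between the central directory, the
    local file headers and the data actually present. Empty list = consistent."""
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    # EOCD: sig(4) disk(2) cd_disk(2) n_this(2) n_total(2) cd_size(4) cd_offset(4)
    n_total, _cd_size, cd_offset = struct.unpack("<HII", data[eocd + 10:eocd + 20])

    pos = cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            findings.append(f"central directory entry at offset {pos}: bad signature")
            break
        (method,) = struct.unpack("<H", data[pos + 10:pos + 12])
        # central header from offset 16: crc(4) comp(4) uncomp(4) name_len(2)
        # extra_len(2) comment_len(2) disk(2) int_attr(2) ext_attr(4) local_off(4)
        (crc, c_comp, c_uncomp, name_len, extra_len, comment_len,
         _disk, _iattr, _eattr, local_off) = struct.unpack("<IIIHHHHHII", data[pos + 16:pos + 46])
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        pos += 46 + name_len + extra_len + comment_len

        if data[local_off:local_off + 4] != LOCAL_SIG:
            findings.append(f"{name}: central directory points at offset {local_off} with no local header")
            continue
        (flags,) = struct.unpack("<H", data[local_off + 6:local_off + 8])
        # local header from offset 18: comp(4) uncomp(4) name_len(2) extra_len(2)
        l_comp, l_uncomp, l_name_len, l_extra_len = struct.unpack("<IIHH", data[local_off + 18:local_off + 30])
        l_name = data[local_off + 30:local_off + 30 + l_name_len].decode("utf-8", "replace")
        if l_name != name:
            findings.append(f"{name}: local header carries a different name {l_name!r}")
        # flag bit 3 defers the sizes to a data descriptor; only then may the
        # local sizes legitimately differ (they are zero) from the central ones
        if not flags & 0x08 and (l_comp, l_uncomp) != (c_comp, c_uncomp):
            findings.append(f"{name}: local header sizes {(l_comp, l_uncomp)} "
                            f"differ from central directory {(c_comp, c_uncomp)}")

        # Verify that the span the central directory declares really holds
        # data that decompresses to the declared size and CRC.
        start = local_off + 30 + l_name_len + l_extra_len
        end = start + c_comp
        if end > cd_offset:
            findings.append(f"{name}: declared data ({c_comp} bytes) runs past the central directory")
            continue
        payload = data[start:end]
        try:
            if method == 0:        # stored
                plain = payload
            elif method == 8:      # deflate, raw stream (no zlib header)
                plain = zlib.decompress(payload, -15)
            else:
                findings.append(f"{name}: unsupported method {method}, content not verified")
                continue
        except zlib.error as exc:
            findings.append(f"{name}: declared compressed span does not decompress ({exc})")
            continue
        if len(plain) != c_uncomp or (zlib.crc32(plain) & 0xFFFFFFFF) != crc:
            findings.append(f"{name}: decompressed data does not match declared size/CRC")
    return findings


def build_sample(tamper: bool = False) -> bytes:
    """Constructed test input: a one-entry archive built in memory. With
    tamper=True the compressed-size field of the first local header (at
    offset 18, since the first local header starts at offset 0) is overwritten
    so that it no longer matches the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample payload, not malware " * 8)
    data = bytearray(buf.getvalue())
    if tamper:
        struct.pack_into("<I", data, 18, 1)
    return bytes(data)


if __name__ == "__main__":
    print("clean archive   :", check_zip_consistency(build_sample(False)) or "consistent")
    print("tampered archive:", check_zip_consistency(build_sample(True)))
```

The design choice worth noting is that the check never picks one field as "the truth": a mismatch between the two headers, or between either header and what the bytes decompress to, is itself the signal, and a scanner built this way should treat such an archive as suspect rather than skipping it. Extending the same idea to RAR and CAB means comparing each format's own duplicated or derivable size fields (header-declared versus actually present) in the same manner.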

IV. Disclosure time-line
23/03/2009 : Sent proof of concept (ZIP), a description of the terms under which
             I cooperate and the planned disclosure date.
04/04/2009 : Sent proof of concept (RAR)
07/04/2009 : Ikarus acknowledges receipt, patching Dev builds has begun
10/04/2009 : Resending ZIP PoC
13/04/2009 : Submitting CAB PoC
17/04/2009 : Ikarus demands to delay disclosure
01/05/2009 : Ikarus states that it has started QA for the new builds
03/06/2009 : Ikarus informs me that they started deploying the patches/updates.
             Credit will be given on a website to come.
09/06/2009 : Release of this advisory.
