[TZO-43-2009] - Clamav generic evasion (CAB)

From: Thierry Zoller <Thierry@Zoller.lu>
To: bugtraq <bugtraq@securityfocus.com>,info@circl.etat.lu,vuln@secunia.com,cert@cert.org,nvd@nist.gov,cve@mitre.org,full-disclosure@lists.grok.org.uk
Subject: [TZO-43-2009] - Clamav generic evasion (CAB)


                From the low-hanging-fruit-department
                    Clamav generic evasion (CAB)

Shameless plug :
You are invited to join the 2009 edition of HACK.LU, a small but 
concentrated luxemburgish security conference.
More information : http://www.hack.lu - CFP is open, sponsorship is
still possible and warmly welcomed.

Release mode: Coordinated but limited disclosure.
Ref         : [TZO-43-2009] - Clamav generic evasion (CAB)
WWW         : http://blog.zoller.lu/2009/05/advisory-clamav-generic-evasion-cab.html 
Vendor      : http://www.clamav.net &
Status      : Patched (in version 0.95.2)
CVE         : none provided
Security notification reaction rating : good

Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- ClamAV below 0.96

Affected systems:
- MACOSX server,
- IBM Secure E-mail Express Solution for System
Others : http://www.clamav.net/about/who-use-clamav/

I. Background
Quote: "Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, 
designed especially for e-mail scanning on mail gateways. It provides 
a number of utilities including a flexible and scalable multi-threaded
daemon, a command line scanner and advanced tool for automatic 
database updates. The core of the package is an anti-virus engine 
available in a form of shared library. "

II. Description
The parsing engine can be bypassed by manipulating CAB (Filesize) archives 
in a "certain way" that the Clamav engine cannot extract the content but
the end user is able to. 

III. Impact
To know more about the impact and type of "evasion", I updated the 
description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Disclosure timeline

Nothing particular too note.

Copyright © 1995-2019 LinuxRocket.net. All rights reserved.