______________________________________________________________________ From the low-hanging-fruit-department - Avira antivir bypass/evasion ______________________________________________________________________ Release mode: Coordinated but limited disclosure. Ref : TZO-132009 - Avira Antivir evasion CAB WWW : http://blog.zoller.lu/2009/04/avira-antivir-generic-cab-bypass.html Vendor : http://www.avira.com Status : Patched Security notification reaction rating : Good Notification to patch window : 7 days (Eastern holidays in between) Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html Affected products : - Avira AntiVir Free (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148) - Avira AntiVir Premium (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148) - Avira AntiVir Premium Security Suite (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148) - Avira AntiVir Professional (Desktop) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148) - Avira AntiVir Server (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148) - Avira AntiVir Exchange (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148) - Avira AntiVir SharePoint (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148) - Avira AntiVir ISA Server (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148) - Avira AntiVir MIMEsweeper (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148) - Avira AntiVir for KEN! 4 (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148) - Avira AntiVir Virus Scan Adapter for SAP NetWeaver® - Avira AntiVir Professional (Unix) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148) - Avira AntiVir Server (Unix) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148) - Avira AntiVir MailGate (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148) - Avira AntiVir WebGate (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148) I. Background ~~~~~~~~~~~~~ Quote: "Avira AntiVir is a reliable free antivirus solution, that constantly and rapidly scans your computer for malicious programs such as viruses, Trojans, backdoor programs, hoaxes, worms, dialers etc. Monitors every action executed by the user or the operating system and reacts promptly when a malicious program is detected. The protection experts have numerous company locations throughout Germany and cultivate partnerships in Europe, Asia and America. Avira has more than 180 employees at their main office in Tettnang near Lake Constance and is one of the largest employers in the region. There are around 250 people employed worldwide whose commitment is continually being confirmed by awards. A significant contribution to protection is the Avira AntiVir Personal which is being used by private users a million times over. AV-Comparatives e.V. have chosen Avira AntiVir Premium as the best anti-virus solution of 2008" II. Description ~~~~~~~~~~~~~~~ The parsing engine can be bypassed by a specially crafted and formated CAB archive. Details are currently witheld due to other vendors that are in process of deploying patches. III. Impact ~~~~~~~~~~~ A general description of the impact and nature of AV Bypasses/evasions can be read at : http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html The bug results in denying the engine the possibility to inspect code within the CAB archive. There is no inspection of the content at all and hence the impossibility to detect malicious code. IV. Disclosure timeline ~~~~~~~~~~~~~~~~~~~~~~~~~ DD/MM/YYYY 10/04/2009 : Send proof of concept, description the terms under which I cooperate and the planned disclosure date 10/04/2009 : Avira acknowledges receipt and informs me of the eastern holidays in Germany. 16/04/2009 : Asked for update 17/04/2009 : Avira replies the problem is fixed in "AVPack >= 8.1.3.14 7.6.1.19", changes have been made to the sdk in order to allow 3rd party AV vendors that use the engine to reveive more details about the file. 18/04/2009 : Avira informs me that the patch is in production since the 17th of April. AV7 7.9.0.148 / AV8/9: 8.2.0.148 18/04/2009 : Ask for more details about the impact of gateway appliances 23/04/2009 : Avira states that the archive effectively evade the default configuration of Avira AntiVir MailGate and Avira AntiVir WebGate (prior to patch). Future evasions can be blocked by setting "BlockSuspiciousArchive" to yes however this is not enabled by default. 27/04/2009 : Release of this advisory