______________________________________________________________________ From the low-hanging-fruit-department - Aladdin eSafe bypass/evasion ______________________________________________________________________ Release mode: Forced relaese, vendor has not replied. Ref : TZO-152009 - Aladdin eSafe Generic Evasion WWW : http://blog.zoller.lu/2009/04/aladdin-esafe-generic-evasion-bypass.html Status : Not patched Vendor : http://www.aladdin.com Security notification reaction rating : Catastrophic (vendor visited specific url at my website but has not reacted) Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html If you wonder the about the reasons behind such forced releases please visit: http://blog.zoller.lu/2009/04/dear-thierry-why-are-you-such-arrogant.html Affected products : - t.b.a (Vendor has not reacted, please see below) - probably all versions including gateway solutions As this bug has not been reproduced by the vendor, this limited advisory relies on the assumption that my tests were conclusive and that the test environment mimics the production environment. I. Background ~~~~~~~~~~~~~ Quote: "Aladdin is dedicated to being the leading provider of security services and solutions used to protect digital assets, enable secure business, and maximize the benefits from creating, selling, distributing and using digital content." II. Description ~~~~~~~~~~~~~~~ The parsing engine can be bypassed by a specially crafted and formated archive file. Details are currently witheld due to other vendors that are in process of deploying patches. A professional reaction to a vulnerability notification is a way to measure the maturity of a vendor in terms of security. Aladdin is given a grace period of two (2) weeks to reply to my notification. Failure to do so will result in POC being released in two (2) weeks. Aladdin is advised to leave a specific security contact at [1] in order to simplify getting in contact with them. As this bug has not been reproduced by the vendor, this limited advisory relies on the assumption that my tests were conclusive. III. Impact ~~~~~~~~~~~ A general description of the impact and nature of AV Bypasses/evasions can be read at : http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html The bug results in denying the engine the possibility to inspect code within the archive. There is no inspection of the content at all. IV. Disclosure timeline ~~~~~~~~~~~~~~~~~~~~~~~~~ DD/MM/YYYY 04/04/2009 : Send proof of concept, description the terms under which I cooperate and the planned disclosure date. There is no security adress listed at [1] and hence took previously known security contacts that are known to exist. No reply. 13/04/2009 : Resending. Copied security@xxxxxxxxxx, security@xxxxxxxxxxx secure@xxxxxxxxxxx, secure@xxxxxxxxxx,support@xxxxxxxxxxx, support@xxxxxxxxxx in CC. No reply. 16/04/2009 : Resending specifying this is the last attempt to disclose reponsibly. No reply. 18/04/2009 : Online virus scan service offered to gap the bridge between vendors that don't reply and myself. Aladin was contacted through third party. No reaction 19/04/2009 : Aladdin visited the blog entry that explains the bypasses and impacts. http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html No reaction 27/04/2009 : Release of this limited advisory. [1] http://osvdb.org/vendor/1/Aladdin%20Knowledge%20Systems
