________________________________________________________________________ >From the low-hanging-fruit-department - AVG generic ZIP bypass / evasion ________________________________________________________________________ CHEAP Plug : **** You are invited to participate in HACK.LU 2009, a small but concentrated luxemburgish security conference. More information : http://www.hack.lu CFP is open, sponsorship is still possible and warmly welcomed! **** Release mode: Coordinated but limited disclosure. Ref : [TZO-20-2009] - AVG generic ZIP bypass / evasion WWW : http://blog.zoller.lu/2009/04/avg-zip-evasion-bypass.html Vendor : http://www.AVG.com Status : Patched (with engine build 8.5 323) CVE : none provided Credit : t.b.a OSVDB vendor entry: none [1] Security notification reaction rating : good Notification to patch window : +-28 days Comment: Interestingly at AVG, the support department handles the security notification response, which strangely seemed to work out this time. I guess when procedures and awareness are in place it doesn't matter that much. (You loose the "bouncer effect" for irrelevant reports though). I'd recommend to designate one person to be responsible to security related issues, and "train" the others to forward to that person (even in case of doubt if security or not) if you choose to have support department handle security notifications. Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html Affected products : - AVG Anti-Virus Network Edition (prior to engine build 8.5 323) - AVG Internet Security Netzwerk Edition (prior to engine build 8.5 323) - AVG Server Edition für Linux/FreeBSD (prior to engine build 8.5 323) - AVG eMail Server Edition (prior to engine build 8.5 323) - AVG File Server Edition (prior to engine build 8.5 323) - AVG Internet Security SBS Edition (prior to engine build 8.5 323) - AVG Anti-Virus SBS Edition (prior to engine build 8.5 323) - AVG Anti-Virus plus Firewall (prior to engine build 8.5 323) - AVG Anti-Virus (prior to engine build 8.5 323) I. Background ~~~~~~~~~~~~~ Quote: "Founded in 1991, with corporate offices in Europe, the US and the UK, AVG is focused on providing home and business computer users with the most comprehensive and proactive protection against computer security threats. With more than 80 million active users around the world, the AVG family of security software products is distributed globally through resellers and through the Web and supports all major operating systems and platforms." II. Description ~~~~~~~~~~~~~~~ The parsing engine can be bypassed by a specially crafted and formated ZIP (Filelenght) archive. III. Impact ~~~~~~~~~~~ A general description of the impact and nature of AV Bypasses/evasions can be read at : http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html The bug results in denying the engine the possibility to inspect code within RAR and ZIP archives. There is no inspection of the content at all and hence the impossibility to detect malicious code. IV. Disclosure timeline ~~~~~~~~~~~~~~~~~~~~~~~~~ DD/MM/YYYY 10/04/2009 : Send proof of concept, description the terms under which I cooperate and the planned disclosure date. 14/04/2009 : AVG acknowledges reproducibility 14/04/2009 : I inform AVG that this is a security notification not a simple bug report. 15/04/2009 : AVG acknowledges through a second channel 15/04/2009 : AVG informs me that the fix has been made and the code is currently being tested prior to being deployed. 15/04/2009 : Ask second channel AVG contact what versions and products are affected. no reply 07/05/2009 : Ask AVG wether the patches have now been deployed 08/05/2009 : AVG answers that the patches have been deployed 08/05/2009 : Ask AVG what versions have been affected 08/05/2009 : AVG states that "[..]AVG 8.5 build 285 are affected by this issue but the latest release of AVG 8.5 build 323 has resolved the reported issue.[..]" 08/05/2009 : Release of this advisory. [1] Grisoft (AVG) is encouraged to leave their security contact details at http://osvdb.org/vendor/1/Grisoft to facilate communication and reduce lost reports.