[Full-Disclosure] iDEFENSE Security Advisory 10.18.04: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability

idlabs-advisories_at_idefense.com
Date: 10/18/04

  • Next message: james edwards: "Re: [Full-Disclosure] ICMP (was: daily internet traffic report)"
    To: <idlabs-advisories@idefense.com>
    Date: Mon, 18 Oct 2004 11:17:55 -0400
    
    

    Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability

    iDEFENSE Security Advisory 10.18.04
    www.idefense.com/application/poi/display?id=153&type=vulnerabilities
    October 18, 2004

    I. BACKGROUND

    This vulnerability affects multiple anti-virus vendors including McAfee,
    Computer Associates, Kaspersky, Sophos, Eset and RAV.

    II. DESCRIPTION

    Remote exploitation of an exceptional condition error in multiple
    vendors' anti-virus software allows attackers to bypass security
    protections by evading virus detection.

    The problem specifically exists in the parsing of .zip archive headers.
    The .zip file format stores information about compressed files in two
    locations - a local header and a global header. The local header exists
    just before the compressed data of each file, and the global header
    exists at the end of the .zip archive. It is possible to modify the
    uncompressed size of archived files in both the local and global header
    without affecting functionality. This has been confirmed with both
    WinZip and Microsoft Compressed Folders. An attacker can compress a
    malicious payload and evade detection by some anti-virus software by
    modifying the uncompressed size within the local and global headers to
    zero.

    III. ANALYSIS

    Successful exploitation allows remote attackers to pass malicious
    payloads within a compressed archive to a target without being detected.
    Most anti-virus engines have the ability to scan content packaged with
    compressed archives. As such, users with up-to-date anti-virus software
    are more likely to open attachments and files if they are under the
    false impression that the archive was already scanned and found to not
    contain a virus.

    IV. DETECTION

    iDEFENSE has confirmed the existence of this vulnerability in the latest
    versions of the engines provided by McAfee, Computer Associates,
    Kaspersky, Sophos, Eset and RAV. The Vendor Responses section of this
    advisory contains details on the status of specific vendor fixes for
    this issue.

    iDEFENSE has confirmed that the latest versions of the engines provided
    by Symantec, Bitdefender, Trend Micro and Panda are not vulnerable.

    V. WORKAROUND

    Filter all compressed file archives (.zip) at border gateways,
    regardless of content.

    VI. VENDOR RESPONSES

    McAfee
    ------
    "The McAfee scan engine has always been a market leader in detection of
    viruses, worms and Trojans within compressed and archived file formats.
    As such the mechanism used for the detection of such payloads has been
    designed to ensure all archive files are thoroughly scanned at each
    nested level in the file to ensure that all appropriate parts of the
    file are scanned.

    McAfee is aware of a proof of concept exploitation in Zip archive
    payloads where information in the local header part of the archive is
    modified.

    The local header exists just before the compressed data of each file. It
    is possible to modify the uncompressed size of archived files in the
    local header without affecting functionality. Consequently there is the
    potential for a malicious payload to be hidden and avoid anti-virus
    detection by modifying the uncompressed size within the local headers to
    zero.

    The techniques used by McAfee to analyze Zip archives have allowed a
    comprehensive solution for the Zip file format vulnerability to be
    provided to protect customers.

    The latest update for the current 4320 McAfee Anti-Virus Engine DATS
    drivers (Version 4398 released on Oct 13th 2004) further enhances the
    protection afforded to McAfee customers against such potential exploits.

    A DATS Driver update issued in Version 4397 (October 6th 2004) provided
    early protection for the same potential exploit targeted specifically
    for Gateway and Command line scanning.

    If a detection of this type of exploit is found it will trigger the
    message "Found the Exploit-Zip Trojan!" to be displayed.

    Updates for the DAT files mentioned above can be located at the
    following links:

    Home (Retail) Users:
    http://download.mcafee.com/uk/updates/updates.asp

    Business (Enterprise) Users:
    http://www.mcafeesecurity.com/uk/downloads/updates/dat.asp?id=1

    It should be noted that whilst McAfee take the potential for this
    exploit to be used maliciously seriously, to date no evidence of such an
    exploit has been discovered. McAfee has provided additional protection
    through the DATS driver update however with usage of the comprehensive
    suite of anti-virus protection strategies provided by McAfee products,
    MacAfee are confident that this exploit presented no additional threat
    to its customers.

    It should be noted that with McAfee on-access scanning active, such
    modification for malicious purposes to hide payloads only delays
    eventual detection - McAfee on-access detection will detect any payload
    with malicious intent as malware.

    McAfee continues to focus on ensuring that customers receive maximum
    protection and provide a rapid response to all potential vulnerabilities
    thus ensuring customer satisfaction."

    Computer Associates
    -------------------
    "With the assistance of iDEFENSE, Computer Associates has identified a
    medium-risk vulnerability in a shared component of eTrust Antivirus
    which may allow a specially crafted .ZIP file to bypass virus detection.
    A number of CA products embed this technology including solutions from
    eTrust, Brightstor and others.

    Customers are encouraged to visit the CA support web site below for more
    information about this vulnerability, a list of products and platforms
    that are effected, and remediation procedures.
    http://supportconnectw.ca.com/public/ca_common_docs/arclib_vuln.asp.

    At Computer Associates, every reported exposure is handled with the
    utmost urgency. We strive to ensure that no customer is left in a
    vulnerable situation."

    Kaspersky
    ---------
    (09/24/2004)
    "...this bug for scanners based on 3.x-4.x engines will be fixed in next
    (not current) cumulative update.

    For scanners based on new 5.0 engine we recommend you waiting for the
    release of our next maintenance pack. We are going to release it in
    October."

    Sophos
    ------
    No vendor statement provided

    Eset

    ----
    "The vulnerability was caused by the fact that some archive
    compression/decompression software (including Winzip) incorrectly
    handles compressed files with deliberately damaged header fields, thus,
    in-fact, allowing creation of the damaged archive files, that could be
    automatically repaired on the victims computer without notifying the
    user.
    Eset has made appropriate modifications to archive-scanning code to
    handle such kind of archives immediately after receiving notification
    from iDEFENSE. These changes are contained in archive-support module
    version 1.020, released on 16th September 2004 at 21:00 CET. The update
    was available for all clients with Automatic Virus-Signatures Update
    set."
    RAV
    ---
    No vendor response
    VII. CVE INFORMATION
    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    following names to these issues:
    CAN-2004-0932 - McAfee
    CAN-2004-0933 - Computer Associates
    CAN-2004-0934 - Kaspersky
    CAN-2004-0937 - Sophos
    CAN-2004-0935 - Eset
    CAN-2004-0936 - RAV
    These are candidates for inclusion in the CVE list
    (http://cve.mitre.org), which standardizes names for security problems.
    VIII. DISCLOSURE TIMELINE
    09/16/2004  Initial vendor notification
    09/16/2004  iDEFENSE clients notified
    10/18/2004  Coordinated public disclosure
    IX. CREDIT
    The discoverer of this vulnerability wishes to remain anonymous.
    Get paid for vulnerability research
    http://www.idefense.com/poi/teams/vcp.jsp
    X. LEGAL NOTICES
    Copyright (c) 2004 iDEFENSE, Inc.
    Permission is granted for the redistribution of this alert
    electronically. It may not be edited in any way without the express
    written consent of iDEFENSE. If you wish to reprint the whole or any
    part of this alert in any other medium other than electronically, please
    email customerservice@idefense.com for permission.
    Disclaimer: The information in the advisory is believed to be accurate
    at the time of publishing based on currently available information. Use
    of the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect,
    or consequential loss or damage arising from use of, or reliance on,
    this information.
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    

  • Next message: james edwards: "Re: [Full-Disclosure] ICMP (was: daily internet traffic report)"

    Relevant Pages