Update for the magic byte bug

From: Andrey Bayora (andrey_at_securityelf.org)
Date: 10/26/05

  • Next message: Mandriva Security Team: "MDKSA-2005:197 - Updated unzip packages fix suid, permissions vulnerabilities."
    To: <full-disclosure@lists.grok.org.uk>
    Date: Wed, 26 Oct 2005 21:27:17 +0200
    
    

    UPDATE, October 26, 2005 - Updated list of the vulnerable products.

    Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through
    forged magic byte.

    AUTHOR: Andrey Bayora (www.securityelf.org)

    For more details, screenshots and examples please read my article "The Magic
    of magic byte" at www.securityelf.org . In addition, you will find a sample
    "triple headed" program which has 3 different 'execution entry points',
    depending on the extension of the file (exe, html or eml) - just change the
    extension and the SAME file will be executed by (at least) THREE DIFFERENT
    programs! (thanks to contributing author Wayne Langlois from
    www.diamondcs.com.au).

    DATE: October 25, 2005

    VULNERABLE vendors and software (tested):

    1. ArcaVir 2005 (engine 2005-06-03,vir def 2005-06-27, scanner ver
    2005-03-06, package ver 2005-06-21)
    2. AVG 7 (updates 24 June, ver.7.0.323, virus base 267.8.0/27)
    3. eTrust CA (ver 7.0.1.4, engine 11.9.1, vir sig. 9229)
    4. Dr.Web (v.4.32b, update 27.06.2005)
    5. F-Prot (ver. 3.16c, update 6/24/2005)
    6. Ikarus (latest demo version for DOS)
    7. Kaspersky (update 24 June, ver. 5.0.372)
    8. McAfee Internet Security Suite 7.1.5 (updates 25 June, ver 9.1.08,
    engine 4.4.00, dat 4.0.4519 6/22/2005)
    9. McAfee Corporate (updates 25 June, ver. 8.0.0 patch 10, vir def 4521,
    engine 4400)
    10. Norman ( ver 5.81, engine 5.83.02, update 2005/06/23)
    11. TrendMicro PC-Cillin 2005 (ver 12.0.1244, engine 7.510.1002, pattern
    2.701.00)
    12. TrendMicro OfficeScan (ver7.0, engine 7.510.1002, vir pattern 2.701.00
    6/23/2005)
    13. Panda Titanium 2005 (updates 24 June, ver 4.02.01)
    14. UNA - Ukrainian National Antivirus (ver. 1.83.2.16 kernel v.265)
    15. Sophos 3.91 (engine 2.28.4, virData 3.91)

    UPDATE, October 26, 2005 (based on the www.virustotal.com scan results, view
    the log at http://www.securityelf.org/updmagic.html)

    16. CAT-QuickHeal (ver 8.0)
    17. Fortinet (2.48.0.0)
    18. TheHacker (5.8.4.128)

    IMPORTANT NOTE:
    Similar vulnerability may exist in many other antivirus\anti-spyware desktop
    and gateway products. In addition, various "file filter" solutions may be
    affected as well.

    NOT VULNERABLE vendors and software (tested):

    1. F-Secure (updates 24 June, ver 5.56 b.10450)
    2. Avast (ver. 4.6.655, vir databas 0525-5 06/25/2005)
    3. BitDefender (ver. 8.0.200, update 6/24/2005, engine 7.01934)
    4. ClamWin (ver. 0.86.1, upd 24 June 2005)
    5. NOD32 (updates 24 June, ver 2.50.25, vir database 1.1152)
    6. Symantec Corporate (ver 10.0.0.359, engine 103.0.2.7)
    7. Norton Internet Security 2005 (ver 11.5.6.14)
    8. VBA32 (ver 3.10.4, updates 27.06.2005)
    9. HBEDV Antivir Personal (ver 6.31.00.01, engine 6.31.0.7, vir def
    6.31.0.109 6/24/2005)
    10. Sophos 5 (ver. 5.0.2, vir def 3.93, upd 6/30/2005)
    11. Sophos 3.95 (engine 2.30.4)

    SEVERITY: critical

    DESCRIPTION:

    The problem exists in the scanning engine - in the routine that determines
    the file type. If some file types (file types tested are .BAT, .HTML and
    .EML) changed to have the MAGIC BYTE of the EXE files (MZ) at the beginning,
    then many antivirus programs will be unable to detect the malicious file. It
    will break the normal flow of the antivirus scanning and many existent and
    future viruses will be undetected.

    NOTE: In my test, I used the EXE headers (MZ), but it is possible to use
    other headers (magic byte) that will lead to the same effect.

    ANALYSIS:

    Some file types like .bat, .html and .eml can be properly executed even if
    they have some "unrelated" beginning. For example, in the case of .BAT
    files - it is possible to prepend some "junk" data at the beginning of the
    file without altering correct execution of the batch file. In my tests, I
    used the calc.exe headers (first 120 bytes - middle of the dosstub section)
    to change 5 different files of existing viruses. In addition, the simplest
    test of this vulnerability is to prepend only the magic byte (MZ) to the
    existing malicious file and check if this file is detected by antivirus
    program.

    NOTE, that this is NOT the case where the change of existing virus file
    resulted in the "broken" detection signature (see details and the test logic
    in "The Magic of magic byte" article at www.securityelf.org).

    WORKAROUND:
    I did not found any effective one besides of patching the vulnerable engine.

    CREDITS:
    The idea for this vulnerability came during discussions from Wayne Langlois
    at diamondcs.com.au, who hinted that JPEGs could probably be exploited in
    this way.

    TIME LINE:

    July 13, 2005 - Initial vendor notification
    July 16, 2005 - Second vendor notification
    .....Waiting.....Waiting....
    October 24, 2005 - Public disclosure (uncoordinated) (lack of coordination
    from the vendors side)
    October 26, 2005 - Updated list of the vulnerable products.


  • Next message: Mandriva Security Team: "MDKSA-2005:197 - Updated unzip packages fix suid, permissions vulnerabilities."

    Relevant Pages

    • [Full-disclosure] Update for the magic byte bug
      ... UPDATE, October 26, 2005 - Updated list of the vulnerable products. ... Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through ... NOT VULNERABLE vendors and software: ...
      (Full-Disclosure)
    • Towards a responsible vulnerability process
      ... I work closely with the vulnerability response process at Microsoft, ... vendors" is being hopelessly overly general. ... and not all of them lead to widespread attacks. ...
      (NT-Bugtraq)
    • CERT Advisory CA-2002-10 Format String Vulnerability in rpc.rwalld
      ... A format string vulnerability may permit an intruder to ... execute code with the privileges of the rwall daemon. ... which would trigger the rwall daemon's error message. ... Appendix A contains information provided by vendors for this advisory. ...
      (Cert)
    • CERT Advisory CA-2002-10 Format String Vulnerability in rpc.rwalld
      ... A format string vulnerability may permit an intruder to ... execute code with the privileges of the rwall daemon. ... which would trigger the rwall daemon's error message. ... Appendix A contains information provided by vendors for this advisory. ...
      (Cert)
    • Re: [Full-Disclosure] Microsoft Cries Wolf ( again )
      ... > harmful about a security vulnerability are individuals who wish to exploit ... the harm from a vulnerability increases dramatically ... feeding that info to a vendors might not get the info ...
      (Full-Disclosure)