
UNIRAS Brief - 577/04 - iDEFENSE Security Advisory 10.18.04 - Multiple Vendor Anti-Virus Software Detection



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 577/04 dated 19.10.04  Time: 11:15  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

iDEFENSE Security Advisory 10.18.04 - Multiple Vendor Anti-Virus Software Detection 
Evasion Vulnerability


Detail
====== 

Remote exploitation of an exceptional condition error in multiple vendors' anti-virus 
software allows attackers to bypass security protections by evading virus detection.
The problem specifically exists in the parsing of .zip archive headers. The .zip file 
format stores information about compressed files in two locations - a local header and 
a global header. The local header exists just before the compressed data of each file, 
and the global header exists at the end of the .zip archive. It is possible to modify 
the uncompressed size of archived files in both the local and global header without 
affecting functionality. This has been confirmed with both WinZip and Microsoft 
Compressed Folders. An attacker can compress a malicious payload and evade detection 
by some anti-virus software by modifying the uncompressed size within the local and 
global headers to zero.
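As an added example that is not part of the UNIRAS briefing or the iDEFENSE advisory, the following Python script parses the two header locations the Detail section describes (the per-file local header, and the "global header", which the .zip specification calls the central directory) and flags archives whose declared uncompressed size is zero while compressed data is present. It goes a step beyond the advisory: it also reports entries whose local and central size fields disagree, and it inflates each entry independently and compares the result with the declared size and CRC-32, which is the check an archive scanner needs so that a forged size field cannot short-circuit scanning. The sample archive it builds contains benign text and is constructed here; the field offsets (22 within the local header, 24 within the central directory entry) follow the .zip format, and the single-disk, non-ZIP64 layout is an assumption.

```python
import io
import struct
import zipfile
import zlib

# Fixed-size header layouts from the .zip format (all fields little-endian).
LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"          # 30-byte local file header
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"  # 46-byte central directory entry
EOCD_FMT = "<4sHHHHIIH"              # 22-byte end-of-central-directory record
FLAG_DATA_DESCRIPTOR = 0x0008        # sizes legitimately deferred to a trailing descriptor


def parse_central_directory(data):
    """Walk the central directory ("global header") and return one dict per entry."""
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd_pos)
    entries, pos = [], cd_offset
    for _ in range(total):
        (sig, _, _, flags, method, _, _, crc, csize, usize,
         nlen, xlen, clen, _, _, _, local_offset) = struct.unpack_from(CENTRAL_FMT, data, pos)
        if sig != CENTRAL_SIG:
            raise ValueError("central directory corrupt at offset %d" % pos)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append(dict(name=name, flags=flags, method=method, crc=crc, csize=csize,
                            usize=usize, local_offset=local_offset, cd_pos=pos))
        pos += 46 + nlen + xlen + clen
    return entries


def parse_local_header(data, offset):
    """Parse the local file header that sits just before one entry's compressed data."""
    (sig, _, flags, method, _, _, crc, csize, usize,
     nlen, xlen) = struct.unpack_from(LOCAL_FMT, data, offset)
    if sig != LOCAL_SIG:
        raise ValueError("local header missing at offset %d" % offset)
    return dict(flags=flags, method=method, crc=crc, csize=csize, usize=usize,
                data_start=offset + 30 + nlen + xlen)


def audit_zip(data):
    """Return a list of (entry name, reason) findings; an empty list means the headers are consistent."""
    findings = []
    for ce in parse_central_directory(data):
        lh = parse_local_header(data, ce["local_offset"])
        deferred = bool(lh["flags"] & FLAG_DATA_DESCRIPTOR)
        if not deferred and lh["usize"] != ce["usize"]:
            findings.append((ce["name"], "local and central uncompressed sizes disagree"))
        if ce["csize"] > 0 and ce["usize"] == 0:
            findings.append((ce["name"], "uncompressed size is zero but compressed data is present"))
        raw = data[lh["data_start"]:lh["data_start"] + ce["csize"]]
        # Inflate independently instead of trusting the declared size.
        if ce["method"] == 8:      # deflate (raw stream, no zlib wrapper)
            try:
                actual = zlib.decompress(raw, -15)
            except zlib.error:
                findings.append((ce["name"], "compressed data does not inflate"))
                continue
        elif ce["method"] == 0:    # stored
            actual = raw
        else:
            findings.append((ce["name"], "unsupported compression method %d" % ce["method"]))
            continue
        if len(actual) != ce["usize"]:
            findings.append((ce["name"], "declared %d bytes, inflated to %d" % (ce["usize"], len(actual))))
        if zlib.crc32(actual) != ce["crc"]:
            findings.append((ce["name"], "CRC-32 mismatch"))
    return findings


def build_sample(tamper=False):
    """Constructed sample: a one-file archive of benign text; optionally zero both size fields."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.txt", b"benign sample text, constructed for this example\n")
    data = bytearray(buf.getvalue())
    if tamper:
        for ce in parse_central_directory(bytes(data)):
            struct.pack_into("<I", data, ce["local_offset"] + 22, 0)  # local header size field
            struct.pack_into("<I", data, ce["cd_pos"] + 24, 0)        # central directory size field
    return bytes(data)


if __name__ == "__main__":
    for label, archive in (("clean", build_sample()), ("tampered", build_sample(tamper=True))):
        print(label, audit_zip(archive) or "headers consistent")
```

The data-descriptor flag (bit 3) matters for the first check: an archive written to a non-seekable stream legitimately carries zeros in the local header and records the true sizes in a trailing descriptor and in the central directory, so the script only compares the two headers when that flag is clear, and it always falls back to inflating the data itself rather than believing either declared size.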



- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                       
                    iDEFENSE Security Advisory 10.18.04
    Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability
                              19 October 2004

===========================================================================

        

Product:                McAfee Antivirus
                        Computer Associates Antivirus
                        Kaspersky Antivirus
                        Sophos Antivirus
                        Eset Antivirus
                        RAV
Publisher:              iDEFENSE
Impact:                 Reduced Security
Access:                 Remote/Unauthenticated
CVE Names:              CAN-2004-0937 CAN-2004-0936 CAN-2004-0935
                        CAN-2004-0934 CAN-2004-0933 CAN-2004-0932
Original Bulletin URL:  http://www.idefense.com/application/poi/display?id=153

- - --------------------------BEGIN INCLUDED TEXT--------------------

Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability

iDEFENSE Security Advisory 10.18.04 
www.idefense.com/application/poi/display?id=153&type=vulnerabilities
October 18, 2004

I. BACKGROUND

This vulnerability affects multiple anti-virus vendors including McAfee, 
Computer Associates, Kaspersky, Sophos, Eset and RAV.

II. DESCRIPTION

Remote exploitation of an exceptional condition error in multiple vendors' 
anti-virus software allows attackers to bypass security protections by evading 
virus detection.

The problem specifically exists in the parsing of .zip archive headers. The .zip 
file format stores information about compressed files in two locations - a local 
header and a global header. The local header exists just before the compressed 
data of each file, and the global header exists at the end of the .zip archive. 
It is possible to modify the uncompressed size of archived files in both the local 
and global header without affecting functionality. This has been confirmed with 
both WinZip and Microsoft Compressed Folders. An attacker can compress a malicious 
payload and evade detection by some anti-virus software by modifying the uncompressed 
size within the local and global headers to zero.

III. ANALYSIS

Successful exploitation allows remote attackers to pass malicious payloads within a 
compressed archive to a target without being detected. Most anti-virus engines have 
the ability to scan content packaged within compressed archives. As such, users with 
up-to-date anti-virus software are more likely to open attachments and files if they 
are under the false impression that the archive was already scanned and found not to 
contain a virus.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in the latest versions 
of the engines provided by McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV. 
The Vendor Responses section of this advisory contains details on the status of specific 
vendor fixes for this issue.

iDEFENSE has confirmed that the latest versions of the engines provided by Symantec, 
Bitdefender, Trend Micro and Panda are not vulnerable.

V. WORKAROUND

Filter all compressed file archives (.zip) at border gateways, regardless of content.

VI. VENDOR RESPONSES

McAfee
- - ------
"The McAfee scan engine has always been a market leader in detection of viruses, worms 
and Trojans within compressed and archived file formats. As such the mechanism used for 
the detection of such payloads has been designed to ensure all archive files are 
thoroughly scanned at each nested level in the file to ensure that all appropriate parts 
of the file are scanned.

McAfee is aware of a proof of concept exploitation in Zip archive payloads where 
information in the local header part of the archive is modified.

The local header exists just before the compressed data of each file. It is possible 
to modify the uncompressed size of archived files in the local header without affecting 
functionality.  Consequently there is the potential for a malicious payload to be hidden 
and avoid anti-virus detection by modifying the uncompressed size within the local headers 
to zero.

The techniques used by McAfee to analyze Zip archives have allowed a comprehensive solution 
for the Zip file format vulnerability to be provided to protect customers.

The latest update for the current 4320 McAfee Anti-Virus Engine DATS drivers 
(Version 4398 released on Oct 13th 2004) further enhances the protection afforded to 
McAfee customers against such potential exploits.

A DATS Driver update issued in Version 4397 (October 6th 2004) provided early protection 
for the same potential exploit targeted specifically for Gateway and Command line scanning.

If a detection of this type of exploit is found it will trigger the 
message "Found the Exploit-Zip Trojan!" to be displayed.

Updates for the DAT files mentioned above can be located at the following links:

Home (Retail) Users: http://download.mcafee.com/uk/updates/updates.asp

Business (Enterprise) Users: http://www.mcafeesecurity.com/uk/downloads/updates/dat.asp?id=1

It should be noted that whilst McAfee take the potential for this exploit to be used 
maliciously seriously, to date no evidence of such an exploit has been discovered. 
McAfee has provided additional protection through the DATS driver update; however, with 
usage of the comprehensive suite of anti-virus protection strategies provided by McAfee 
products, McAfee are confident that this exploit presented no additional threat to its 
customers.

It should be noted that with McAfee on-access scanning active, such modification for 
malicious purposes to hide payloads only delays eventual detection - McAfee on-access 
detection will detect any payload with malicious intent as malware.

McAfee continues to focus on ensuring that customers receive maximum protection and 
provide a rapid response to all potential vulnerabilities thus ensuring customer satisfaction."

Computer Associates
- - -------------------
"With the assistance of iDEFENSE, Computer Associates has identified a medium-risk 
vulnerability in a shared component of eTrust Antivirus which may allow a specially crafted 
.ZIP file to bypass virus detection. A number of CA products embed this technology including 
solutions from eTrust, Brightstor and others.

Customers are encouraged to visit the CA support web site below for more information about 
this vulnerability, a list of products and platforms that are affected, and remediation 
procedures. http://supportconnectw.ca.com/public/ca_common_docs/arclib_vuln.asp.

At Computer Associates, every reported exposure is handled with the utmost urgency. 
We strive to ensure that no customer is left in a vulnerable situation."

Kaspersky
- - ---------
(09/24/2004)
"...this bug for scanners based on 3.x-4.x engines will be fixed in next (not current) 
cumulative update.

For scanners based on the new 5.0 engine we recommend waiting for the release of our next 
maintenance pack. We are going to release it in October."

Sophos
- - ------
No vendor statement provided

Eset
- - ----
"The vulnerability was caused by the fact that some archive compression/decompression 
software (including Winzip) incorrectly handles compressed files with deliberately 
damaged header fields, thus, in fact, allowing creation of damaged archive files 
that could be automatically repaired on the victim's computer without notifying the user.

Eset has made appropriate modifications to archive-scanning code to handle such 
archives immediately after receiving notification from iDEFENSE. These changes are 
contained in archive-support module version 1.020, released on 16th September 2004 at 
21:00 CET. The update was available for all clients with Automatic Virus-Signatures Update set."

RAV
- - ---
No vendor response

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the following 
names to these issues:

CAN-2004-0932 - McAfee
CAN-2004-0933 - Computer Associates
CAN-2004-0934 - Kaspersky
CAN-2004-0937 - Sophos
CAN-2004-0935 - Eset
CAN-2004-0936 - RAV

These are candidates for inclusion in the CVE list (http://cve.mitre.org), 
which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

09/16/2004  Initial vendor notification
09/16/2004  iDEFENSE clients notified
10/18/2004  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may 
not be edited in any way without the express written consent of iDEFENSE. If you 
wish to reprint the whole or any part of this alert in any other medium other 
than electronically, please email customerservice@xxxxxxxxxxxx for permission.

Disclaimer: The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use of the information 
constitutes acceptance for use in an AS IS condition. There are no warranties with 
regard to this information. Neither the author nor the publisher accepts any 
liability for any direct, indirect, or consequential loss or damage arising from 
use of, or reliance on, this information.

- - --------------------------END INCLUDED TEXT--------------------



iQCVAwUBQXRpIih9+71yA2DNAQLFngP+OgpYpQFpHwbBkNeQexYQ3ARazkOWvAdo
Jc4umPhNr8YDTL6L2NBPoL/DCEtpK7TLRunYkmqZNhvCkABinn42YHefT19nW8hh
KkLDi4c/rJ3mcpSoFYFUGznGVsryaG9vFHliA/ZFrNocAl/d8lBShx1m3JHjGOrG
DZmCPZ6IWZk=
=0gN4
- -----END PGP SIGNATURE-----


- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of iDEFENSE for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQXToxIpao72zK539AQFDMQQApdjbJ9Yj0Xc76Ud+38pAlZKrqnvFbGZM
aU/26t1Ndt+bWDNWESAO9TrFtHvgF29sw6KWOyrhkP6MroWuf0tcVfRdu+4QVbmq
j1UxnsJTS67f10GcfS2KCYkwzfJYLmkRTugXjpcYNRu0pKHShBSzx6yvv3+/xkUQ
Mnhx+PiGXsc=
=F6fN
-----END PGP SIGNATURE-----