
Introduction :
"ZangoCash (formerly LOUDcash) is recognized around the world as one of the best pay-per-install affiliate programs on the Internet. ZangoCash is a subsidiary of 180solutions which also includes Zango and MetricsDirect . Every day, 7,500-10,000 ZangoCash affiliates distribute our software to users who are then connected with more than 6,000 MetricsDirect advertisers."

Details :

After the License Agreement has been acknowledged, during startup, the bundled EXE contacts several servers and downloads the required adware components. The downloaded components are checked for neither integrity nor authenticity and are executed as soon as they are downloaded.

The following procedures are exploitable:

  1. Initial Install
  2. Auto-Update function

The condition is exploitable in the following scenarios:

  1. You have legitimate control over the DNS server
  2. You have compromised a DNS server
  3. You forge a cache poisoning attack against a vulnerable DNS server
  4. You have access to the machine and change the hosts file

Redirecting static.zangocash.com to an IP address under your control and creating the respective virtual host allows you to install any type of executable on the machine where Zango is being installed or is currently installed.


Release mode: Forced release, vendor has not replied.
Ref : TZO-112009 - Fortinet Generic Evasion
Vendor : http://www.fortinet.com
Security notification reaction rating : Catastrophic

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html


Affected products :
- t.b.a (Vendor has not reacted, please see below)

As this bug has not been reproduced by the vendor, this limited advisory relies on the assumption that my tests were conclusive and that the test environment mimics the production environment.

I. Background

Quote: "Fortinet is a leading provider of network security appliances and the leader of the unified threat management (UTM) market worldwide. Fortinet's award-winning portfolio of security gateways, subscription services, and complementary products delivers the highest level of network, content, and application security for enterprises of all sizes, managed service providers, and telecommunications carriers, while reducing total cost of ownership and providing a flexible, scalable path for expansion. "


II. Description
The parsing engine can be bypassed by a specially crafted and formatted archive file. Details are currently withheld because other vendors are in the process of deploying patches.

A professional reaction to a vulnerability notification is a way to measure the maturity of a vendor in terms of security. Fortinet is given a grace period of two (2) weeks to reply to my notification. Failure to do so will result in the POC being released in two (2) weeks.
Fortinet (as well as others) is advised to list a specific security contact at [1] in order to simplify getting in contact with them.

As this bug has not been reproduced by the vendor, this limited advisory relies on the assumption that my tests were conclusive.

III. Impact
A general description of the impact and nature of AV bypasses/evasions can be read at: http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect code within the archive. There is no inspection of the content at all.


IV. Disclosure time line

  • 09/03/2009 : Sent proof of concept, a description of the terms under which I cooperate and the planned disclosure date. There is no security address listed at [1], hence the industry standard security contact addresses secure@ and security@ were used.

    No reply.
  • 14/03/2009 : Resent, specifying this is the last attempt to disclose responsibly.

    No reply.
  • 15/04/2009 : Fortinet published advisories for third party vendors with the address dontreply-secresearch@fortinet.com, used secresearch@fortinet.com to resend advisory.

    No reply.
  • 17/04/2009 : Last attempt to contact, information sent to info@foritnet.com

    No reply as of the time of publishing.
  • 17/04/2009 : Release of this advisory and beginning of the grace period.

  • 17/04/2009 : Fortinet replied instantly, investigation ongoing.

[1] http://osvdb.org/vendor/1/Fortinet%20Inc_


Release mode: Coordinated but limited disclosure.
Ref : TZO-092009 - Nod32 Evasion RAR
Vendor : http://www.eset.com/
Security notification reaction rating : Good enough
Notification to patch window : 14 days


Interesting background statistics:
Time required to coordinate disclosure and write the advisory: 2.5 hours
Time required to find the bug : 25 minutes

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
  • ESET Smart Security 4 (before 15/04/2009)
  • ESET NOD32 Antivirus 4 (before 15/04/2009)
  • ESET Smart Security 4 Business Edition (before 15/04/2009)
  • ESET NOD32 Antivirus 4 Business Edition (before 15/04/2009)
  • ESET NOD32 Antivirus for Exchange Server (before 15/04/2009)
  • ESET Mail Security (before 15/04/2009)
  • ESET NOD32 Antivirus for Lotus Domino Server (before 15/04/2009)
  • ESET File Security (before 15/04/2009)
  • ESET Novell Netware (before 15/04/2009)
  • ESET DELL STORAGE SERVERS (before 15/04/2009)
  • ESET NOD32 Antivirus for Linux gateway devices (before 15/04/2009)
  • Command line version : NOD32 prior to 3.0.677

I. Background

Quote: "ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET NOD32® Antivirus, is the flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security."
http://www.eset.com/products/eset_performance_advantages.php


II. Description

The parsing engine can be bypassed by a specially crafted and formatted RAR archive. Details are currently withheld because other vendors are in the process of deploying patches.

III. Impact

A general description of the impact and nature of AV Bypasses/evasions can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect code within the RAR archive. There is no inspection of the content at all.


IV. Disclosure timeline

  • 04/04/2009 : Sent proof of concept, a description of the terms under which I cooperate and the planned disclosure date

    No reply.
  • 09/04/2009 : Resent notification with an indication that this will be the last attempt to responsibly disclose.

  • 09/04/2009 : Eset acknowledges receipt and previous receipt and apologises for not being able to answer due to an internal miscommunication. Patch will be deployed on the 15th of April.


Release mode: Forced release, vendor has not replied.
Ref : TZO-092009 - AVAST Generic Evasion
Vendor : http://www.avast.com

Security notification reaction rating : Catastrophic - once woken up: OK

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :

- Known engine versions affected: prior to and after VPS:090409-0

Update : After the reaction from avast, it is clear that all versions and products are affected; however, there is no plan to patch. I recommend that existing customers that care about their overall security posture (enterprise) contact avast and ask for a patch. You are encouraged to read the timeline and draw your own conclusions.

Desktop Protection
  • avast! 4 Professional (impact low, reason real-time protection)
  • avast! 4 Home Edition (impact low, reason real-time protection)
  • avast! Pro Family pack (impact low, reason real-time protection)
  • avast! WHS Edition (impact low, reason real-time protection)
  • avast! Mac Edition (impact unknown)
  • avast! Linux Home Edition (impact unknown)
  • avast! U3 Edition (impact unknown)
  • avast! 4 BART CD (impact unknown)
  • avast! for PDA (impact unknown)
Corporate Protection
  • avast! 4 Server Edition (impact high, complete bypass)
  • avast! 4 Server Edition Plug-ins
  • avast! 4 Exchange Server Edition (impact high, complete bypass)
  • avast! 4 ISA Server Edition (impact high, complete bypass)
  • avast! 4 SharePoint Server Edition (impact high, complete bypass)
  • avast! 4 SMTP Server Edition (impact high, complete bypass)
  • avast! 4 Lotus Domino Edition (impact high, complete bypass)
  • avast! Distributed Network Manager (impact high, complete bypass)
  • avast! 4 Professional (impact unknown)
  • avast! 4 BART CD (impact unknown)
  • avast! for Linux/Unix Server (impact high, complete bypass)
  • avast! for PDA (impact unknown)
  • Net.Purum (impact unknown)
OEM
  • Copperfasten - Mail Firewall Appliance
  • TN North Software - Internet Anywhere eMailServer
  • IceWarp Software - Merak Email Server
  • SmartMax Software, Inc. - MailMax Server
  • NetWin Software - SurgeMail Email Server
  • Hexamail Ltd. - Hexamail Guard - Antivirus option
  • Bains Digital - Defender MX

I. Background

Quote: "Comprehensive network security solution for corporate customers certified and tested by ICSA and Checkmark. It provides complete server and desktop virus protection."


II. Description

The parsing engine can be bypassed by a specially crafted and formatted RAR archive. Details are currently withheld.


III. Impact
A general description of the impact and nature of AV Bypasses/evasions can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect code within the RAR archive. There is no inspection of the content at all.


IV. Disclosure timeline
  • 14/03/2009 : Sent proof of concept, a description of the terms under which I cooperate and the planned disclosure date. There is no security address listed at [1], hence the industry standard security contact addresses secure@ and security@ were used: secure@avast.de, secure@alwil.com, security@alwil.com, security@avast.de, security@avast.com

    No reply.
  • 10/04/2009 : Resent, specifying this is the last attempt to disclose responsibly. This time two known contact addresses that were previously used to report vulnerabilities were used: secalert@avast.com, vlk@avast.com

    No reply.

  • 17/04/2009 : Release of this advisory and begin of grace period.

  • 17/04/2009 : Avast replies quoting the mail sent on 14/03/2009 and claims that this is a non-issue because the POC would not correctly decompress.

  • 17/04/2009 : Replied that the POC works as expected and asked why there has been no reaction to previous notifications.

    No reply.

  • 20/04/2009 : Asked for patch timeline and affected versions

  • 20/04/2009: Avast replies that all versions and all product ranges are affected, however "There's currently no plan to release a special patch for this as our risk assessment makes it a very low priority issue."
Addendum :
It is the responsibility of the vendor to make sure security addresses are available, known and communicated. Addresses given by avast simply bounce:
  • For secure@avast.com, [Site (avast.com/195.47.75.55) said: 550 5.1.1 secure@avast.com... User unknown]
  • For secalert@avast.com, [Site (avast.com/195.47.75.55) said: 550 5.1.1 secalert@avast.com... User unknown]
Avast is surely able to assess their *business risk*, i.e. the risk of losing customers and money; however, I doubt avast can assess the entire cumulated risk of their customers that run avast code in specific environments. What should matter to Avast is the impact it has on their application. The primary goal of an AV application is to detect malicious code; if this can be easily and comfortably evaded, they are not that useful any more on gateways, are they? A bug should not be rated by its technical aspects or how hard it is to find, but should be rated by its impact, case by case.


[1] http://osvdb.org/vendor/1/ALWIL%20Software


Release mode: Coordinated but limited disclosure.
Ref         : TZO-082009 - Bitdefender Evasion CAB
Vendor      : http://www.bitdefender.com       
Security notification reaction rating : Good
Notification to patch time window : 1 day (!)

Interesting background statistics:
Time required to coordinate disclosure and write the advisory : 2 hours
Time required to find the bug : 10 minutes

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :

- Bitdefender Antivirus 2009 (pre update 13/04/2009)
- Bitdefender Internet Security 2009 (pre update 13/04/2009)
- Bitdefender Total Security 2009 (pre update 13/04/2009)
- Bitdefender Small Office Security (pre update 13/04/2009)
- Bitdefender for Fileservers (pre update 13/04/2009)
- Bitdefender for Samba (pre update 13/04/2009)
- Bitdefender for Sharepoint (pre update 13/04/2009)
- Bitdefender Security for Exchange (pre update 13/04/2009)
- Bitdefender Security for Mailservers (pre update 13/04/2009)
- Bitdefender for ISA Servers (pre update 13/04/2009)
- Bitdefender Client security (pre update 13/04/2009)

Bundles:
- BitDefender Business Security (pre update 13/04/2009)
- Bitdefender Antivirus for Unices (pre update 13/04/2009)
- Bitdefender Corporate Security (pre update 13/04/2009)
- Bitdefender SBS Security (pre update 13/04/2009)

I. Background
Quote: "BitDefender™ provides security solutions to satisfy the protection requirements of today's computing environment, delivering effective threat management for over 41 million home and corporate users in more than 100 countries. BitDefender, a division of SOFTWIN, is headquartered in Bucharest, Romania and has offices in Tettnang, Germany, Barcelona, United Kingdom, Denmark, Spain and Fort Lauderdale (FL), USA."

II. Description
The parsing engine can be bypassed by a specially crafted and formatted CAB archive. Details are currently withheld because other vendors are in the process of deploying patches.

III. Impact

A general description of the impact and nature of AV Bypasses/evasions can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect code within the CAB archive. There is no inspection of the content at all.


IV. Disclosure time line
  • 13/04/2009 : Sent proof of concept, a description of the terms under which I cooperate and the planned disclosure date

  • 14/04/2009 : Bitdefender responds that the problem was fixed by an automatic update on 13/04/2009

  • 16/04/2009 : Asked which product lines and versions have been affected and for a CVE number.

  • 15/04/2009 : Bitdefender states that "All our products are affected by this problem. We don't have a CVE number".

  • 17/04/2009 : Release of this advisory


Release mode: Coordinated.
Ref         : TZO-07-2009 Fprot ZIP Method Evasion
WWW         : http://blog.zoller.lu/
Vendor      : http://www.f-prot.com
Security notification reaction rating : Mediocre-Poor


This bug was reported 4 years ago [1] to FRISK; the response at that time was that "a fix for this bug will be included in future versions of F-Prot Antivirus". Fast forward 4 years and the same error still allows bypassing the engine.

[1] CVE-2005-3499
http://www.zoller.lu/research/fprot.htm
http://web.nvd.nist.gov/view/vuln/detail?execution=e3s1

Considering this and the reaction from FRISK, I am unsure how serious FRISK is about the security of their clients.

Affected products :
All F-Prot versions currently in use; the vendor supplies no patch for the current release. The vendor (FRISK) considers this problem too low priority to patch in the current release and to notify clients. To put this in perspective, rendering F-Prot scanning on gateway solutions completely useless (for certain archive types) is low priority for FRISK.

If you are a FRISK customer and concerned about security I would recommend calling support and asking for a patch. NB: if you are using F-Prot locally and with on-access scans you are not affected.
 
Products (with impact details) :

  • F-PROT AVES (High: complete bypass of engine)
  • F-PROT Antivirus for Windows (unknown)
  • F-PROT Antivirus for Windows on Mail Servers : (High: complete bypass of engine) 
  • F-PROT Antivirus for Exchange (High: complete bypass of engine)
  • F-PROT Antivirus for Linux x86 Mail Servers : (High: complete bypass of engine)
  • F-PROT Antivirus for Linux x86 File Servers : (High: complete bypass of engine)
  • F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete bypass of engine)
  • F-PROT Milter - for example sendmail (High: complete bypass of engine)
  • F-PROT Antivirus for Linux on IBM zSeries (S/390) (High: complete bypass of engine)
  • F-Prot Antivirus for Linux x86 Workstations (unknown)

About this advisory
I used to not report bugs publicly where a vendor either has not reacted to my notifications or silently patched. I also did not publish low hanging fruits as they make you look silly in the eyes of your peers.

Over the past years I had the chance to audit and test a lot of critical infrastructures that, amongst other things, relied on security products (and on security notifications from vendors) and have witnessed various ways of setting up your defenses that make some bugs critical that you'd consider low at first glance. I came to the conclusion that most bugs deserve disclosure.

Please see "Common misconceptions" for more information.

I. Background
FRISK Software International, established in 1993, is one of the world's leading companies in antivirus research and product development. FRISK Software produces the hugely popular F-Prot Antivirus product range offering unrivalled heuristic detection capabilities. In addition to this, the F-Prot AVES managed online email security service filters away the nuisance of spam email as well as viruses, worms and other malware that increasingly clog up inboxes and threaten data security.

II. Description
The parsing engine can be bypassed by manipulating the ZIP Method field. It is as easy as opening a ZIP file in an editor and typing a number greater than 15. Basically, F-Prot looks at the Method field, which indicates what method was used to compress the archive, and decides that it will not extract and inspect the data within.
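Added example (Python, not F-Prot's code): a fail-closed check a gateway could run on the ZIP headers before trusting a scan engine's verdict. It reads the Method field from both the local file headers and the central directory (going beyond the single field the text mentions), treats any method outside the set the engine can unpack as unscannable rather than clean, and builds a constructed sample archive, once untouched and once with the Method field rewritten to 42, to show the two verdicts.

```python
"""Fail-closed ZIP inspection for a scanning gateway (added example)."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

# Methods this (hypothetical) engine can actually decompress; everything
# else is opaque to it. 0 = stored, 8 = deflate (PKWARE APPNOTE values).
SUPPORTED_METHODS = {0, 8}


def iter_local_headers(data):
    """Yield (offset, name, method) for each local file header, walking the
    archive sequentially the way a streaming scanner would."""
    pos = 0
    while True:
        pos = data.find(LOCAL_SIG, pos)
        if pos < 0:
            return
        method = struct.unpack_from("<H", data, pos + 8)[0]
        csize = struct.unpack_from("<I", data, pos + 18)[0]
        nlen, xlen = struct.unpack_from("<HH", data, pos + 26)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        yield pos, name, method
        pos += 30 + nlen + xlen + csize  # skip the member's compressed bytes


def iter_central_entries(data):
    """Yield (name, method, local_header_offset) from the central directory,
    located through the end-of-central-directory record."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_offset
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("central directory corrupt at offset %d" % pos)
        method = struct.unpack_from("<H", data, pos + 10)[0]
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        yield name, method, local_off
        pos += 46 + nlen + xlen + clen


def gateway_verdict(data):
    """Return (verdict, findings). 'SCANNABLE' only when every entry, in both
    the local headers and the central directory, uses a supported method and
    the two views agree; anything else is 'UNSCANNABLE' for policy handling
    (quarantine, strip, or notify) instead of a silent pass."""
    findings = []
    local = {off: (name, m) for off, name, m in iter_local_headers(data)}
    for name, method, off in iter_central_entries(data):
        if method not in SUPPORTED_METHODS:
            findings.append("central: %s uses method %d" % (name, method))
        lname, lmethod = local.get(off, (None, None))
        if lmethod is None:
            findings.append("central: %s points at no local header" % name)
        elif lmethod not in SUPPORTED_METHODS:
            findings.append("local: %s uses method %d" % (lname, lmethod))
        elif lmethod != method:
            findings.append("mismatch: %s local=%d central=%d" % (name, lmethod, method))
    return ("UNSCANNABLE" if findings else "SCANNABLE"), findings


def build_sample(method_override=None):
    """Constructed test archive: one deflated text member. With
    method_override set, the Method field in both the local header and the
    central directory is rewritten, mirroring the editor change the advisory
    describes; the payload itself is untouched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello gateway " * 20)
    data = bytearray(buf.getvalue())
    if method_override is not None:
        struct.pack_into("<H", data, data.find(LOCAL_SIG) + 8, method_override)
        struct.pack_into("<H", data, data.find(CENTRAL_SIG) + 10, method_override)
    return bytes(data)


if __name__ == "__main__":
    for label, blob in (("clean", build_sample()), ("method=42", build_sample(42))):
        verdict, findings = gateway_verdict(blob)
        print(label, verdict, findings)
```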

III. Impact

The bug results in denying the engine the possibility to inspect code within the ZIP archive. While the impact might be low client-side (as code is inspected upon extraction by the user), the impact for gateways or AV infrastructure where the archive is not extracted is considerable. There is no inspection of the content at all; prior disclosures therefore referred to this class of bugs as Denial of Service (you deny the service of the scan engine for that file), however I chose to stick to the terms evasion/bypass, being the primary impact of these types of bugs.

PS. I am aware that there are hundreds of ways to bypass; that however doesn't make it less of a problem. I am waiting for the day where the first worm uses these techniques to stay undetected over a longer period of time, as depending on the evasion a kernel update (engine update) is necessary and sig updates do not suffice. This results in a longer window of exposure - at least for GW solutions. *Must make Conficker reference here*

IV. Common misconceptions about this "bug class"
  • This has the same effect as adding a password to a ZIP file
The scanner denotes files that are password-protected; an example is an e-mail gateway scanner that adds "Attachment not scanned" to the subject line or otherwise indicates that the file was not scanned. This is not the case with bypasses: in most cases the engine has not inspected the content at all or has inspected it in a different way. Additionally, password-protected archive files are easily filterable by a content policy, allowing or denying them.
  • This is only an issue with gateway products
Every environment where the archive is not actively extracted by the end-user is affected, for example fileservers, databases etc. Over the years I saw the strangest environments that were affected by this type of "bug". My position is that customers deserve better security than this.
  • Behavioral analysis will catch this?
No, the content is unreadable to the AV engine; as such no inspection whatsoever is possible.
  • Evasions are the Cross Site Scripting of file format bugs
Yes.

V. Disclosure timeline

  • 23/03/2009 : Sent proof of concept, a description of the terms under which I cooperate and the planned disclosure date (02/04/2009)
  • 26/03/2009 : Technical Support responds: "The fix for this was minor, with virtually no potential for side effects - so it was added to the current development branch for engine version 4.5 - being low-priority, it will not be added to the 4.4 branch. In other words, the fix will be included in the next engine released."
  • 26/03/2009 : Replied that the bug is 4 years old, that risk assessment is to be done by the client using the engine one way or the other, and asked for the location of the advisory or credit

    No reply.

  • 27/03/2009 : Resent.

    No reply.

No further coordination attempts will be made with FRISK in the future should they not revisit their position on security notification and response practices.


Release mode: Forced disclosure, no answer from vendor.
Ref         : TZO-04-2009-IBM Proventia
WWW         : http://blog.zoller.lu/
Vendor      : http://www.ibm.com
Security notification reaction rating : Catastrophic (see Timeline)

Affected products : IBM Proventia engine (minimum 4.9.0.0.44 20081231 Official Release); other products using the engine are likely to be affected too. As IBM has not cooperated in any way and I have better things to do than test IBM products for free, I cannot state all affected products; if you are an IBM/ISS customer please call IBM support and request more details.

About this advisory
I used to not report bugs publicly where a vendor either has not reacted to my notifications or silently patched. I also did not publish low hanging fruits as they make you look silly in the eyes of your peers.

Over the past years I had the chance to audit and test a lot of critical infrastructures that, amongst other things, relied on security products (and on security notifications from vendors) and have witnessed various ways of setting up your defenses that make some bugs critical that you'd consider low at first glance. I came to the conclusion that most bugs deserve disclosure.

Please see "Common misconceptions" for more information.

I. Background
IBM Internet Security Systems (ISS) offers a comprehensive portfolio of IT security products and services for organizations of all sizes.

IBM Proventia Network Mail Security System and IBM Proventia Network Mail Security System Virtual Appliance provide spam control and preemptive protection for your messaging infrastructure.

Proventia Network Mail is the only email security solution equipped with the IBM Intrusion Prevention System (IPS) engine and a behavioral genotype (SIC!) anti-virus technology, along with remote malware detection and Sophos signature-based anti-virus.

II. Description
The parsing engine can be bypassed by manipulating a RAR archive in a "certain way" so that the IBM engine cannot extract the content but the end user can. Details are currently withheld (see below).

A professional reaction to a vulnerability notification is a way to measure the maturity of a vendor in terms of security. IBM is given a grace period of two (2) weeks to reply to my notification. Failure to do so will result in the POC being released in two (2) weeks. If IBM is not aware of how to deal with security notifications, I recommend they read my security notification response draft on how to do so at http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

As this bug has not been reproduced by the vendor, this advisory relies on the assumption that my tests were conclusive.

III. Impact
The bug results in denying the engine the possibility to inspect code within the RAR archive. While the impact might be low client-side (as code is inspected upon extraction by the user), the impact for gateways or AV infrastructure where the archive is not extracted is considerable. There is no inspection of the content at all; prior disclosures therefore referred to this class of bugs as Denial of Service (you deny the service of the scan engine for that file), however I chose to stick to the terms evasion/bypass, being the primary impact of these types of bugs.

Below is the simplified logic of an AV engine (Source: F-Secure - Link); as shown, the logic breaks once the file can't be extracted.



PS. I am aware that there are hundreds of ways to bypass; that however doesn't make it less of a problem. I am waiting for the day where the first worm uses these techniques to stay undetected over a longer period of time, as depending on the evasion a kernel update (engine update) is necessary and sig updates do not suffice. This results in a longer window of exposure - at least for GW solutions. *Must make Conficker reference here*


IV. Common misconceptions about this "bug class"
  • This has the same effect as adding a password to a ZIP file
The scanner denotes files that are password-protected; an example is an e-mail gateway scanner that adds "Attachment not scanned" to the subject line or otherwise indicates that the file was not scanned. This is not the case with bypasses: in most cases the engine has not inspected the content at all or has inspected it in a different way. Additionally, password-protected archive files are easily filterable by a content policy, allowing or denying them.
  • This is only an issue with gateway products
Every environment where the archive is not actively extracted by the end-user is affected, for example fileservers, databases etc. Over the years I saw the strangest environments that were affected by this type of "bug". My position is that customers deserve better security than this.
  • Behavioral analysis will catch this?
No, the content is unreadable to the AV engine; as such no inspection whatsoever is possible.
  • Evasions are the Cross Site Scripting of file format bugs
Yes.

V. Disclosure timeline

IBM was sent two POC files, an explanation and the disclosure terms (http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html)

  • 09/03/2009 : Sent proof of concept, a description of the terms under which I cooperate and the planned disclosure date (23/03/2009). Note: the security contact address listed in OSVDB was used.

    No reply.

  • 13/03/2009 : Resent email indicating this is the last attempt to coordinate disclosure

    No reply.

  • 23/03/2009 : Sent another report and a second POC

    No reply.
  • 02/04/2009 : Publication of a limited detail advisory, grace period of 2 weeks given to IBM prior to full detail advisory.

  • 02/04/2009 : IBM contact is made, proof of concept sent again
     
  • 03/04/2009 : IBM responds that the issue is under investigation


Generic ClamAV archive evasion

Release mode: Coordinated but limited disclosure.
Ref : TZO-05-2009-ClamAV Evasion
Vendor : http://www.clamav.net & http://www.sourcefire.com/products/clamav
Security notification reaction rating : Good


Affected products :
  • ClamAV below 0.95
  • Includes Mac OS X Server, IBM Secure E-mail Express Solution for System and lots of mail appliances. http://www.clamav.net/about/who-use-clamav/

About this advisory
I used to not report bugs publicly where a vendor either has not reacted to my notifications or silently patched. I also did not publish low hanging fruits as they make you look silly in the eyes of your peers.

Over the past years I had the chance to audit and test a lot of critical infrastructures that, amongst other things, relied on security products (and on security notifications from vendors) and have witnessed various ways of setting up your defenses that make some bugs critical that you'd consider low at first glance. I came to the conclusion that most bugs deserve disclosure.

Please see "Common misconceptions" for more information.

I. Background
Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates. The core of the package is an anti-virus engine available in the form of a shared library.

II. Description
The parsing engine can be bypassed by manipulating a RAR archive in a "certain way" so that the ClamAV engine cannot extract the content but the end user can. Details are currently withheld (thanks to IBM).

III. Impact
The bug results in denying the engine the possibility to inspect code within the RAR archive. While the impact might be low client-side (as code is inspected upon extraction by the user), the impact for gateways or AV infrastructure where the archive is not extracted is considerable. There is no inspection of the content at all; prior disclosures therefore referred to this class of bugs as Denial of Service (you deny the service of the scan engine for that file), however I chose to stick to the terms evasion/bypass, being the primary impact of these types of bugs.

Below is the simplified logic of an anti-virus engine (Source: F-Secure - Link); as shown, the logic breaks once the file can't be extracted.





PS. I am aware that there are hundreds of ways to bypass; that however doesn't make it less of a problem. I am waiting for the day where the first worm uses these techniques to stay undetected over a longer period of time, as depending on the evasion a kernel update (engine update) is necessary and sig updates do not suffice. This results in a longer window of exposure - at least for GW solutions. *Must make Conficker reference here*

IV. Common misconceptions about this "bug class"
  • This has the same effect as adding a password to a ZIP file
The scanner denotes files that are password-protected; an example is an e-mail gateway scanner that adds "Attachment not scanned" to the subject line or otherwise indicates that the file was not scanned. This is not the case with bypasses: in most cases the engine has not inspected the content at all or has inspected it in a different way. Additionally, password-protected archive files are easily filterable by a content policy, allowing or denying them.
  • This is only an issue with gateway products
Every environment where the archive is not actively extracted by the end-user is affected, for example fileservers, databases etc. Over the years I saw the strangest environments that were affected by this type of "bug". My position is that customers deserve better security than this.
  • Behavioral analysis will catch this?
No, the content is unreadable to the AV engine; as such no inspection whatsoever is possible.
  • Evasions are the Cross Site Scripting of file format bugs
Yes.


V. Disclosure timeline

IBM was sent two POC files, an explanation and the disclosure terms (http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html)

  • 09/03/2009 : Sent proof of concept, a description of the terms under which I cooperate and the planned disclosure date (23/03/2009)
  • 13/03/2009 : ClamAV responds that the bug is reproducible and will be fixed in 0.95, to be released on 23/03/2009
  • 23/03/2009 : Asked ClamAV if the release was made and if credit was given
  • 23/03/2009 : ClamAV responds that the release was made, and that credit was given in the changelog. (Tzo note: a post will probably be made at http://www.clamav.net/category/security/)
  • 02/04/2009 : Release of this limited detail advisory


Introduction :
As employees become more mobile, sophisticated VPN solutions are required to meet key security challenges such as securing access to corporate resources and protecting remote desktops. To meet the VPN client needs of any organization, Check Point offers VPN-1 SecureClient.
Title : CheckPoint - CheckQuotes!
Ref : TZO-012006-Checkpoint

Details :
During startup, SR_Watchdog.exe spawns the GUI process (SR_GUI.exe) through the CreateProcess() function. In doing so it omits to set the 'lpApplicationName' parameter (leaving it NULL) and further omits to quote the path in the 'lpCommandLine' parameter. Ref [1]
This results in c:\program.bat|exe|com being called prior to SR_GUI.exe and allows automatic startup of a potentially rogue application. In particular, one could imagine a scenario where it is possible to escalate rights using this (as they are inherited from SR_Watchdog.exe).
I decided that this is not worth reporting to the vendor; I consider this low impact in terms of security (although it might show bad coding practice).


[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
[2] Only a real issue in Windows 2000; WinXP restricted users don't have the right to write to c:\
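Added example (Python, not Check Point's code): the documented CreateProcess() lookup rule for an unquoted lpCommandLine, reproduced as an audit function that lists every file tried before the intended executable, beside the quoted/explicit form that resolves to one path. The SR_GUI.exe install path is an assumption for illustration.

```python
"""Unquoted command-line audit for CreateProcess() callers (added example)."""
import ntpath

# Assumed install path, used only as sample input.
SAMPLE_GUI_PATH = r"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"


def createprocess_candidates(lp_application_name, lp_command_line):
    """Return the ordered list of module paths CreateProcess() may try.

    Per the Win32 documentation: with lpApplicationName NULL (None here) the
    module is taken from lpCommandLine; if the first token has no extension,
    '.exe' is appended; if no such file exists, the next whitespace-delimited
    token is appended and the lookup repeats. The real call stops at the first
    file that exists, so every entry before the last is a hijack opportunity.
    A quoted first token, or a set lpApplicationName, resolves to one path.
    """
    if lp_application_name:
        return [lp_application_name]
    cmd = lp_command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return [cmd[1:end]] if end > 0 else [cmd[1:]]
    tokens = cmd.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def build_safe_call(exe_path, args=""):
    """Return (lpApplicationName, lpCommandLine) for an unambiguous call: the
    module path is passed explicitly and also quoted as argv[0]."""
    cmdline = '"%s"' % exe_path
    if args:
        cmdline += " " + args
    return exe_path, cmdline


def audit_calls(calls):
    """Map each ambiguous lpCommandLine to the unintended paths the loader
    would try first; a defender checks those locations for stray files and
    for write permissions granted to unprivileged users."""
    report = {}
    for app, cmd in calls:
        cands = createprocess_candidates(app, cmd)
        if len(cands) > 1:
            report[cmd] = cands[:-1]
    return report


if __name__ == "__main__":
    unsafe = (None, SAMPLE_GUI_PATH)
    safe = build_safe_call(SAMPLE_GUI_PATH)
    print("unsafe call tries:", createprocess_candidates(*unsafe))
    print("safe call tries:  ", createprocess_candidates(*safe))
    print("audit:", audit_calls([unsafe, safe]))
```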