
Hmm, I see a very clear trend of marketing entering the security process, sorry let me rephrase that, it's not a trend - it's there.

There is a clear indication that vulnerability counts have to be kept as low as possible, especially in competitive markets like AV and browsers.

The movement goes as far as denying that DoS is a security issue; the reason given: there are so many of them. I am not kidding.

What the hell? Denial of Service is a vulnerability per se. There is simply no discussion about it: it's the A in C.I.A. What you should measure is the impact. If the vendor assesses the impact as being very low for their customers I have nothing against being told so, and I simply make it clear in the advisory; however, trying to tell me that remotely affecting the availability of an application does not affect security is a joke.

The impact is what vendors should measure. Make it very clear to your customers what the impact is, so they can make a concise risk decision on whether to patch or not, whether to mitigate or not.

The problem is, it doesn't look very good in vulnerability statistics. More and more products are regularly compared on "how many advisories for each product", and vendors are actively trying to keep that number as low as possible. Responsibility? My buttock.

From the 800 vulnerability notifications I sent in the last 2 years, 3 (!) were published by vendors voluntarily. You would think that if they cared about the security of their clients they would, even if just as due diligence, advise their clients of security problems that were fixed - no, nada, niente. Out of those 3 advisories, one vendor chose to centralise 8 distinct vulnerabilities into one advisory. The effect? In the vulnerability statistics you see on-line it will look like ONE bug. Nice, responsible and fair. Dream on.

Under the umbrella of responsible disclosure "we" security researchers are playing the ball game. If you didn't know yet: instead of fighting with vendors over stupid bugs, lots of them sell the vulnerabilities. Not only do they not have to deal with lengthy, frustrating e-mails trying to help the vendor (for free), they even get paid for having found the problem.

The downside is that this is less responsible, since you are handing particularly interesting information to a third party (most of which sell it on to interested three-letter agencies behind everyone's back, while customers wait months to years for a patch).

The fact is that the most prominent and dominant security researchers have been bought: they either get regular contracts at those companies or work directly in their offices. Vulns are silently handed over; payback time is another project, not officially of course. Manus manum lavat (one hand washes the other). Responsibility? My buttock.

Here is an example of the "Denial of Service is not a security vulnerability" paradigm; the company in question will not be named yet (wait for the advisory):

1. Report a remote DoS condition in Product X to Comp. Inc.
  • Comp. Inc. answers that DoS is not a security issue, that there will be no credit nor an advisory; they basically don't care.
2. Report a second remote DoS condition in Product Y to Comp. Inc.
  • Comp. Inc. answers that DoS is not a security issue, that there will be no credit nor an advisory; they basically don't care.
3. Report a remote DoS condition in a product of Comp. Inc. (NB: the same company) whose market is more competitive.
  • Hell breaks loose: "please Thierry, I dare you, be responsible, this is very serious to us".

    Now what is it for Comp. Inc.? Has Denial of Service spontaneously been promoted to very important? Or is it just that this makes them look bad in the face of the competition? My answer to that company was that they have to make a choice: either DoS is a security problem or it is not; I will respond accordingly and publish.

    Some background :
    1 - I have been reporting a (simple) browser bug resulting in various DoS conditions
    2 - I have been met with some of the most astounding reactions I have ever had

    James K. William (the original Packetstorm founder - for those who remember) just sent me a note that Computer Associates published the vulnerabilities I reported while @nruns :

    ---
    Hey Thierry,
    FYI, our security notice was just published.

    "CA20090126-01: Security Notice for CA Anti-Virus Engine"
    https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197601
    ---

    Affected Platforms

  • Windows
  • UNIX
  • Linux
  • Solaris
  • Mac OS X
  • NetWare

    Affected Products:
  • CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.1, r8, r8.1
  • CA Anti-Virus 2007 (v8), 2008
  • eTrust EZ Antivirus r7, r6.1
  • CA Internet Security Suite 2007 (v3), 2008
  • CA Internet Security Suite Plus 2008
  • CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8, 8.1
  • CA Anti-Virus Gateway (formerly eTrust Antivirus Gateway) 7.1
  • CA Protection Suites r2, r3, r3.1
  • CA Secure Content Manager (formerly eTrust Secure Content Manager) 8.0, 8.1
  • CA Anti-Spyware for the Enterprise (Formerly eTrust PestPatrol) r8, 8.1
  • CA Anti-Spyware 2007, 2008
  • CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r3.0, r3.1, r11, r11.1, r11.2
  • CA ARCserve Backup r11.1, r11.5, r12 on Windows
  • CA ARCserve Backup r11.1, r11.5 Linux
  • CA ARCserve client agent for Windows
  • CA eTrust Intrusion Detection 2.0 SP1, 3.0, 3.0 SP1, 4.0
  • CA Common Services (CCS) r11, r11.1





    MP3 : http://secdev.zoller.lu/chomskbla3009.mp3


    Reference : [TZO-2009-2]-Avira Antivir
    Product :

  • Avira AntiVir
  • Avira AntiVir Premium
  • Avira Premium Security Suite
  • Avira AntiVir Professional
    Vendor : http://www.avira.de


    I. Background
    Avira AntiVir is a reliable free antivirus solution, that constantly and rapidly scans your computer for malicious programs such as viruses, Trojans, backdoor programs, hoaxes, worms, dialers etc. Monitors every action executed by the user or the operating system and reacts promptly when a malicious program is detected.

    The protection experts have numerous company locations throughout Germany and cultivate partnerships in Europe, Asia and America. Avira has more than 180 employees at their main office in Tettnang near Lake Constance and is one of
    the largest employers in the region. There are around 250 people employed worldwide whose commitment is continually being confirmed by awards. A significant contribution to protection is the Avira AntiVir Personal which is being used by private users a million times over.

    AV-Comparatives e.V. have chosen Avira AntiVir Premium as the best anti-virus solution of 2008




    II. Description
    No funky IOCTL, just a plain unsafe call to CreateProcess(). In detail, the scheduler (sched.exe), running with SYSTEM privileges, calls the CreateProcess() API to launch avwsc.exe at regular intervals without enclosing the executable path in lpCommandLine in quotes.

    Calling an executable whose path contains spaces without quoting it makes Windows search for the executable in several locations before it reaches the intended one.

    Calling for instance -

    CreateProcess(
        NULL,   /* lpApplicationName */
        "c:\\program files\\avira\\antivir PersonalEdition Classic\\avwsc.exe",   /* lpCommandLine; the quotes here are the C string delimiters, the path value itself carries no quotes */
        ...
    );

    will first look for
  • c:\program.exe
    and then
  • c:\program files\avira\antivir.exe
    (followed by c:\program files\avira\antivir PersonalEdition.exe, and only then the intended avwsc.exe).

    This is documented and intended behaviour as can be seen at :
    http://msdn.microsoft.com/en-us/library/ms682425.aspx

    Quoting ms682425.aspx :
    The lpApplicationName parameter can be NULL. In that case, the module name must be the first white space–delimited token in the lpCommandLine string. If you are using a long file name that contains a space, use quoted strings to indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous. For example, consider the string "c:\program files\sub dir\program name". This string can be interpreted in a number of ways. The system tries to interpret the possibilities in the following order:

    c:\program.exe files\sub dir\program name
    c:\program files\sub.exe dir\program name
    c:\program files\sub dir\program.exe name
    c:\program files\sub dir\program name.exe

    Pre-conditions for a CreateProcess() call to be insecure :
    - lpApplicationName is NULL
    - the executable path in lpCommandLine contains white space
    - the executable path in lpCommandLine is not enclosed in quotation marks

    III. Impact
    - Elevation of privileges to SYSTEM: an attacker who can write the payload to c:\program files\avira\antivir.exe (or to c:\program.exe, which is tried first) has it executed by the SYSTEM scheduler in place of avwsc.exe. Write access to one of those locations is the only precondition on the attacker's side.
    - Autostart vector - the payload will be executed even after a reboot, since the scheduler spawns it again
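    The lookup order above, modelled in code. This is an added example written for this page, not Avira's code and not the Windows implementation: it reproduces the documented candidate order for an unquoted lpCommandLine, flags a call that meets the three pre-conditions, shows the quoted form that fixes it, and goes beyond the single scheduler call by auditing a set of service-style ImagePath values (the service names and all paths other than the avwsc.exe one from the advisory are made up for the example). It runs on any OS and never calls CreateProcess() itself.

```python
import ntpath

# Added example (not Avira's code): a model of the documented CreateProcess()
# lookup order for an unquoted lpCommandLine, plus the check a reviewer would
# run over a list of command lines.  Pure Python; it does not touch Win32.

# The scheduler's command line from the advisory (no quotes around the path).
AVIRA_CMDLINE = r"c:\program files\avira\antivir PersonalEdition Classic\avwsc.exe"


def createprocess_candidates(cmdline):
    """Module paths CreateProcess() tries, in order, when lpApplicationName is NULL.

    Unquoted: the module name is the first whitespace-delimited token, extended by
    one token at a time; a candidate without an extension gets ".exe" appended
    (MSDN ms682425).  Quoted: the module name ends at the closing quote.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        closing = cmdline.find('"', 1)
        return [cmdline[1:closing]] if closing > 0 else []
    tokens = cmdline.split()
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def hijack_points(cmdline, intended_exe):
    """Paths tried *before* the intended binary: a file planted at any of them is
    executed instead.  Whether that is exploitable depends on the attacker being
    able to write there (ACLs), which this model deliberately does not check.
    If the intended binary never appears in the list, every candidate is returned."""
    candidates = createprocess_candidates(cmdline)
    if intended_exe in candidates:
        return candidates[: candidates.index(intended_exe)]
    return candidates


def is_unsafe_createprocess(app_name, cmdline, intended_exe):
    """True when the call can be hijacked: lpApplicationName is NULL and the
    intended executable is not the first path the lookup tries (its path contains
    whitespace and is not quoted).  A non-NULL lpApplicationName names the module
    unambiguously and is safe whatever lpCommandLine looks like."""
    if app_name is not None:
        return False
    return bool(hijack_points(cmdline, intended_exe))


def quote_command_line(exe_path, args=""):
    """Hardened form: quoting makes the lookup stop at the closing quote."""
    return f'"{exe_path}"' + (f" {args}" if args else "")


def audit_image_paths(entries):
    """Beyond the single call in the advisory: flag service-style ImagePath values
    (name -> command line) that the same rule would mis-parse.  The intended
    binary is taken to end at the first '.exe' in the command line."""
    findings = {}
    for name, image_path in entries.items():
        stripped = image_path.strip()
        if stripped.startswith('"'):
            continue  # quoted: unambiguous
        cut = stripped.lower().find(".exe")
        intended = stripped[: cut + 4] if cut >= 0 else stripped
        points = hijack_points(stripped, intended)
        if points:
            findings[name] = points
    return findings


# Constructed sample, not taken from any real registry.
SAMPLE_SERVICES = {
    "AntiVirScheduler": AVIRA_CMDLINE,
    "GoodService": quote_command_line(r"c:\program files\good\svc.exe", "/run"),
    "NoSpaces": r"c:\tools\sched.exe /daily",
}

if __name__ == "__main__":
    for svc, points in audit_image_paths(SAMPLE_SERVICES).items():
        print(svc, "->", points)
```

    Calling audit_image_paths(SAMPLE_SERVICES) yields a single finding, the AntiVirScheduler entry, with the three planting locations tried before avwsc.exe. On a real system the next step is to check the ACL on each of those directories (and on the root of the drive, for c:\program.exe); the model stops short of that on purpose.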

    IV. Disclosure Timeline
  • 28/09/2008 : Contacted Avira and sent the bug report
  • 28/09/2008 : Avira acknowledges receipt
  • 01/10/2008 : Avira notifies me that the issue will be fixed with their next Emergency Update (EU2)
  • 24/10/2008 : Avira releases update
  • 15/01/2009 : Release of this advisory


    References :
  • [1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
  • [2] CreateProcess() - http://msdn.microsoft.com/en-us/library/ms682425.aspx
  • [3] Book: Fuzzing - Brute Force Vulnerability Discovery (Sutton, Greene, Amini)
  • [4] LoadLibrary() - http://msdn.microsoft.com/en-us/library/ms684175(VS.85).aspx : "If the string does not specify a path, the function uses a standard search strategy to find the file."


    Reference : [TZO-2009-1]-Avira Antivir
    Products :

  • Avira AntiVir Free
  • Avira AntiVir Premium
  • Avira Premium Security Suite
  • Avira AntiVir Professional
  • Avira AntiVir for KEN! 4
  • Avira AntiVir SharePoint
  • Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
  • Avira AntiVir MailGate
  • Avira AntiVir Exchange
  • Avira AntiVir MIMEsweeper
  • Avira AntiVir Domino
  • Avira AntiVir WebGate
  • Avira WebGate Suite
  • Avira AntiVir ISA Server

    Avira requested the following products to be removed from the list, for the reason that they are license models and not products per se. It is arguable whether they should be listed or not, since the licenses (most likely) include the vulnerable products:

    AVIRA WebGate Suite - Reason: is a License Model
    AVIRA SmallBusiness Suite -> Reason: is a License Model
    AVIRA Business Bundle -> Reason: is a License Model
    AVIRA AntiVir NetWork Bundle -> Reason: is a License Model
    AVIRA AntiVir NetGate Bundle -> Reason: is a License Model
    AVIRA AntiVir GateWay Bundle -> Reason: is a License Model
    AVIRA AntiVir Campus (for Education) -> Reason: is a License Model

    Vendors and Products using the Avira Engine :
    Important : The impact of this flaw on those products has neither been tested nor confirmed; there is however reason to believe that the flaw existed in these products as well.

  • AXIGEN Mail Server
  • Clearswift Mimesweeper
  • GeNUGate and GeNUGate Pro (optional addon)
  • IQ.Suite
    http://www.avira.com/documents/utils/pdf/products/pi_system-integration_en.pdf

    I. Background
    Avira is a leading worldwide provider of self-developed protection solutions for professional and private use. The company belongs to the pioneers in this sector with over twenty years experience.

    The protection experts have numerous company locations throughout Germany and cultivate partnerships in Europe, Asia and America. Avira has more than 180 employees at their main office in Tettnang near Lake Constance and is one of the largest employers in the region. There are around 250 people employed worldwide whose commitment is continually being confirmed by awards. A significant contribution to protection is the Avira AntiVir Personal which is being used by private users a million times over.

    AV-Comparatives e.V. have chosen Avira AntiVir Premium as the best anti-virus solution of 2008

    II. Description
    By manipulating certain fields inside a RAR archive an attacker can trigger the exceptions shown below. The attack vector should be rated as remote, as an attachment to an e-mail is enough to get the file scanned.

    *Anybody else noticed that the amount of detail in most advisories has become less than useful?*


    III. Impact
    In some cases the impact is a Denial of Service condition; in others an invalid 4-byte read which, in some cases, is a null pointer dereference (the crash below reads from address 0x268, i.e. a field offset from a NULL pointer).

    The RAR parser inside the module leads to various errors whose exploitability index is rated "I don't have time for this now - so let's say 'maybe'", also sometimes known as "I lack the time and/or the skill to do so".

    FAULTING_IP:
    aepack!module_get_api+20ed9
    0131cad9 8b10 mov edx,dword ptr [eax]

    EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 0131cad9 (aepack!module_get_api+0x00020ed9)
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 00000000
    Parameter[1]: 00000268
    Attempt to read from address 00000268

    FAULTING_THREAD: 00000144
    DEFAULT_BUCKET_ID: INVALID_POINTER_READ

    PROCESS_NAME: avscan.exe
    OVERLAPPED_MODULE: Address regions for 'AVREP' and 'rcimage.dll' overlap

    READ_ADDRESS: 00000268
    BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_CORRUPT_MODULELIST_OVERLAPPED_MODULE
    LAST_CONTROL_TRANSFER: from 0131cb8c to 0131cad9

    STACK_TEXT:
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0194f5fc 0131cb8c 0115bbfc 00000003 00000100 aepack!module_get_api+0x20ed9
    0194f618 01319b96 0115bbfc 074cc4f4 00000002 aepack!module_get_api+0x20f8c
    0194f654 0131a45a 00000010 01157160 00000001 aepack!module_get_api+0x1df96
    0194f668 0131e7e0 000000d4 00f48ba8 011530d0 aepack!module_get_api+0x1e85a
    0194f68c 01318c35 01157160 00000010 011530d0 aepack!module_get_api+0x22be0
    00000000 00000000 00000000 00000000 00000000 aepack!module_get_api+0x1d035

    FOLLOWUP_IP:
    aepack!module_get_api+20ed9
    0131cad9 8b10 mov edx,dword ptr [eax]

    SYMBOL_NAME: aepack!module_get_api+20ed9
    MODULE_NAME: aepack
    IMAGE_NAME: aepack.dll
    STACK_COMMAND: ~2s ; kb

    FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_aepack.dll!module_get_api
    BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_CORRUPT_MODULELIST_OVERLAPPED_MODULE_aepack!module_get_api+20ed9
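    The kind of check the crashing parser is missing, as an added example: this is constructed code written for this page, not Avira's aepack parser and not a reproduction of the crash above. It walks RAR 4.x block headers (the field layout follows the RAR 4.x technote) with explicit bounds checks, so that an inconsistent HEAD_SIZE, ADD_SIZE or NAME_SIZE ends in a parse error instead of an out-of-bounds read, and it includes a CRC-aware mutation of NAME_SIZE, the sort of "heavily corrupted, generated" archive Avira's root-cause note describes. The sample archive is built inline; no RAR tool is involved.

```python
import struct
import zlib

# Added example: a bounds-checked walker for RAR 4.x block headers (constructed,
# not Avira's parser).  Every read is checked against len(data) before it happens.
RAR_SIGNATURE = b"Rar!\x1a\x07\x00"   # also a valid marker block: type 0x72, HEAD_SIZE 7
LONG_BLOCK = 0x8000                    # HEAD_FLAGS bit: a 4-byte ADD_SIZE follows the base header
LARGE_FILE = 0x0100                    # file-header flag: 8 extra size bytes precede the name
BLOCK_TYPES = {0x72: "marker", 0x73: "archive", 0x74: "file", 0x7B: "end"}


class RarFormatError(ValueError):
    """Raised for any header inconsistency; the walker never reads past the buffer."""


def _file_name(data, off, flags, head_size):
    # File header: 7-byte base, then PACK_SIZE(4) UNP_SIZE(4) HOST_OS(1) FILE_CRC(4)
    # FTIME(4) UNP_VER(1) METHOD(1) NAME_SIZE(2) ATTR(4) [HIGH sizes 8] FILE_NAME.
    name_off = 32 + (8 if flags & LARGE_FILE else 0)
    if head_size < name_off:
        raise RarFormatError(f"file header at {off}: HEAD_SIZE {head_size} too small for fixed fields")
    (name_size,) = struct.unpack_from("<H", data, off + 26)
    if name_off + name_size > head_size:
        raise RarFormatError(f"file header at {off}: NAME_SIZE {name_size} exceeds HEAD_SIZE {head_size}")
    return data[off + name_off : off + name_off + name_size]


def walk_blocks(data):
    """Return [(offset, type_name, head_size, add_size, file_name)] or raise RarFormatError."""
    if not data.startswith(RAR_SIGNATURE):
        raise RarFormatError("missing RAR 4.x signature")
    blocks, off = [], 0
    while off < len(data):
        if len(data) - off < 7:
            raise RarFormatError(f"truncated base header at {off}")
        crc, btype, flags, head_size = struct.unpack_from("<HBHH", data, off)
        if head_size < 7:
            raise RarFormatError(f"block at {off}: HEAD_SIZE {head_size} < 7 (would never advance)")
        add_size = 0
        if flags & LONG_BLOCK:
            if len(data) - off < 11:
                raise RarFormatError(f"block at {off}: truncated ADD_SIZE")
            (add_size,) = struct.unpack_from("<I", data, off + 7)
        end = off + head_size + add_size
        if end > len(data):
            raise RarFormatError(f"block at {off}: header+data end {end} past archive size {len(data)}")
        # HEAD_CRC is the low 16 bits of CRC32 over the header from HEAD_TYPE on;
        # the fixed marker block carries the literal signature instead.
        if btype != 0x72 and zlib.crc32(data[off + 2 : off + head_size]) & 0xFFFF != crc:
            raise RarFormatError(f"block at {off}: HEAD_CRC mismatch")
        name = _file_name(data, off, flags, head_size) if btype == 0x74 else None
        blocks.append((off, BLOCK_TYPES.get(btype, f"0x{btype:02x}"), head_size, add_size, name))
        if btype == 0x7B:
            break
        off = end
    return blocks


def scan(data):
    """Turn parser errors into a result dict, the way a scanner should fail: closed and quietly."""
    try:
        return {"ok": True, "blocks": walk_blocks(data), "error": None}
    except RarFormatError as exc:
        return {"ok": False, "blocks": [], "error": str(exc)}


# --- constructed sample archive (no real RAR tool involved) ---
def build_block(btype, flags, body=b"", payload=b""):
    header = struct.pack("<BHH", btype, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(header) & 0xFFFF) + header + payload


def file_block(name, payload):
    # PACK_SIZE UNP_SIZE HOST_OS FILE_CRC FTIME UNP_VER METHOD(0x30 = store) NAME_SIZE ATTR
    body = struct.pack("<IIBIIBBHI", len(payload), len(payload), 0, zlib.crc32(payload), 0, 20, 0x30, len(name), 0x20)
    return build_block(0x74, LONG_BLOCK, body + name, payload)


SAMPLE = RAR_SIGNATURE + build_block(0x73, 0, b"\x00" * 6) + file_block(b"a.txt", b"abc") + build_block(0x7B, 0x4000)


def corrupt_name_size(archive, value):
    """Mutate NAME_SIZE of the first file header and re-seal HEAD_CRC, as a CRC-aware fuzzer would."""
    file_off = next(off for off, kind, *_ in walk_blocks(archive) if kind == "file")
    (head_size,) = struct.unpack_from("<H", archive, file_off + 5)
    buf = bytearray(archive)
    struct.pack_into("<H", buf, file_off + 26, value)
    struct.pack_into("<H", buf, file_off, zlib.crc32(bytes(buf[file_off + 2 : file_off + head_size])) & 0xFFFF)
    return bytes(buf)


if __name__ == "__main__":
    print(scan(SAMPLE))
    print(scan(corrupt_name_size(SAMPLE, 0xFFFF)))
```

    The order of the checks matters: HEAD_SIZE is validated before it is used to advance, the block end is compared against the buffer before the CRC is computed over it, and NAME_SIZE is bounded by HEAD_SIZE before the name is sliced. The CRC re-seal in corrupt_name_size is there because a mutation that only flips bytes gets rejected by the checksum and never reaches the code that handles the name; fuzzers that fix checksums reach deeper.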


    IV. Disclosure Timeline
    My personal Vulnerability Reaction and Notification rating for AVIRA on
    this issue (scale 1-10) : 9 (Very good)

    The vulnerability notification policy I adhere to:
    http://blog.zoller.lu/search/label/Vulnerability%20disclosure%20Policy

  • 17/12/2008 : Sent notice to the correct mail address security@avira.com
  • 17/12/2008 : Avira acknowledges receipt
  • 17/12/2008 : Avira sends details of the root cause on the same day:
    "The crash occurs in a heavily corrupted, generated RAR archive while extracting the contents of the 22nd file. We can't give any file names as they are non-printable characters."
  • 13/01/2009 : Avira notifies me that the issue was fixed with an update that shipped with AVPack 8.1.3.5 on 09/01/2009
  • 14/01/2009 : Avira states that all products have been affected except the "Security Management Center" and the "Internet Update Manager" (their wording, translated from German: "That means in principle really all products, except products such as the Security Management Center or the Internet Update Manager")
  • 14/01/2009 : Release of this advisory




    Update
    The "Race to 100" is officially finished; the reason for this... is... well, 100% will most likely never be reached. There was even one AV vendor that pulled the 0day detection signature from their database.

    The history of what vendors detected the 0day at what timeframe can be found here :
    http://blog.zoller.lu/2008/12/in-wild-ie7-0day-update.html

    Similar to the idea of Race to Zero, which was a challenge to evade AV detection as fast as possible (until 0 AV engines recognised the sample), the chart displays the number of anti-virus engines currently detecting the unpatched IE6/7/8 0day used to compromise computers all over the world. A race to 100, so to say. I will update the chart and the post below regularly. 38 would be 100%.