Release mode: Coordinated but limited disclosure.
Ref : [TZO-40-2009] - Clamav generic evasion (RAR,ZIP)
Vendor : http://www.clamav.net & http://www.sourcefire.com/products/clamav
Status : Patched (in version 0.95.2)
CVE : none provided
Credit : Discovered - froggz 2005, Zoller 2007, ROGER Mickael 2009
Security notification reaction rating : good


Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
  • ClamAV below 0.95.2
Affected systems:
  • MACOSX server
  • IBM Secure E-mail Express Solution for System
http://www.clamav.net/about/who-use-clamav/

I. Background
Quote: "Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in the form of shared library."

II. Description
The parsing engine can be bypassed by manipulating CAB, RAR and ZIP archives in a "certain way" such that the ClamAV engine cannot extract the content, while the end user is still able to.

III. Impact
To learn more about the impact and the type of "evasion", see the description I updated at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Disclosure timeline
No timeline for this bug, nothing of particular note.