Release mode : Forced disclosure
Ref : [TZO-30-2009] - Kaspersky PDF evasion (Forced disclosure)
Vendor : http://www.kaspersky.com
Status : Silent fix that doesn't work - No appropriate patch
CVE : none provided
Credit : none given
OSVDB vendor entry : No [1]

Security notification reaction rating : Catastrophic
Not only did headquarters not answer, they (tried to) patch this vulnerability silently, only to fail at it. See Timeline.

This is not the first time that Kaspersky has not answered but has patched bugs without credit, advisory or anything. This was, however, the last time I will not disclose: I am no longer part of an entity that tolerates irresponsible non-disclosure.

A professional reaction to a vulnerability notification is a way to measure the maturity of a vendor in terms of security. Kaspersky is given a grace period of two (2) weeks to reply to my notifications. Failure to do so will result in the details of all the other reported bugs being released in two (2) weeks.

Notification to patch window : x+n
Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products (all versions) :

  • Kaspersky Internet Security
  • Kaspersky Anti-Virus
  • Kaspersky Mobile Security
  • Kaspersky Small Office Security
  • Kaspersky Open Space Security
  • Kaspersky Business Space Security
  • Kaspersky Work Space Security
  • Kaspersky Enterprise Space Security
  • Kaspersky Targeted Security
  • Kaspersky® Anti-Virus for Microsoft ISA Server
  • Kaspersky® Anti-Virus for Proxy Server
  • Kaspersky® Anti-Virus for Check Point Firewall-1
  • Kaspersky® Anti-Virus for Windows Server
  • Kaspersky® Anti-Virus for Windows Server Enterprise Edition
  • Kaspersky® Anti-Virus for Novell NetWare
  • Kaspersky® Anti-Virus for Linux File Server
  • Kaspersky® Anti-Virus for Samba Server
  • Kaspersky® Security for Microsoft Exchange 2007
  • Kaspersky® Security for Microsoft Exchange 2003
  • Kaspersky® Anti-Virus for Lotus Notes/Domino
  • Kaspersky® Anti-Virus for Windows Workstation
  • Kaspersky® Anti-Virus for Linux Workstation
  • Kaspersky® Anti-Virus for Linux Mail Server
  • Kaspersky® Mail Gateway
  • Kaspersky® Anti-Virus for MIMEsweeper

I. Background
Quote: "We develop, produce and distribute information security solutions that protect our customers from IT threats and allow enterprises to manage risk. We provide products that protect information from viruses, hackers and spam for home users and enterprises and offer consulting services and technical support. "

II. Description
PDF files are not parsed correctly. A PDF file starts with the magic bytes "%PDF" and ends with the marker "%%EOF"; everything between those markers is parsed and interpreted. Furthermore, PDF files are read from the bottom to the top (a reader first locates the trailer at the end of the file, which points it to the objects).

Neither Adobe Acrobat nor Foxit Reader cares much about the data that comes prior to the magic bytes; the Kaspersky engine does. Not only does it care, it then fails to detect the malware inside the PDF file.

I will spare you the details: a PDF file is basically a container that starts with %PDF and ends with %%EOF.

What follows are the details of this evasion. Note that this one is generic and the easiest one; there are plenty more. What you read below is true, as amazing as it might seem: you can't have it simpler.

Example of a malicious PDF file :
%PDF Malicious content here %%EOF

Doing this instead :

Enter stuff here, like random text.
%PDF Malicious content here %%EOF

This has the result that the malware is no longer detected. Note: not a single byte of the malware itself has been altered, and strictly speaking the content that represents the PDF file hasn't been changed at all.

This has been tested with several malicious PDF files and represents a generic evasion of all PDF signatures and heuristics.

Kaspersky was given the PoC file directly, through myself and through F-Secure. They went ahead and patched this by adding a signature for the PoC file. Adding a PE header in front of a PDF file (with a .pdf extension) still evades detection, and the exploit still triggers when the file is opened with Adobe Reader. Thus the patch is flawed by design.

Thus the root cause is :

  • The PDF file is not parsed from the bottom to the top; it is important to support the format the same way the end-user application does.
  • The PDF magic bytes (were) read from a static offset.
  • Heuristics are apparently not good enough to detect simple shellcode in a PDF file.
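As an added illustration of the root causes listed above (my own example code, written for this page; it is not part of the advisory and says nothing about how any vendor's engine is actually implemented), the Python below contrasts a magic-byte check pinned to offset 0 with a container-aware locator that searches for %PDF within a leading window, takes the last %%EOF scanning from the end, and then reads startxref from the trailer the way a PDF reader does. The minimal sample PDF, the 1024-byte search window, the "MZ" stub and the signature string are all constructed assumptions, not real samples or indicators.

```python
"""Container-aware PDF locating versus a static-offset magic-byte check (added example)."""

PDF_HEADER = b"%PDF"
PDF_EOF = b"%%EOF"
HEADER_SEARCH_WINDOW = 1024  # assumption: how far into the file a tolerant reader looks for %PDF

# Constructed stand-in for a payload signature; deliberately not a real IoC.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"


def build_sample_pdf(payload: bytes) -> bytes:
    """Construct a minimal, structurally plausible PDF carrying `payload` in a stream.
    The startxref value is computed so the trailer is internally consistent."""
    body = bytearray(b"%PDF-1.4\n")
    body += b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    body += b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    body += b"3 0 obj\n<< /Length %d >>\nstream\n" % len(payload) + payload + b"\nendstream\nendobj\n"
    xref_offset = len(body)  # offset of the xref keyword, relative to %PDF
    body += b"xref\n0 1\n0000000000 65535 f \ntrailer\n<< /Size 4 /Root 1 0 R >>\n"
    body += b"startxref\n%d\n%%%%EOF\n" % xref_offset
    return bytes(body)


def static_offset_is_pdf(data: bytes) -> bool:
    """The flawed behaviour the advisory describes: magic bytes expected at offset 0,
    so anything prepended makes the file look like 'not a PDF' and no PDF logic runs."""
    return data.startswith(PDF_HEADER)


def find_pdf_container(data: bytes):
    """Locate the PDF the way a tolerant reader does.
    %PDF may sit anywhere in the first HEADER_SEARCH_WINDOW bytes, and the
    container ends at the LAST %%EOF found scanning from the bottom of the file.
    Returns (start, end) byte offsets or None."""
    start = data.find(PDF_HEADER, 0, HEADER_SEARCH_WINDOW)
    if start == -1:
        return None
    end = data.rfind(PDF_EOF)
    if end == -1 or end < start:
        return None
    return start, end + len(PDF_EOF)


def read_startxref(pdf: bytes):
    """Read the trailer bottom-up: last 'startxref' keyword, then the integer after it.
    Offsets are taken relative to the start of the sliced container (assumption)."""
    pos = pdf.rfind(b"startxref")
    if pos == -1:
        return None
    token = pdf[pos + len(b"startxref"):].split()[0]
    return int(token) if token.isdigit() else None


def scan(data: bytes, signature: bytes = SIGNATURE) -> dict:
    """Return both verdicts side by side for the same bytes."""
    static_hit = static_offset_is_pdf(data) and signature in data
    span = find_pdf_container(data)
    if span is None:
        return {"static_offset": static_hit, "container_aware": False,
                "pdf_offset": None, "xref_ok": False}
    pdf = data[span[0]:span[1]]
    xref = read_startxref(pdf)
    xref_ok = xref is not None and pdf[xref:xref + 4] == b"xref"
    return {"static_offset": static_hit, "container_aware": signature in pdf,
            "pdf_offset": span[0], "xref_ok": xref_ok}


# Constructed samples mirroring the advisory's two variants.
PLAIN = build_sample_pdf(SIGNATURE)
TEXT_PREFIX = b"Enter stuff here, like random text.\n"
TEXT_PREPENDED = TEXT_PREFIX + PLAIN
PE_PREPENDED = b"MZ" + b"\x00" * 62 + PLAIN  # 64-byte stand-in for a DOS/PE-style stub

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN), ("text-prepended", TEXT_PREPENDED), ("pe-prepended", PE_PREPENDED)):
        print(name, scan(sample))
```

The point of the side-by-side verdict is that the container-aware path still finds the signature and still resolves startxref correctly after a prefix is added, because offsets in the trailer are relative to %PDF rather than to the start of the file. Whatever window the target reader actually tolerates before %PDF, a scanner should be at least as tolerant, otherwise the gap between the two is exactly the evasion described above.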

III. Impact
The heuristics can be bypassed by a specially formatted PDF "container", which leads to malicious PDF files, old or new, being missed. This is not a bypass that relies on archive structures; it relies on evading certain code paths in the AV engine "through various means".

A general description of the impact and nature of AV Bypasses/evasions can be read at : http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

Note: Certain vendors confirmed this to bypass their engine at runtime.


IV. Timeline
Dates are DD/MM/YYYY.

  • 15/05/2009 : Sent proof of concept, description of the terms under which I cooperate and the planned disclosure date.
    No reply (note: there were receipt acknowledgements (nothing more) for 2 other reports, but not this one).

  • xx/05/2009 : F-Secure sends the same sample to Kaspersky

  • 01/06/2009 : Re-sent the proof of concept, description of the terms under which I cooperate and the planned disclosure date. No reply.
  • 03/06/2009 : F-Secure informs me that the sample was submitted to Kaspersky

  • 03/06/2009 : Informed F-Secure to communicate with Kaspersky and please ask them to reply to my notifications.

  • 03/06/2009 : Kaspersky Moscow visits my blog, searches for "AVP" and "Kaspersky". Obviously they received both reports.
    No reply

  • 04/06/2009 : I discovered that the PoC file is now detected by the latest Kaspersky update.
  • 04/06/2009 : Discovered that adding a few bytes evades the AV engine again (+5 minutes).

  • 09/06/2009 : Release of this advisory on the blog, tweet. Hoping for any reaction prior to sending it to bugtraq et al.

  • 13/06/2009 : Release to Bugtraq et al and start of grace period.

  • 14/06/2009 : Kaspersky sends me an e-mail and promises to get back with updates.

    Note (in all fairness): Kaspersky US did acknowledge the receipt of 2 other bugs; however, they couldn't provide any information or any reaction as Moscow simply didn't answer them.

[1] http://osvdb.org/vendor/1/Kaspersky%20Labs
[2] http://blog.didierstevens.com/2009/05/14/malformed-pdf-documents/
[3] http://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/

1 comment

Phil said... @ 19 July, 2009 00:53

Hi,
just to say congrats for this great job about AV detection issues, and that I support your ethics (http://phil-secu.over-blog.net/article-33978778.html).
Cheers.