Reference : [TZO-2009-1]-Avira Antivir
Products :

  • Avira Antivr Free
  • Avira AntiVir Premium
  • Avira Premium Security Suite
  • Avira AntiVir Professional
  • Avira AntiVir for KEN! 4
  • Avira AntiVir SharePoint
  • Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
  • Avira AntiVir MailGate
  • Avira AntiVir Exchange
  • Avira AntiVir MIMEsweeper
  • Avira AntiVir Domino
  • Avira AntiVir WebGate
  • Avira WebGate Suite
  • Avira AntiVir ISA Server
  • Avira AntiVir MIMEsweeper

    Avira requested the following products to be removed from the list, for the reason that they are license models and not products per se, it is arguable whether they should be listed or not, since the licenses (most likely) include the vulnerable products:

    AVIRA WebGate Suite - Reason: is a License Model
    AVIRA SmallBusiness Suite -> Reason: is a License Model
    AVIRA Business Bundle -> Reason: is a License Model
    AVIRA AntiVir NetWork Bundle -> Reason: is a License Model
    AVIRA AntiVir NetGate Bundle -> Reason: is a License Model
    AVIRA AntiVir GateWay Bundle -> Reason: is a License Model
    AVIRA AntiVir Campus (for Education) -> Reason: is a License Model

    Vendors and Products using the Avira Engine :
    Important : The impact of this flaw on those devices has not been tested nor confirmed to exist, there is however reason to believe that the flaw existed in this products aswell.

  • AXIGEN Mail Server
  • Clearswift Mimesweeper
  • GeNUGate and GeNUGate Pro (optional addon)
  • IQ.Suite

    I. Background
    Avira is a leading worldwide provider of self-developed protection solutions
    for professional and private use. The company belongs to the pioneers in
    this sector with over twenty years experience.

    The protection experts have numerous company locations throughout Germany and cultivate partnerships in Europe, Asia and America. Avira has more than 180 employees at their main office in Tettnang near Lake Constance and is one of the largest employers in the region. There are around 250 people employed worldwide whose commitment is continually being confirmed by awards. A significant contribution to protection is the Avira AntiVir Personal which is being used by private users a million times over.

    AV-Comparatives e.V. have chosen Avira AntiVir Premium as the best anti-virus solution of 2008

    II. Description
    By manipulating certain fields inside a RAR archive and attacker might trigger these exceptions. The attack vector should be rated as remote as an attachement to an e-mail is enough.

    *Anybody else noticed that the amount of details in most advisories have become less than usefull ?*

    III. Impact
    In some cases the impact is a Denial of Service condition in others to an invalid read size of 4 bytes which again in some cases lead to an null pointer dereference.

    The RAR parser inside the module leads to various errors whose exploitability index is rated "I don't have time for this now - so let's say 'maybe'" also sometimes known as "I lack the time and/or the skill to do so".

    0131cad9 8b10 mov edx,dword ptr [eax]

    EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 0131cad9 (aepack!module_get_api+0x00020ed9)
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 00000000
    Parameter[1]: 00000268
    Attempt to read from address 00000268

    FAULTING_THREAD: 00000144

    PROCESS_NAME: avscan.exe
    OVERLAPPED_MODULE: Address regions for 'AVREP' and 'rcimage.dll' overlap

    READ_ADDRESS: 00000268
    LAST_CONTROL_TRANSFER: from 0131cb8c to 0131cad9

    WARNING: Stack unwind information not available. Following frames may be wrong.
    0194f5fc 0131cb8c 0115bbfc 00000003 00000100 aepack!module_get_api+0x20ed9
    0194f618 01319b96 0115bbfc 074cc4f4 00000002 aepack!module_get_api+0x20f8c
    0194f654 0131a45a 00000010 01157160 00000001 aepack!module_get_api+0x1df96
    0194f668 0131e7e0 000000d4 00f48ba8 011530d0 aepack!module_get_api+0x1e85a
    0194f68c 01318c35 01157160 00000010 011530d0 aepack!module_get_api+0x22be0
    00000000 00000000 00000000 00000000 00000000 aepack!module_get_api+0x1d035

    0131cad9 8b10 mov edx,dword ptr [eax]

    SYMBOL_NAME: aepack!module_get_api+20ed9
    MODULE_NAME: aepack
    IMAGE_NAME: aepack.dll
    STACK_COMMAND: ~2s ; kb

    FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_aepack.dll!module_get_api

    IV. Disclosure Timeline
    My personal Vulnerability Reaction and Notification rating for AVIRA on
    this issue (scale 1-10) : 9 (Very good)

    The Vulnerability notification policy i adhere to:

  • 17/12/2008 : Sent notice to the correct mail adress
  • 17/12/2008 : Avira achknowledges receipt
  • 17/12/2008 : Avira sends details of the root cause on the same day
    "The crash occurs in a heavily corrupted, generated RAR archive while
    extracting the contents of the 22nd file. We can't give any file names
    as they are non-printable characters."
  • 13/01/2009 : Avira notifies me that the issue was fixed with an update that shipped
    with AVPack on the 09/01/2009
  • 14/01/2009 : Avira states that all products have been affected except "Securityy
    Management Center" and the "Internet Update Manager". "Das bedeutet im
    Prinzip wirklich alle Produkte, ausser Produkte wie eben das Security
    Management Center oder der Internet Update Manager"
  • 14/01/2009 : Release of this advisory


    Post a Comment