Release mode: Coordinated but limited disclosure.
Ref : [TZO-22-2009] - Avira Antivir generic PDF evasion (heuristics)
Vendor : http://www.avira.com
Status : Patched (Engine-Version: AV7 7.9.0.168 / AV8/9: 8.2.0.168)
CVE : none provided
Credit : t.b.a
OSVDB vendor entry: none [1]
Security notification reaction rating : good
Notification to patch window : 10 days

Disclosure Policy :http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
  •  Avira AntiVir Free
  • Avira AntiVir Premium
  • Avira AntiVir Premium Security Suite
  • Avira AntiVir Professional (Desktop)
  • Avira AntiVir Server
  • Avira AntiVir Exchange
  • Avira AntiVir SharePoint
  • Avira AntiVir ISA Server
  • Avira AntiVir MIMEsweeper
  • Avira AntiVir for KEN! 4
  • Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
  • Avira AntiVir Professional (Unix)
  • Avira AntiVir Server (Unix)
  • Avira AntiVir MailGate
  • Avira AntiVir WebGate

I. Background

Quote: "Avira AntiVir is a reliable free anti virus solution, that constantly and rapidly scans your computer for malicious programs such as viruses, Trojans, backdoor programs, hoaxes, worms, dialers etc. Monitors
every action executed by the user or the operating system and reacts promptly when a malicious program is detected. AV-Comparatives e.V. have chosen Avira AntiVir Premium as the best anti-virus solution of 2008"


II. Description

The heuristics can be bypassed by a special formated PDF "container", this leads to the bypass of malicious PDF files, old or new. This is not a bypass that relies on archive structures but relies on evading certain code paths in the av engine "through various means".

III. Impact

To know more about the impact and this "type of  evasion", I updated the description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html 

Interestingly this opens the possibility to evade at scan time and run-time.


IV. Disclosure timeline

DD/MM/YYYY
  • 08/05/2009 : Send proof of concept, description the terms under whichI cooperate and the planned disclosure date.

  • 10/05/2009 : Avira acknowledges receipt.

  • 11/05/2009 : Avira states that the internal development build has been patched and that the public updates are to be rolled out end of the week.

  • 18/05/2009 : Avira informs me that "we already released the fixed engine to the public on friday, 15th May, 17:59 pm CET: Engine-Version: AV7 7.9.0.168 / AV8/9: 8.2.0.168

  • 18/05/2009 : Release of this advisory.


[1]
Avira is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/AVIRA%20GmbH to facilate communication and reduce lost reports.

0 comments

Post a Comment