Why are there two Panda advisories instead of one? See
http://blog.zoller.lu/2009/05/100th-post-what-about-big-guys.html

Release mode: Coordinated but limited disclosure.
Ref : TZO-25-2009 - Panda generic evasion (TAR)
Vendor : http://www.pandasecurity.com
Status : Patched (Through hotfix and automatic update)
CVE : none provided
OSVDB listing: No [1]
Credit :
http://www.pandasecurity.com/homeusers/support/card?id=80060&idIdioma=2
http://www.pandasecurity.com/homeusers/support/card?id=60039&idIdioma=2
http://www.pandasecurity.com/homeusers/support/card?id=70025&idIdioma=2
Security notification reaction rating : Good
Notification to patch window : +-22 days

Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
  • Global Protection 2009 (Hotfix)
  • Internet Security 2009 (Hotfix)
  • Panda Antivirus Pro 2009 (Hotfix)
  • Panda Security for Business with Exchange
  • Panda Security for Business
  • Panda Security for Enterprise
  • Panda GateDefender Integra (patched through automatic updates)
  • Panda GateDefender Performa (patched through automatic updates)
  • Panda AdminSecure (patched through automatic updates)

SaaS
  • Panda Managed Office Protection
  • TrustLayer Mail
Quote : "What virus protection guarantees does TrustLayer offer? With respect to the antivirus filtering service, TrustLayer offers a 100% virus-free contractual guarantee."

I. Background

Quote: "Panda Security is one of the world's leading creators and developers of technologies, products and services for keeping clients' IT resources free from viruses and other computer threats at the lowest possible Total Cost of Ownership."

II. Description


The parsing engine can be bypassed by a specially crafted TAR archive.

III. Impact

A general description of the impact and nature of AV bypasses/evasions
can be read at: http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug denies the engine the possibility to inspect code within TAR archives. The content is not inspected at all, which makes it impossible to detect malicious code inside such an archive.

IV. Disclosure timeline

DD/MM/YYYY
  • 28/04/2009 : Sent proof of concept TAR, description, the terms under which I cooperate and the planned disclosure date

  • 07/05/2009 : Resent POC, description and terms

  • 11/05/2009 : Inform Panda that this is my last attempt to contact them and that I will publish the information on the 20th of May.

  • 11/05/2009 : Panda informs me that they are still evaluating and fixing release dates and asks for more time.

  • 11/05/2009 : Panda states that they send me a fix for the TAR bug in order to cross-check that it fixes the problem.

  • 21/05/2009 : Panda informs me of the release of hotfixes and affected Products.

  • 22/05/2009 : Ask for clarification on affected products

  • 22/05/2009 : Release of this advisory.
