
Release mode: Coordinated but limited disclosure.
Ref : [TZO-33-2009] - F-prot TAR bypass / evasion
Vendor :
Status : Current version not patched, next engine version will be patched
CVE : none provided
Credit : Given in the History file
OSVDB vendor entry: none [1]
Security notification reaction rating : better than last time
Notification to patch window : n+1 (no patch for current build)

Disclosure Policy :

Affected products (all versions before 4.5.0, which is not released yet)
  • F-PROT AVES (High: complete bypass of engine)
  • F-PROT Antivirus for Windows (unknown)
  • F-PROT Antivirus for Windows on Mail Servers : (High: complete bypass of engine)
  • F-PROT Antivirus for Exchange (High: complete bypass of engine)
  • F-PROT Antivirus for Linux x86 Mail Servers : (High: complete bypass of engine)
  • F-PROT Antivirus for Linux x86 File Servers : (High: complete bypass of engine)
  • F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete bypass of engine)
  • F-PROT Milter - for example sendmail (High: complete bypass of engine)
  • F-PROT Antivirus for Linux on IBM zSeries (S/390) (High: complete bypass of engine)
  • F-Prot Antivirus for Linux x86 Workstations (unknown)

OEM Partners affected :
  • Authentium (all versions)
OEM Partners with unknown status :
  • Sendmail, Inc.
  • G-Data

I. Background
Quote: "FRISK Software International, established in 1993, is one of the world's leading companies in antivirus research and product development.

FRISK Software produces the hugely popular F-Prot Antivirus products range offering unrivalled heuristic detection capabilities. In addition to this, the F-Prot AVES managed online e-mail security service filters away the nuisance of spam e-mail as well as viruses, worms and other malware that increasingly clog up inboxes and threaten data security."

II. Description
The parsing engine can be bypassed by a specially crafted and formatted TAR archive. The vendor's reply of 22/05/2009 (see the disclosure timeline) indicates that the parser relied on the TAR header checksum: an archive whose checksum does not verify is not parsed, and therefore not inspected, even though other extractors (WinZip, per the timeline) unpack it without complaint.

III. Impact
The bug prevents the engine from inspecting the contents of such a TAR archive. The members are not inspected at all, so malicious code inside the archive cannot be detected.

A general description of the impact and nature of AV bypasses/evasions can be read at :
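The bypass class described above, as an added worked example. This is not the PoC and not code from FRISK, WinZip or the advisory author. It assumes, from the vendor's 22/05/2009 remark in the timeline that the fix consists of "not relying on the checksum", that the crafted archive carries a TAR header whose checksum field does not verify; the member name, the payload and the archive itself are constructed here for illustration. The block builds such an archive, shows that a reader which trusts the checksum (Python's tarfile, standing in for the unpatched parser) gives up on the first header and so returns nothing to inspect, and contrasts it with a reader that walks the members by the size field regardless of the checksum, which is what a scanner needs when a more tolerant extractor will still unpack the file.

```python
"""Constructed example: TAR header checksum and a checksum-tolerant reader.

Not code from the advisory, from FRISK or from WinZip. The assumption that
the PoC has a non-verifying checksum is drawn from the vendor's remark that
the fix is "not relying on the checksum".
"""
import io
import tarfile

BLOCK = 512
# Constructed stand-in for a malicious member; not real malware.
PAYLOAD = b"#!/bin/sh\necho this would be the malicious sample\n"


def ustar_header(name: str, size: int, checksum_delta: int = 0) -> bytes:
    """Build a 512-byte ustar header for a regular file.

    The checksum is the byte sum of the header with the 8-byte checksum
    field counted as spaces; checksum_delta != 0 stores a wrong value.
    """
    h = bytearray(BLOCK)
    h[0:len(name)] = name.encode()
    h[100:108] = b"0000644\0"                   # mode
    h[108:116] = b"0000000\0"                   # uid
    h[116:124] = b"0000000\0"                   # gid
    h[124:136] = f"{size:011o}\0".encode()      # size, octal
    h[136:148] = b"00000000000\0"               # mtime
    h[148:156] = b" " * 8                       # checksum field counts as spaces
    h[156:157] = b"0"                           # typeflag: regular file
    h[257:263] = b"ustar\0"                     # magic
    h[263:265] = b"00"                          # version
    h[148:156] = f"{sum(h) + checksum_delta:06o}\0 ".encode()
    return bytes(h)


def build_archive(name: str, payload: bytes, corrupt_checksum: bool = False) -> bytes:
    """Header, data padded to a block boundary, two end-of-archive zero blocks."""
    delta = 1 if corrupt_checksum else 0
    padding = b"\0" * (-len(payload) % BLOCK)
    return ustar_header(name, len(payload), delta) + payload + padding + b"\0" * (2 * BLOCK)


def _octal(field: bytes) -> int:
    """Decode a NUL/space-terminated octal field; -1 if it is not a number."""
    try:
        return int(field.split(b"\0", 1)[0].strip() or b"0", 8)
    except ValueError:
        return -1


def strict_members(data: bytes):
    """Reader that trusts the checksum: a bad first header raises
    tarfile.ReadError, so the caller gets no members to inspect."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        return [(m.name, tf.extractfile(m).read()) for m in tf.getmembers() if m.isfile()]


def lenient_members(data: bytes):
    """Walk the archive by the size field without relying on the checksum.

    Yields (name, content, checksum_ok); a mismatch is reported but is
    never used as a reason to skip the member's content.
    """
    off = 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:            # end-of-archive marker
            break
        name = hdr[0:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        size = max(_octal(hdr[124:136]), 0)
        computed = sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:])
        content = data[off + BLOCK:off + BLOCK + size]
        yield name, content, _octal(hdr[148:156]) == computed
        off += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK


def compare(name: str = "sample.sh", payload: bytes = PAYLOAD) -> dict:
    """Run both readers over a clean and a crafted archive."""
    clean = build_archive(name, payload)
    crafted = build_archive(name, payload, corrupt_checksum=True)
    out = {"clean_strict": strict_members(clean)}
    try:
        out["crafted_strict"] = strict_members(crafted)
    except tarfile.ReadError as e:
        out["crafted_strict"] = f"rejected: {e}"   # nothing gets inspected
    out["crafted_lenient"] = list(lenient_members(crafted))
    return out


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, "->", value)
```

The design point is the one the vendor reply concedes: a checksum mismatch tells a scanner that the archive is malformed, not that it is harmless, and since at least one extractor still unpacks such a file the content has to be inspected anyway. A scanner can flag the mismatch as suspicious, but it must not treat it as a reason to stop parsing.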

IV. Disclosure timeline
  • 28/04/2009 : Sent the proof of concept, a description of the terms under which I cooperate and the planned disclosure date.

    No reply

  • 11/05/2009 : Resent the PoC file, asking to please reply

  • 20/05/2009 : Frisk replies that it was unable to extract the PoC file with "tar" and hence sees no bypass.
  • 20/05/2009 : Informed Frisk that the PoC extracts fine with WinZip
  • 22/05/2009 : Frisk sends a lengthy e-mail re-discussing bypasses/evasions
  • 22/05/2009 : I state that I will not discuss this topic any further, everything has been said and written multiple times. Either Frisk patches or they do not.
  • 22/05/2009 : Frisk states that the changes to the parsing code are minor, i.e. not relying on the checksum. The patch will be included in the next release candidate 4.5.0 and credit will be given in the History file
Comment: I give 4.5.0 some time to be released.

  • 10/06/2009 : Ask Frisk if 4.5.0 has been released now

    No reply

  • 14/06/2009 : Release of this advisory

F-Prot is encouraged to leave their security contact details at to facilitate communication and reduce lost reports.

