
Release mode: Coordinated but limited disclosure.
Ref         : [TZO-31-2009] - Ikarus multiple evasions through CAB,RAR,ZIP
Vendor      : http://www.ikarus.at
Status      : Patched (after engine version 1.1.58)
CVE         : none provided
Credit      : t.b.a
OSVDB vendor entry: Ikarus is not listed as a vendor in OSVDB
Security notification reaction rating : good
Notification to patch window : 77 days
Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html


Affected products :
  • IKARUS virus utilities (scan-time)
  • IKARUS myM@ilWall
  • IKARUS Content Wall
  • IKARUS security.proxy
I. Background
Ikarus Software GMBH is an Anti-virus company based in Austria.

II. Description
The parsing engine can be bypassed by a specially crafted and formatted RAR (Headflags and Packsize), ZIP (Filelength) and CAB (Filesize) archive.

III. Impact
The bug prevents the engine from inspecting the code contained in such RAR, ZIP and CAB archives. The archive content is not inspected at all.
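As an added illustration of the kind of header-consistency check a scanner or mail/content gateway can apply to ZIP input (this is not Ikarus code and not the proof of concept sent to the vendor; the inconsistent sample is constructed here by overwriting one compressed-size field), the following Python cross-checks each local file header against the central directory and the bytes actually present, so that an archive whose declared lengths disagree can be flagged instead of silently skipped:

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# Local file header layout (30 bytes): sig, version, flags, method, mtime,
# mdate, crc32, compressed size, uncompressed size, name length, extra length
LOCAL_HDR = "<4sHHHHHIIIHH"


def build_sample_zip() -> bytes:
    """Constructed sample archive: one stored entry, written by the stdlib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hello.txt", b"hello archive")
    return buf.getvalue()


def corrupt_local_size_for_test(data: bytes, new_csize: int = 5) -> bytes:
    """Constructed test input: overwrite the compressed-size field of the first
    local file header so it disagrees with the central directory."""
    off = data.index(LOCAL_SIG)
    return data[:off + 18] + struct.pack("<I", new_csize) + data[off + 22:]


def check_zip_sizes(data: bytes) -> list:
    """Cross-check every entry's local header against the central directory
    and the bytes actually present. Returns findings; empty means consistent."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [f"unparseable central directory: {exc}"]
    for info in zf.infolist():
        off = info.header_offset
        if data[off:off + 4] != LOCAL_SIG:
            findings.append(f"{info.filename}: no local header at offset {off}")
            continue
        (_, _, flags, _, _, _, _, csize, usize, nlen, xlen) = struct.unpack_from(LOCAL_HDR, data, off)
        if flags & 0x08:
            continue  # sizes live in a data descriptor; local fields are legitimately zero
        if (csize, usize) != (info.compress_size, info.file_size):
            findings.append(f"{info.filename}: local sizes {csize}/{usize} disagree with central directory {info.compress_size}/{info.file_size}")
        if off + 30 + nlen + xlen + csize > len(data):
            findings.append(f"{info.filename}: declared data runs past end of archive")
    return findings
```

A gateway that cannot reconcile the two views of an entry should treat the archive as unscannable (quarantine or block) rather than pass it through uninspected.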

A general description of the impact and nature of AV Bypasses/evasions can be read at :  http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html


IV. Disclosure time-line
DD/MM/YYYY
  • 23/03/2009 : Sent proof of concept (ZIP), a description of the terms under which I cooperate and the planned disclosure date

  • 04/04/2009 : Sent proof of concept (RAR)

  • 07/04/2009 : Ikarus acknowledges receipt, patching Dev builds has begun

  • 10/04/2009 : Resending ZIP PoC

  • 13/04/2009 : Submitting CAB PoC

  • 17/04/2009 : Ikarus demands to delay disclosure

  • 01/05/2009 : Ikarus states that it has started QA for the new builds

  • 03/06/2009 : Ikarus informs me that they started deploying the patches/updates and that credit will be given on a website to come

  • 09/06/2009 : Release of this advisory