Release mode    : Coordinated Disclosure
Ref             : [TZO-23-2020] - AVAST Generic Archive Bypass (ZIP)
Vendor          : AVAST
Status          : Patched - version 12 and newer
CVE             : CVE-2020-9399
Disclosure Policy: https://caravelahq.com/b/policy/20949


Affected Products
=================

  • Avast Antivirus Pro Plus below v.12
  • Avast Antivirus Pro below v.12
  • Avast Antivirus for Linux below v.12


I. Background
=============
Avast is dedicated to creating a world that provides safety and privacy for all, no matter who you are, where you are, or how you connect. Avast is one of the largest security companies in the world using next-gen technologies to fight cyber attacks in real time. We differ from other next-gen companies in that we have an immense cloud-based machine learning engine that receives a constant stream of data from our hundreds of millions of users, which facilitates learning at unprecedented speeds and makes our artificial intelligence engine smarter and faster than anyone else’s.


II. Description
----------------------------
The parsing engine supports the ZIP archive format. The engine can be bypassed by specifically manipulating a ZIP archive so that it can still be opened by an end user but not by the anti-virus software. Because the AV engine is unable to scan the container, it gives the file a "clean" rating.

I may release further details after all known vulnerable vendors have patched their engines.



III. Impact
----------------------------
Impact depends on the contextual use of the product and engine within a customer's organisation. Gateway products (email, HTTP proxy etc.) may allow the file through unscanned and give it a clean bill of health. Server-side AV software will not be able to discover any code or sample contained within the manipulated archive, and it will not raise suspicion even if you know exactly what you are looking for (which is, for example, great to hide your implants or exfiltration/pivot server).

There is a lot more to be said about this bug class, so rather than bore you with it in this advisory I provide a link to my 2009 blog post:
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
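As an added illustration of the mitigation for this bug class (example code written for this page, not code from the advisory, from Avast or from the linked blog post): a gateway-side verdict that fails closed, so a container the engine could not fully parse is reported UNSCANNABLE and quarantined rather than forwarded as "clean". The MAX_NESTING policy limit and the constructed sample archives are assumptions of the example.

```python
import io
import zipfile

# Verdicts a mail or proxy gateway can act on. The lesson of this bug class is
# that "could not parse the container" must never collapse into CLEAN.
CLEAN = "CLEAN"
UNSCANNABLE = "UNSCANNABLE"
MAX_NESTING = 3  # hypothetical policy limit for archives inside archives


def scan_zip(data: bytes, depth: int = 0) -> str:
    """CLEAN only when every member (and every nested ZIP) was read end to end;
    a parse error, CRC mismatch or excessive nesting yields UNSCANNABLE so the
    gateway can quarantine the file instead of forwarding it unscanned."""
    if depth > MAX_NESTING:
        return UNSCANNABLE
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # testzip() opens every member via its local header and verifies
            # the CRC-32 recorded in the central directory; None means all good.
            if zf.testzip() is not None:
                return UNSCANNABLE
            for info in zf.infolist():
                if info.filename.lower().endswith(".zip"):
                    if scan_zip(zf.read(info), depth + 1) != CLEAN:
                        return UNSCANNABLE
    except Exception:  # BadZipFile, truncation, zlib errors: fail closed
        return UNSCANNABLE
    return CLEAN


def build_sample(corrupt: bool = False, wrap: int = 0) -> bytes:
    """Constructed sample: a one-member ZIP. corrupt=True zeroes the CRC-32 in
    its central directory entry (structure still parses, member no longer
    verifies); wrap=N nests the result inside N further ZIP containers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample content\n" * 4)
    data = bytearray(buf.getvalue())
    if corrupt:
        cd = data.rfind(b"PK\x01\x02")               # central directory header
        data[cd + 16:cd + 20] = b"\x00\x00\x00\x00"  # CRC-32 field
    for level in range(wrap):
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr(f"inner{level}.zip", bytes(data))
        data = bytearray(outer.getvalue())
    return bytes(data)
```

The engine-side equivalent is the same rule: a parser that gives up on a container must surface that as a distinct verdict, never as the absence of detections.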

IV. Patch / Advisory
----------------------------

  • 11.10.2019 - Submission
  • 24.02.2020 - Confirmation by Avast that these have been patched. "The fix was released in virus definitions 200114-0 (except for very old program versions 5.x - 11.x where it hasn't been released yet). So any program (version 12 and newer) with up-to-date virus definitions has the updated unpacker."