This summary is not available. Please click here to view the post.

Introduction :
Flaws in the way F-Secure software handles ZIP and RAR data compression archives could allow an attacker to execute remote code on users' systems and also to bypass F-Secure's antivirus-scanning capabilities.

Details :
I found mutliple vulnerabilities within various AV Engines, F-Secure are the first to actually publish a real advisory, others fixed the bugs silently or put a small notice in a change_log. I will however not publish more details about the findings as of yet, there are too many AV engines vulnerable to similar issues and I am going to wait until most of them have patched the flaws until I exactly dislclose my findings.
http://www.f-secure.com/security/fsc-2006-1.shtml

Rain Forest Puppy once defined a "Responsible Disclosure Practice", I adhere to it.

[Update]
The Story has been posted on SecurityFocus, News.com, Washington Post, Heise, Suedeutsche, ZDnet, Computerworld, and various others. Special Thanks to Mikko for giving me Credit.

Introduction :
"ZangoCash (formerly LOUDcash) is recognized around the world as one of the best pay-per-install affiliate programs on the Internet. ZangoCash is a subsidiary of 180solutions which also includes Zango and MetricsDirect . Every day, 7,500-10,000 ZangoCash affiliates distribute our software to users who are then connected with more than 6,000 MetricsDirect advertisers."

Details :

After the acknowledgement of an License Agreement, during Startup, the bundled EXE contacts several servers and downloads the required Adware components. The downloaded components are not checked for integrity or authenticity and are executed as soon as they are downloaded.

The Following procedures are exploitable :

1. Initial Install
2. Auto-Update function

The condition is exploitable in the following scenarios :

1. You have legitimate control over the DNS server
2. You have compromised a DNS server
3. You forge a cache poisoning attack against a vulnerable DNS server
4. You have access to the machine and change the HOST file

Redirecting static.zangocash.com to an IP address under your Control and creating the respective V-host allows you to install any type of executable on the machine where zango is being installed or currently is installed.

Release mode: Forced release, vendor has not replied.
Ref : TZO-112009 - Fortinet Generic Evasion
Vendor : http://www.fortinet.com
Security notification reaction rating : Catastrophic

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html


Affected products :
- t.b.a (Vendor has not reacted, please see below)

As this bug has not been reproduced by the vendor, this limited advisory relies on the assumption that my tests were conclusive and that the test environment mimics the production environment.

I. Background

Quote: "Fortinet is a leading provider of network security appliances and the leader of the unified threat management (UTM) market worldwide. Fortinet's award-winning portfolio of security gateways, subscription services, and complementary products delivers the highest level of network, content, and application security for enterprises of all sizes, managed service providers, and telecommunications carriers, while reducing total cost of ownership and providing a flexible, scalable path for expansion. "

II. Description
The parsing engine can be bypassed by a specially crafted and formatted archive file. Details are currently witheld due to other vendors that are in process of deploying patches.

A professional reaction to a vulnerability notification is a way to measure the maturity of a vendor in terms of security. Fortinet is given a grace period of two (2) weeks to reply to my notification. Failure to do so will result in POC being released in two (2) weeks.

Fortinet (as well as others) is advised to leave a specific security contact at [1] in order to simplify getting in contact with them.

As this bug has not been reproduced by the vendor, this limited advisory relies on the assumption that my tests were conclusive.

III. Impact
A general description of the impact and nature of AV Bypasses/evasions can be read at :http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect code within the archive. There is no inspection of the content at all.


IV. Disclosure time line

• 09/03/2009 Send proof of concept, description the terms under which I cooperate and the planned disclosure date. There is no security adress listed at [1] and hence took the industry standard security contacts addresses secure@ and security@.
  
  No reply.

• 14/03/2009 : Resending specifying this is the last attempt to disclose responsibly.
  
  No reply.

• 15/04/2009 : Fortinet published advisories for third party vendors with the address dontreply-secresearch@fortinet.com, used secresearch@fortinet.com to resend advisory.
  
  No reply.

• 17/04/2009 : Last attempt to contact, information sent to info@foritnet.com
  
  No reply, as of time of publishing

• 17/04/2009 : Release of this advisory and begin of grace period.
  
  
• 17/04/2009 : Fortinet replied instantly, investigation on going

[1] http://osvdb.org/vendor/1/Fortinet%20Inc_

Release mode: Coordinated but limited disclosure.

Ref : TZO-092009 - Nod32 Evasion RAR

Vendor : http://www.eset.com/

Security notification reaction rating : Good enough

Notification to patch window : 14 days

Interesting background statistics:
Time required to coordinate disclosure and write the advisory: 2,5 hours
Time required to find the bug : 25 minutes

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :

• ESET Smart Security 4 (before 15/04/2009)
• ESET NOD32 Antivirus 4 (before 15/04/2009)
• ESET Smart Security 4 Business Edition (before 15/04/2009)
• ESET NOD32 Antivirus 4 Business Edition (before 15/04/2009)
• ESET NOD32 Antivirus for Exchange Server (before 15/04/2009)
• ESET Mail Security (before 15/04/2009)
• ESET NOD32 Antivirus for Lotus Domino Server (before 15/04/2009)
• ESET File Security (before 15/04/2009)
• ESET Novell Netware (before 15/04/2009)
• ESET DELL STORAGE SERVERS (before 15/04/2009)
• ESET NOD32 Antivirus for Linux gateway devices (before 15/04/2009)
• Command line version : NOD32 prior to 3.0.677

I. Background

Quote:"ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET NOD32® Antivirus, is the flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security."
http://www.eset.com/products/eset_performance_advantages.php


II. Description

The parsing engine can be bypassed by a specially crafted and formated RAR archive. Details are currently witheld due to other vendors that are in process of deploying patches.

III. Impact

A general description of the impact and nature of AV Bypasses/evasions can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect code within the RAR archive. There is no inspection of the content at all.


IV. Disclosure timeline

• 04/04/2009 : Send proof of concept, description the terms under which I cooperate and the planned disclosure date

No reply

• 09/04/2009 : Resend notification with an indication this will be the last attempt to responsibly disclose.
  
  
• 09/04/2009 : Eset acknowledges receipt and previous receipt and apologises for not being able to answer due to an internal miscommunication. Patch will be deployed on the 15th of April.

• 09/04/2009 : Ask where changelog/advisory will be posted to
  
  
• 09/04/2009 : Eset responds that credit will be included in changelogs
  http://www.eset.com/support/updates.php?pageno=3
  
  
• 17/04/2009 : Release of this advisory