AOH :: HP Unsorted F :: BT-21180.HTM

Fprot generic bypass (TAR)



Fprot generic bypass (TAR)
Fprot generic bypass (TAR)



________________________________________________________________________

                From the low-hanging-fruit-department
                 F-prot generic TAR bypass / evasion
________________________________________________________________________

Shameless plug :
------------------------------------------------------------------------
You are invited to join the 2009 edition of HACK.LU, a small but 
concentrated luxemburgish security conference. 
More information : http://www.hack.lu - CFP is open, sponsorship is still 
possible and warmly welcomed.
------------------------------------------------------------------------

Release mode: Coordinated but limited disclosure.
Ref         : [TZO-33-2009] - F-prot TAR bypass / evasion
WWW : http://blog.zoller.lu/2009/06/advisory-frisk-f-prot-evasion-tar.html 
Vendor : http://www.f-prot.com 
Status      : Current version not patched, next engine version will be patched
              in version 4.5.0. Vendor didn't reply if said version is
              now in ciculation.
CVE         : none provided
Credit      : Given in the History file 
OSVDB vendor entry: none [1]
Security notification reaction rating : better than last time
Notification to patch window : n+1 (no patch for current build)

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html 

Affected products (all versions up to 4.5.0 which is not released yet) 
- F-PROT AVES (High: complete bypass of engine)
- F-PROT Antivirus for Windows (unknown)
- F-PROT Antivirus for Windows on Mail Servers : (High: complete bypass of engine) 
- F-PROT Antivirus for Exchange (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 Mail Servers : (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 File Servers : (High: complete bypass of engine)
- F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete bypass of engine)
- F-PROT Milter - for example sendmail (High: complete bypass of engine)
- F-PROT Antivirus for Linux on IBM zSeries (S/390) (High: complete bypass of engine)
- F-Prot Antivirus for Linux x86 Workstations (unknown)

OEM Partners affected :
- Autentium  (all versions)

OEM Partners with unknown status :
- Sendmail, Inc.
- G-Data


I. Background
~~~~~~~~~~~~~
Quote: "FRISK Software International, established in 1993, is one of the 
world's leading companies in antivirus research and product development.

FRISK Software produces the hugely popular F-Prot Antivirus products range 
offering unrivalled heuristic detection capabilities. In addition to this, 
the F-Prot AVES managed online e-mail security service filters away the 
nuisance of spam e-mail as well as viruses, worms and other malware that 
increasingly clog up inboxes and threaten data security."


II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formated
TAR archive. 

III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html 

The bug results in denying the engine the possibility to inspect
code within TAR archives. There is no inspection of the content
at all and hence the impossibility to detect malicious code.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
28/04/2009 : Send proof of concept, description the terms under which 
             I cooperate and the planned disclosure date.
        
             No reply
                         
11/05/2009 : Resending PoC file asking to please reply

20/05/2009 : Frisk replies that it was unable to extract the PoC file with
             "tar" and hence see no bypass.
                         
20/05/2009 : Inform Frisk that the PoC extracts fine with Winzip                         

22/05/2009 : Frisk send a lenghty e-mail re-discussing bypasses/evasions

22/05/2009 : I state that I will not discuss this topic any further, everything
             has been said and written multiple times. Either Frisk patches
             or they do not.
                         
22/05/2009 : Frisk states that the changes to the parsing code are minor
             i.e not relying on the checksum. The patch will be included
             in the next releaes candidate 4.5.0 and credit will be given
             in the History file
        
Comment: I give it some time to 4.5.0 to be released.
                         
10/06/2009 : Ask Frisk if 4.5.0 has been released now

             no reply
                         
14/06/2009 : Release of this advisory

[1] F-prot is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/Frisk%20Software%20International 
to facilate communication and reduce lost reports.





The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.