From the low-hanging-fruit-department
Ikarus multiple generic evasions (CAB,RAR,ZIP)
CHEAP Plug :
You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed
Release mode: Coordinated but limited disclosure.
Ref : [TZO-31-2009] - Ikarus multiple evasions through CAB,RAR,ZIP
WWW : http://blog.zoller.lu/2009/06/subscribe-to-rss-feed-in-case-you-are.html (sorry)
Vendor : http://www.ikarus.at
Status : Patched (after engine version 1.1.58)
CVE : none provided
Credit : t.b.a
OSVDB vendor entry: Ikarus is not listed as a vendor in OSVDB
Security notification reaction rating : good
Notification to patch window : 77 days
Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
- IKARUS virus utilities (scan-time)
- IKARUS myM@ilWall
- IKARUS Content Wall
- IKARUS security.proxy
Ikarus Software GmbH is an anti-virus company based in Austria.
The parsing engine can be bypassed by a specially crafted and formatted
RAR (Headflags and Packsize), ZIP (Filelength) or CAB (Filesize) archive.
The bug denies the engine the possibility to inspect code within the
CAB, RAR and ZIP archives: the archive content is not inspected at all.
A general description of the impact and nature of AV Bypasses/evasions
can be read at : http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
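The defensive lesson from the ZIP case, as an added example (not Ikarus code and not the PoC): a scanner should cross-check each member's local file header against the central directory and the real file length, and fail closed (treat as "not inspected") whenever they disagree instead of reporting the archive clean. `build_sample_zip` and `patch_local_size` are assumed helpers that only construct test input.

```python
import io
import struct
import zipfile

LOCAL_HDR = "<4sHHHHHIIIHH"          # local file header, 30-byte fixed part
LOCAL_SIG = b"PK\x03\x04"

def build_sample_zip() -> bytes:
    """Constructed sample: one stored member, written with the stdlib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hello.txt", "hello world\n")
    return buf.getvalue()

def patch_local_size(data: bytes, member_offset: int, new_size: int) -> bytes:
    """Constructed test input: overwrite the compressed-size field (offset 18 of
    the local header) so it disagrees with the central directory."""
    out = bytearray(data)
    struct.pack_into("<I", out, member_offset + 18, new_size)
    return bytes(out)

def check_zip_consistency(data: bytes) -> list[str]:
    """Return the inconsistencies found; an empty list means the archive is sane.
    A scanner must treat any finding as 'not inspected', never as 'clean'."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                off = info.header_offset
                if data[off:off + 4] != LOCAL_SIG:
                    findings.append(f"{info.filename}: no local header at {off}")
                    continue
                (_sig, _ver, flags, _meth, _t, _d, _crc, csize, _usize,
                 namelen, extralen) = struct.unpack_from(LOCAL_HDR, data, off)
                # Flag bit 3: sizes live in a trailing data descriptor, so the
                # local header is legitimately allowed to carry 0 here.
                if not flags & 0x8 and csize != info.compress_size:
                    findings.append(f"{info.filename}: local size {csize} != "
                                    f"central size {info.compress_size}")
                data_start = off + 30 + namelen + extralen
                if data_start + info.compress_size > len(data):
                    findings.append(f"{info.filename}: data runs past end of file")
                try:
                    zf.read(info)  # a CRC mismatch raises BadZipFile
                except zipfile.BadZipFile as e:
                    findings.append(f"{info.filename}: {e}")
    except zipfile.BadZipFile as e:
        return [f"unparseable archive: {e}"]
    return findings
```

Note that the stdlib extractor happily reads the patched archive because it trusts the central directory; two parsers disagreeing about the same bytes is exactly the condition an engine must not resolve in favour of "clean".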
IV. Disclosure time-line
23/03/2009 : Sent proof of concept (ZIP), a description of the terms under which
I cooperate and the planned disclosure date.
04/04/2009 : Sent proof of concept (RAR)
07/04/2009 : Ikarus acknowledges receipt, patching Dev builds has begun
10/04/2009 : Resending ZIP PoC
13/04/2009 : Submitting CAB PoC
17/04/2009 : Ikarus demands to delay disclosure
01/05/2009 : Ikarus states that it has started Q&A for the new builds
03/06/2009 : Ikarus informs me that they started deploying the patches/updates
Credit will be given on a website to come.
09/06/2009 : Release of this advisory.