Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Security App Flaws :: bt-21181.htm

Clamav generic bypass (RAR,CAB,ZIP)



Clamav generic bypass (RAR,CAB,ZIP)
Clamav generic bypass (RAR,CAB,ZIP)



________________________________________________________________________

                From the low-hanging-fruit-department
                   Clamav generic evasion (RAR,CAB,ZIP)
________________________________________________________________________

Shameless plug :
------------------------------------------------------------------------
You are invited to join the 2009 edition of HACK.LU, a small but 
concentrated luxemburgish security conference. 
More information : http://www.hack.lu - CFP is open, sponsorship is still 
possible and warmly welcomed.
------------------------------------------------------------------------

Release mode: Coordinated but limited disclosure.
Ref         : [TZO-40-2009] - Clamav generic evasion (RAR,CAB,ZIP)
WWW : http://blog.zoller.lu/2009/05/advisory-clamav-generic-bypass.html 
Vendor : http://www.clamav.net & 
http://www.sourcefire.com/products/clamav 
Status      : Patched (in version 0.95.2)
CVE         : none provided
Credit      : Discovered - froggz 2005, Zoller 2007, ROGER Mickael 2009
Security notification reaction rating : good


Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html 

Affected products : 
- ClamAV below 0.95.2


Affected systems:
- MACOSX server,
- IBM Secure E-mail Express Solution for System
http://www.clamav.net/about/who-use-clamav/ 

I. Background
~~~~~~~~~~~~~
Quote: "Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, 
designed especially for e-mail scanning on mail gateways. It provides 
a number of utilities including a flexible and scalable multi-threaded
daemon, a command line scanner and advanced tool for automatic 
database updates. The core of the package is an anti-virus engine 
available in a form of shared library. "

II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by manipulating RAR,ZIP archives 
in a "certain way" that the Clamav engine cannot extract the content but
the end user is able to. 

III. Impact
~~~~~~~~~~~
To know more about the impact and type of "evasion", I updated the 
description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html 

IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY

No timeline, nothing particular to note.







TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH