SecuriTeam - Ikarus Multiple Generic Evasions Using CAB ZIP or RAR Files

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

The parsing engine can be bypassed by a specially crafted and formated RAR (Headflags and Packsize),ZIP (Filelenght) and CAB (Filesize) archive.

Credit:
The information has been provided by Thierry Zoller.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* IKARUS virus utilities
* IKARUS myM@ilWall
* IKARUS Content Wall
* IKARUS security.proxy

Immune Systems:
* IKARUS engine version 1.1.58

The bug results in denying the engine the possibility to inspect code within the CAb,RAR,ZIP archives. There is no inspection of content at all.

A general description of the impact and nature of AV Bypasses/evasions can be read at : http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

Disclosure Timeline:
23/03/2009 : Send proof of concept (ZIP), description the terms under which I cooperate and the planned disclosure date.
04/04/2009 : Send proof of concept (RAR)
07/04/2009 : Ikarus acknowledges receipt, patching Dev builds has begun 10/04/2009 : Resending ZIP PoC
13/04/2009 : Submitting CAB PoC
17/04/2009 : Ikarus demands to delay disclosure
01/05/2009 : Ikarus states that it has started Q&A for the new builds
03/06/2009 : Ikarus informs me that they started deploying the patches/updates Credit will be given on a website to come.
09/06/2009 : Release of this advisory.

blog comments powered by Disqus

	HP Data Protector LogBackupLocationStatus SQL Injection Vulnerabilty
	InduSoft WebStudio Unauthenticated Operations Code Execution Vulnerabilityy
	InduSoft WebStudio CEServer Operation 0x15 Code Execution Vulnerability
	HP Data Protector Notebook Extension RequestCopy SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension GetPolicies SQL Injection Vulnerabilty
	GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability
	HP Data Protector Notebook Extension LogClientHealth SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension LogCopyOperation SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension FinishedCopy SQL Injection Vulnerabilty
	Novell ZENWorks Software Packaging ISGrid.Grid2.1 Text Parameter Code Execution Vulnerabilit
	Adobe Reader BMP Image RLE Decoding Code Execution Vulnerability
	Apple QuickTime H264 Matrix Conversion Code Execution Vulnerability
	Apple QuickTime FLC Delta Decompression Code Execution Vulnerability
	Apple Quicktime PnPixPat PatType 3 Parsing Code Execution Vulnerability