FRISK Software produces "the hugely popular F-Prot Antivirus products range offering unrivalled heuristic detection capabilities".
The F-Prot Antivirus parsing engine can be bypassed by a specially crafted and formatted CAB archive (malformed Filesize field). The bug causes the engine to skip inspecting the code within the CAB archive: the content is not inspected at all, so malicious code inside it cannot be detected.
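The defensive lesson of this advisory is that an archive scanner must fail closed: when the container header cannot be reconciled with the bytes actually present, the file is to be treated as suspicious, not as "nothing to scan". The following is an added example, not code from the advisory or from FRISK, showing a small header validator for CAB files. It uses the CFHEADER field names and layout from Microsoft's public Cabinet format specification; the sample cabinets are constructed in the block (a bare header, one CFFOLDER entry and a zeroed placeholder instead of a real CFFILE entry) and are not the proof of concept referred to in the timeline.

```python
import struct

# CFHEADER layout (Microsoft Cabinet format specification), little-endian:
# signature(4) reserved1(4) cbCabinet(4) reserved2(4) coffFiles(4) reserved3(4)
# versionMinor(1) versionMajor(1) cFolders(2) cFiles(2) flags(2) setID(2) iCabinet(2)
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
CFHEADER_SIZE = CFHEADER.size  # 36 bytes

# CFFOLDER layout: coffCabStart(4) cCFData(2) typeCompress(2)
CFFOLDER = struct.Struct("<IHH")


def build_cab_header(cb_cabinet: int, coff_files: int, c_folders: int = 1, c_files: int = 1) -> bytes:
    """Pack a CFHEADER. cbCabinet is the field this advisory concerns: the
    size, in bytes, that the header claims the whole cabinet file has."""
    return CFHEADER.pack(b"MSCF", 0, cb_cabinet, 0, coff_files, 0,
                         3, 1, c_folders, c_files, 0, 0, 0)


def triage_cab(data: bytes) -> str:
    """Classify a blob as 'not-a-cab', 'malformed' or 'inspect'.

    'inspect' means the header is consistent with the bytes we hold and the
    scanner may proceed to walk folders and files. 'malformed' is the
    fail-closed verdict: a scanning policy should block or quarantine such a
    file, never pass it through as clean merely because parsing stopped early.
    """
    if len(data) < CFHEADER_SIZE:
        return "malformed"
    sig, _, cb_cabinet, _, coff_files, _, _, _, c_folders, c_files, _, _, _ = CFHEADER.unpack_from(data)
    if sig != b"MSCF":
        return "not-a-cab"
    # The claimed cabinet size must describe exactly the bytes we were given.
    if cb_cabinet != len(data):
        return "malformed"
    # The first CFFILE entry must lie after the fixed header and inside the file.
    if not (CFHEADER_SIZE <= coff_files < len(data)):
        return "malformed"
    # A cabinet with no folders or no files has nothing to carry and nothing to scan.
    if c_folders == 0 or c_files == 0:
        return "malformed"
    return "inspect"


# --- constructed sample data (not a real or complete cabinet) -----------------
_FOLDER = CFFOLDER.pack(CFHEADER_SIZE + CFFOLDER.size, 1, 0)  # one folder, no compression
_FILE_STUB = b"\x00" * 16                                     # placeholder for a CFFILE entry
_BODY = _FOLDER + _FILE_STUB
_COFF_FILES = CFHEADER_SIZE + len(_FOLDER)                    # 44: CFFILE entries start here


def make_sample(cb_cabinet: int) -> bytes:
    """Assemble header + body with an arbitrary cbCabinet value (constructed data)."""
    return build_cab_header(cb_cabinet, _COFF_FILES) + _BODY


# Consistent header: cbCabinet equals the real length (36 + 24 = 60 bytes).
GOOD_SAMPLE = make_sample(CFHEADER_SIZE + len(_BODY))
# Same bytes, only the Filesize field changed: the header now lies about the size.
BAD_SAMPLE = make_sample(0xFFFFFFFF)

if __name__ == "__main__":
    for name, blob in (("consistent", GOOD_SAMPLE), ("size-field-mismatch", BAD_SAMPLE)):
        print(f"{name:20s} -> {triage_cab(blob)}")
```

The only difference between the two samples is the value of the cbCabinet field, which is exactly the kind of single-field change the timeline below describes ("same field, different value"). A scanner that answers "inspect" for the first and "malformed" for the second, and maps "malformed" to a block or quarantine verdict rather than to clean, is not subject to this class of bypass.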
Credit:
The information has been provided by Thierry Zoller.
The original article can be found at: http://blog.zoller.lu/2009/04/advisory-f-prot-frisk-cab-bypass.html
Vulnerable Systems:
* F-PROT AVES
* F-PROT Antivirus
* F-PROT Milter
A description of several evasion techniques can be found at: A case for AV bypasses/evasions
Disclosure Timeline:
10/04/2009 : Sent proof of concept, a description of the terms under which Thierry Zoller cooperates, and the planned disclosure date.
15/04/2009 : FRISK responds that they were unable to find any archive program that is able to extract the file and that some archive programs tested suffer from an integer overflow extracting the file.
15/04/2009 : Inform FRISK that the sample should extract fine.
20/04/2009 : FRISK responds that they were unable to find any archive program that is able to extract the file.
20/04/2009 : Inform FRISK that the sample should extract fine.
22/04/2009 : FRISK responds that they were unable to find any archive program that is able to extract the file. However it will be patched nonetheless "being low-priority, it will not be added to the 4.4 branch. In other words, the fix will be included in the next engine released."
22/04/2009 : Sending FRISK a slightly modified POC (same field, different value) that extracts fine and still bypasses the engine. Ask vendor to confirm that the new engine catches the POC. No reply.
27/04/2009 : Resending previous mail asking to check whether the patch has been effectively closed. No reply.
08/05/2009 : Release of this advisory.