Summary: The parsing engine can be bypassed by a specially crafted and formatted TAR archive.
Credit:
The information has been provided by Thierry Zoller.
The original article can be found at: http://blog.zoller.lu/2009/06/advisory-frisk-f-prot-evasion-tar.html
Vulnerable Systems:
* FRISK F-PROT AVES
* FRISK F-PROT Antivirus for Windows on Mail Servers
* FRISK F-PROT Antivirus for Exchange
* FRISK F-PROT Antivirus for Linux x86 Mail Servers
* FRISK F-PROT Antivirus for Linux x86 File Servers
* FRISK F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers
* FRISK F-PROT Milter - for example sendmail
* FRISK F-PROT Antivirus for Linux on IBM zSeries (S/390)
Immune Systems:
* FRISK F-PROT Antivirus version 4.5.0
The bug prevents the engine from inspecting the contents of such TAR archives. The archive content is not inspected at all, so malicious code inside it cannot be detected.
Disclosure Timeline:
28/04/2009 : Sent proof of concept
11/05/2009 : Resent PoC file, asking for a reply
20/05/2009 : Frisk replies that it was unable to extract the PoC file with "tar" and hence sees no bypass.
20/05/2009 : Informed Frisk that the PoC extracts fine with WinZip
22/05/2009 : Frisk sends a lengthy e-mail re-discussing bypasses/evasions
22/05/2009 : Thierry states that he will not discuss this topic any further; everything has been said and written multiple times. Either Frisk patches or they do not.
22/05/2009 : Frisk states that the changes to the parsing code are minor, i.e. not relying on the checksum. The patch will be included in the next release candidate 4.5.0 and credit will be given in the History file. Comment: Thierry gives 4.5.0 some time to be released.
10/06/2009 : Asked Frisk whether 4.5.0 has been released; no reply
14/06/2009 : Release of this advisory
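The timeline above says the fix was to stop relying on the TAR header checksum. The following added example (written for this page, not code from F-PROT or from the advisory author) shows why that matters for a scanner: a parser that abandons the archive on a checksum mismatch ("fail open") never sees the entries, whereas one that records the mismatch and keeps walking the archive still inspects the payload. The archive is a constructed sample built with Python's standard `tarfile` module; the `list_entries` function and its `fail_open` flag are this example's own names.

```python
import io
import tarfile

BLOCK = 512  # ustar header and data block size


def build_sample_tar() -> bytes:
    """Constructed sample: a one-entry TAR archive produced by the standard library."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"hello from inside the archive\n"  # 30 bytes
        info = tarfile.TarInfo(name="note.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def corrupt_checksum(data: bytes) -> bytes:
    """Constructed sample: the same archive with the first header's checksum field
    overwritten, i.e. a header that no longer matches its own bytes."""
    data = bytearray(data)
    data[148:156] = b"0000000\0"
    return bytes(data)


def octal_field(raw: bytes) -> int:
    """Decode a NUL/space-terminated octal header field; empty means zero."""
    field = raw.split(b"\0")[0].strip()
    return int(field or b"0", 8)


def header_checksum(header: bytes) -> int:
    """Checksum as defined by the ustar format: the sum of all 512 header bytes,
    with the 8-byte checksum field at offset 148 counted as ASCII spaces."""
    return sum(header[:148]) + 8 * 0x20 + sum(header[156:])


def list_entries(data: bytes, fail_open: bool) -> list:
    """Enumerate archive entries.

    fail_open=True mimics an engine that gives up on the archive at the first
    checksum mismatch, so nothing after that point is inspected.
    fail_open=False keeps walking the archive, marks the mismatch, and lets the
    caller scan the content anyway (the behaviour the fix aims for).
    """
    entries = []
    offset = 0
    while offset + BLOCK <= len(data):
        header = data[offset:offset + BLOCK]
        if header == b"\0" * BLOCK:  # end-of-archive marker
            break
        name = header[0:100].split(b"\0")[0].decode("ascii", "replace")
        size = octal_field(header[124:136])
        checksum_ok = octal_field(header[148:156]) == header_checksum(header)
        if not checksum_ok and fail_open:
            return entries  # the lenient engine stops here: payload never examined
        entries.append({"name": name, "size": size, "checksum_ok": checksum_ok})
        # skip the header plus the data blocks, rounded up to a whole block
        offset += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK
    return entries


if __name__ == "__main__":
    good = build_sample_tar()
    bad = corrupt_checksum(good)
    print("intact archive, fail-open  :", list_entries(good, fail_open=True))
    print("bad checksum,  fail-open  :", list_entries(bad, fail_open=True))
    print("bad checksum,  fail-closed:", list_entries(bad, fail_open=False))
```

With the intact archive both policies list `note.txt`. With the malformed header the fail-open parser returns an empty list, which is exactly the "no inspection of the content at all" outcome described above, while the fail-closed parser still returns the entry with `checksum_ok` set to `False`, so the scanner can both inspect the content and flag the archive as malformed.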