Remote exploitation of an exceptional error condition in multiple vendors' anti-virus software allows attackers to bypass security protections by evading virus detection.
Credit:
The information has been provided by iDEFENSE Security Labs.
The original article can be found at: http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities
Vulnerable Systems:
* McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV latest scan engines
Immune Systems:
* McAfee Antivirus 4320 engine DAT
* CA InoculateIT 6.0 after update from vendor site
* eTrust Antivirus r6.0, 7.0 and 7.1 after update from vendor site
* eTrust Antivirus for the Gateway r7.0, 7.1 (all modules and platforms) after update from vendor site
* eTrust Secure Content Manager (all releases) after update from vendor site
* eTrust Intrusion Detection (all releases) after update from vendor site
* EZ-Armor versions 2.0,2.3 and 2.4 after update from vendor site
* EZ-Antivirus versions 6.1, 6.2 and 6.3 after update from vendor site
* BrightStor ARCserve Backup (BAB) r11.1 for Windows after update from vendor site
* Eset through archive-support module version 1.020, automatic update
* Symantec scanning engine
* Bitdefender scanning engine
* Trend Micro scanning engine
* Panda scanning engine
Note: Update links are available further below in the 'Vendor Status' section of this article.
CVE Information:
CAN-2004-0932 - McAfee
CAN-2004-0933 - Computer Associates
CAN-2004-0934 - Kaspersky
CAN-2004-0937 - Sophos
CAN-2004-0935 - Eset
CAN-2004-0936 - RAV
The problem specifically exists in the parsing of .zip archive headers. The .zip file format stores information about compressed files in two locations - a local header and a global header. The local header exists just before the compressed data of each file, and the global header exists at the end of the .zip archive.
It is possible to modify the uncompressed size of archived files in both the local and global header without affecting functionality. This has been confirmed with both WinZip and Microsoft Compressed Folders. An attacker can compress a malicious payload and evade detection by some anti-virus software by modifying the uncompressed size within the local and global headers to zero.
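The defensive lesson in the paragraph above is that a scanner must not trust the size fields in either header. The following checker, an added example written for this advisory and not code from iDEFENSE or any of the vendors, parses the central directory and each local header with the standard-library struct module, decompresses every member itself, and reports any member whose declared uncompressed size (in either header) disagrees with the real decompressed length. It builds its own well-formed sample archive in memory, then a constructed copy with both uncompressed-size fields set to zero, which is the inconsistency the advisory describes, so that the positive case is visible; the member name, payload text and field offsets (22 in the local header, 24 in the central directory entry) are taken from the ZIP specification, everything else is constructed for the example.

```python
"""Flag ZIP members whose declared uncompressed size, in the local header or the
central directory, does not match what the member actually decompresses to.
Added example for this advisory; it is not vendor code."""
import io
import struct
import zipfile
import zlib

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")          # 30-byte local file header
CENTRAL_HDR = struct.Struct("<4sHHHHHHIIIHHHHHII")  # 46-byte central directory entry
EOCD = struct.Struct("<4sHHHHIIH")                  # 22-byte end-of-central-directory record
DATA_DESCRIPTOR_FLAG = 0x0008  # bit 3: sizes legitimately follow the data, not the local header

SAMPLE_PAYLOAD = b"constructed sample payload line\n" * 40  # constructed, harmless content


def central_entries(data):
    """Yield (cd_entry_offset, local_header_offset, method, flags, crc, csize, usize, name)."""
    eocd_at = data.rfind(b"PK\x05\x06")
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    rec = EOCD.unpack_from(data, eocd_at)
    n_entries, cd_offset = rec[4], rec[6]
    pos = cd_offset
    for _ in range(n_entries):
        (sig, _, _, flags, method, _, _, crc, csize, usize,
         name_len, extra_len, comment_len, _, _, _, local_off) = CENTRAL_HDR.unpack_from(data, pos)
        if sig != b"PK\x01\x02":
            raise ValueError("bad central directory signature at offset %d" % pos)
        name = bytes(data[pos + 46:pos + 46 + name_len]).decode("utf-8", "replace")
        yield pos, local_off, method, flags, crc, csize, usize, name
        pos += 46 + name_len + extra_len + comment_len


def check_archive(data):
    """Return a list of finding strings; an empty list means every size field is consistent."""
    findings = []
    for _, local_off, method, flags, crc, c_csize, c_usize, name in central_entries(data):
        (sig, _, l_flags, _, _, _, _, _, l_usize,
         name_len, extra_len) = LOCAL_HDR.unpack_from(data, local_off)
        if sig != b"PK\x03\x04":
            findings.append(f"{name}: bad local header signature")
            continue
        start = local_off + LOCAL_HDR.size + name_len + extra_len
        blob = bytes(data[start:start + c_csize])
        if method == zipfile.ZIP_DEFLATED:
            d = zlib.decompressobj(-15)            # raw deflate stream, no zlib wrapper
            raw = d.decompress(blob) + d.flush()
        elif method == zipfile.ZIP_STORED:
            raw = blob
        else:
            findings.append(f"{name}: unsupported compression method {method}")
            continue
        actual = len(raw)
        # Never trust either header: decompress the data and measure it.
        if c_usize != actual:
            findings.append(f"{name}: central directory says {c_usize} bytes, data decompresses to {actual}")
        if not (l_flags & DATA_DESCRIPTOR_FLAG) and l_usize != actual:
            findings.append(f"{name}: local header says {l_usize} bytes, data decompresses to {actual}")
        if (zlib.crc32(raw) & 0xFFFFFFFF) != crc:
            findings.append(f"{name}: CRC mismatch")
    return findings


def build_sample_zip(payload=SAMPLE_PAYLOAD):
    """Build a well-formed single-member archive in memory (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.txt", payload)
    return buf.getvalue()


def zero_uncompressed_sizes(data):
    """Constructed malformed fixture: write 0 into the uncompressed-size field of both
    headers, the inconsistency the advisory describes, so the checker has a positive case."""
    out = bytearray(data)
    for cd_pos, local_off, *_ in list(central_entries(data)):
        struct.pack_into("<I", out, local_off + 22, 0)  # local header: uncompressed size at offset 22
        struct.pack_into("<I", out, cd_pos + 24, 0)     # central entry: uncompressed size at offset 24
    return bytes(out)


if __name__ == "__main__":
    clean = build_sample_zip()
    print("clean archive:", check_archive(clean) or "no findings")
    for line in check_archive(zero_uncompressed_sizes(clean)):
        print("tampered archive:", line)
```

The data-descriptor check matters in practice: archives written by streaming tools legitimately carry zero sizes in the local header and set flag bit 3, so a scanner that alerts on a zero local size alone would produce false positives; comparing against the decompressed length, and against the central directory, is what distinguishes a streamed archive from a tampered one.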
Impact
Successful exploitation allows remote attackers to pass malicious payloads within a compressed archive to a target without being detected. Most anti-virus engines have the ability to scan content packaged with compressed archives. As such, users with up-to-date anti-virus software are more likely to open attachments and files if they are under the false impression that the archive was already scanned and found to not contain a virus.
Vendor Status:
Shown below are vendor responses for this issue, each concerning their respective products.
McAfee
"The McAfee scan engine has always been a market leader in detection of viruses, worms and Trojans within compressed and archived file formats. As such the mechanism used for the detection of such payloads has been designed to ensure all archive files are thoroughly scanned at each nested level in the file to ensure that all appropriate parts of the file are scanned.
McAfee is aware of a proof of concept exploitation in Zip archive payloads where information in the local header part of the archive is modified.
The local header exists just before the compressed data of each file. It is possible to modify the uncompressed size of archived files in the local header without affecting functionality. Consequently there is the potential for a malicious payload to be hidden and avoid anti-virus detection by modifying the uncompressed size within the local headers to zero.
The techniques used by McAfee to analyze Zip archives have allowed a comprehensive solution for the Zip file format vulnerability to be provided to protect customers.
The latest update for the current 4320 McAfee Anti-Virus Engine DATS drivers (Version 4398 released on Oct 13th 2004) further enhances the protection afforded to McAfee customers against such potential exploits.
A DATS Driver update issued in Version 4397 (October 6th 2004) provided early protection for the same potential exploit targeted specifically for Gateway and Command line scanning.
If a detection of this type of exploit is found it will trigger the message "Found the Exploit-Zip Trojan!" to be displayed.
Updates for the DAT files mentioned above can be located at the following links:
Home (Retail) Users:
http://download.mcafee.com/uk/updates/updates.asp
Business (Enterprise) Users:
http://www.mcafeesecurity.com/uk/downloads/updates/dat.asp?id=1
It should be noted that whilst McAfee take the potential for this exploit to be used maliciously seriously, to date no evidence of such an exploit has been discovered. McAfee has provided additional protection through the DATS driver update; however, with usage of the comprehensive suite of anti-virus protection strategies provided by McAfee products, McAfee are confident that this exploit presented no additional threat to its customers.
It should be noted that with McAfee on-access scanning active, such modification for malicious purposes to hide payloads only delays eventual detection - McAfee on-access detection will detect any payload with malicious intent as malware.
McAfee continues to focus on ensuring that customers receive maximum protection and provide a rapid response to all potential vulnerabilities thus ensuring customer satisfaction."
Computer Associates
"With the assistance of iDEFENSE, Computer Associates has identified a medium-risk vulnerability in a shared component of eTrust Antivirus which may allow a specially crafted .ZIP file to bypass virus detection. A number of CA products embed this technology including solutions from eTrust, Brightstor and others.
Customers are encouraged to visit the CA support web site below for more information about this vulnerability, a list of products and platforms that are affected, and remediation procedures.
http://supportconnectw.ca.com/public/ca_common_docs/arclib_vuln.asp
At Computer Associates, every reported exposure is handled with the utmost urgency. We strive to ensure that no customer is left in a vulnerable situation."
Kaspersky
(09/24/2004)
"...this bug for scanners based on 3.x-4.x engines will be fixed in the next (not current) cumulative update.
For scanners based on the new 5.0 engine we recommend you wait for the release of our next maintenance pack. We are going to release it in October."
Eset
"The vulnerability was caused by the fact that some archive compression/decompression software (including Winzip) incorrectly handles compressed files with deliberately damaged header fields, thus, in fact, allowing creation of damaged archive files that could be automatically repaired on the victim's computer without notifying the user.
Eset has made appropriate modifications to archive-scanning code to handle such archives immediately after receiving notification from iDEFENSE. These changes are contained in archive-support module version 1.020, released on 16th September 2004 at 21:00 CET. The update was available for all clients with Automatic Virus-Signatures Update set."
Disclosure Timeline:
09/16/2004 Initial vendor notification
09/16/2004 iDEFENSE clients notified
10/18/2004 Coordinated public disclosure