SecuriTeam - McAfee generic PDF detection bypass

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

Improper parsing of the PDF structure leads to evasion of detection of malicious PDF documents at scantime and runtime.

Credit:
The information has been provided by Thierry Zoller.
The original article can be found at: http://www.g-sec.lu/mcafee-pdf-bypass.html

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* - McAfee GroupShield
* McAfee LinuxShield
* McAfee NetShield for NetWare
* McAfee PortalShield
* McAfee Total Protection Service (SaaS)
* McAfee Virex
* McAfee Total Protection 2009
* McAfee Internet Security
* McAfee VirusScan USB
* McAfee VirusScan Enterprise
* McAfee VirusScan Enterprise Linux
* McAfee VirusScan Enterprise for SAP
* McAfee VirusScan Enterprise for Storage
* McAfee VirusScan Commandline
* Mcafee SecurityShield for Microsoft ISA Server
* Mcafee Security for Microsoft Sharepoint
* Mcafee Security for Email Servers
* McAfee Email Gateyway
* McAfee Total Protection for Endpoint
* McAfee Active Virus Defense
* McAfee Active VirusScan

Known PDF exploits/malware may evade signature detection, 0day exploits may evade heuristics.

Patch Availability:
Patches dsitributed through automatic updates

This has been tested with several malicious PDF files and represents a generic evasion of all PDF signatures and heuristics. General information about evasion/bypasses can be found at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

Disclosure Timeline:
01.06.2009 - Reported
20.10.2009 - McAfee informed us that they published the advisory on their website < waiting for others vendors to patch >
27.10.2009 - G-SEC releases this advisory

blog comments powered by Disqus

	HP Data Protector LogBackupLocationStatus SQL Injection Vulnerabilty
	InduSoft WebStudio Unauthenticated Operations Code Execution Vulnerabilityy
	InduSoft WebStudio CEServer Operation 0x15 Code Execution Vulnerability
	HP Data Protector Notebook Extension RequestCopy SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension GetPolicies SQL Injection Vulnerabilty
	GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability
	HP Data Protector Notebook Extension LogClientHealth SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension LogCopyOperation SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension FinishedCopy SQL Injection Vulnerabilty
	Novell ZENWorks Software Packaging ISGrid.Grid2.1 Text Parameter Code Execution Vulnerabilit
	Adobe Reader BMP Image RLE Decoding Code Execution Vulnerability
	Apple QuickTime H264 Matrix Conversion Code Execution Vulnerability
	Apple QuickTime FLC Delta Decompression Code Execution Vulnerability
	Apple Quicktime PnPixPat PatType 3 Parsing Code Execution Vulnerability