[TZO-08-2009] Bitdefender generic bypass/evasion
- To: NTBUGTRAQ <NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx>, bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>, <info@xxxxxxxxxxxxx>, <vuln@xxxxxxxxxxx>, <cert@xxxxxxxx>, <nvd@xxxxxxxx>, <cve@xxxxxxxxx>
- Subject: [TZO-08-2009] Bitdefender generic bypass/evasion
- From: Thierry Zoller <Thierry@xxxxxxxxx>
- Date: Fri, 17 Apr 2009 16:08:49 +0200
______________________________________________________________________
From the low-hanging-fruit-department - Bitdefender bypass/evasion
______________________________________________________________________
Release mode: Coordinated but limited disclosure.
Ref : TZO-082009 - Bitdefender Evasion CAB
WWW :
http://blog.zoller.lu/2009/04/bitdefender-generic-bypassevasion-cab.html
Vendor : http://www.bitdefender.com
Security notification reaction rating : Good
Notification to patch window : 1 day (!)
Interesting background statistics:
Time required to coordinate disclosure and write the advisory: 2 hours
Time required to find the bug : 10 minutes
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
- Bitdefender Antivirus 2009 (pre update 13/04/2009)
- Bitdefender Internet Security 2009 (pre update 13/04/2009)
- Bitdefender Total Security 2009 (pre update 13/04/2009)
- Bitdefender Small Office Security (pre update 13/04/2009)
- Bitdefender for Fileservers (pre update 13/04/2009)
- Bitdefender for Samba (pre update 13/04/2009)
- Bitdefender for Sharepoint (pre update 13/04/2009)
- Bitdefender Security for Exchange (pre update 13/04/2009)
- Bitdefender Security for Mailservers (pre update 13/04/2009)
- Bitdefender for ISA Servers (pre update 13/04/2009)
- Bitdefender Client security (pre update 13/04/2009)
Bundles:
- BitDefender Business Security (pre update 13/04/2009)
- Bitdefender Antivirus for Unices (pre update 13/04/2009)
- Bitdefender Corporate Security (pre update 13/04/2009)
- Bitdefender SBS Security (pre update 13/04/2009)
I. Background
~~~~~~~~~~~~~
BitDefender™ provides security solutions to satisfy the protection
requirements of today's computing environment, delivering effective
threat management for over 41 million home and corporate users in more
than 100 countries. BitDefender, a division of SOFTWIN, is headquartered
in Bucharest, Romania and has offices in Tettnang, Germany, Barcelona,
United Kingdom, Denmark, Spain and Fort Lauderdale (FL), USA.
II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formatted
CAB archive. Details are currently withheld because other vendors are
still in the process of deploying patches.
III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV bypasses/evasions
can be read at:
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
The bug prevents the engine from inspecting the code contained in the
CAB archive; the content is not inspected at all.
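As an added illustration of the fail-closed check a gateway or scanner can apply to this class of problem (example code, not from this advisory, Bitdefender, or the withheld proof of concept): the CFHEADER of a CAB is validated against the bytes actually received, and any archive whose header does not agree with its contents is marked unscannable so it can be quarantined instead of passed through uninspected. Field names follow Microsoft's public Cabinet format; the sample cabinets below are constructed here.

```python
import struct

# CFHEADER layout from Microsoft's public Cabinet format documentation:
# "MSCF", reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")   # 36 bytes
CFFOLDER = struct.Struct("<IHH")               # coffCabStart, cCFData, typeCompress
RESERVE_PRESENT = 0x0004                       # flags bit: optional reserve fields follow


def cab_header_verdict(data: bytes) -> str:
    """'scannable' if the CFHEADER agrees with the bytes actually received,
    otherwise 'unscannable': a gateway should quarantine, not pass through."""
    if len(data) < CFHEADER.size:
        return "unscannable"
    (sig, _, cb_cabinet, _, coff_files, _, ver_minor, ver_major,
     c_folders, c_files, flags, _, _) = CFHEADER.unpack_from(data)
    if sig != b"MSCF" or (ver_major, ver_minor) != (1, 3):
        return "unscannable"
    if cb_cabinet != len(data) or c_folders == 0 or c_files == 0:
        return "unscannable"           # size claim or counts cannot be trusted
    off, folder_size = CFHEADER.size, CFFOLDER.size
    if flags & RESERVE_PRESENT:        # cbCFHeader u16, cbCFFolder u8, cbCFData u8, abReserve
        if len(data) < off + 4:
            return "unscannable"
        cb_hdr_res, cb_fold_res = struct.unpack_from("<HB", data, off)
        off += 4 + cb_hdr_res
        folder_size += cb_fold_res
    folders_end = off + c_folders * folder_size
    if not (folders_end <= coff_files < len(data)):
        return "unscannable"           # file table lies outside the archive bytes
    for i in range(c_folders):
        cab_start = CFFOLDER.unpack_from(data, off + i * folder_size)[0]
        if cab_start >= len(data):
            return "unscannable"       # folder's CFDATA lies beyond the end
    return "scannable"


def build_sample_cab(declared_size=None) -> bytes:
    """Constructed one-file, uncompressed cabinet used only as sample input;
    declared_size overrides cbCabinet to simulate an inconsistent header."""
    folder = CFFOLDER.pack(66, 1, 0)                               # CFDATA at 66
    cffile = struct.pack("<IIHHHH", 1, 0, 0, 0, 0, 0x20) + b"a.txt\0"
    cfdata = struct.pack("<IHH", 0, 1, 1) + b"A"                   # csum, cbData, cbUncomp
    body = folder + cffile + cfdata
    total = CFHEADER.size + len(body)                              # 75 bytes
    size = total if declared_size is None else declared_size
    return CFHEADER.pack(b"MSCF", 0, size, 0, 44, 0, 3, 1, 1, 1, 0, 0, 0) + body
```

The check only decides whether the archive is structurally walkable; an "unscannable" verdict is the signal to block or quarantine rather than to treat the file as clean.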
IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
13/04/2009 : Sent proof of concept, a description of the terms under which
I cooperate, and the planned disclosure date
14/04/2009 : Bitdefender responds that the problem was fixed by an
automatic update on 13/04/2009
16/04/2009 : Asked which product lines and versions were affected, and
for a CVE number.
15/04/2009 : Bitdefender states that "All our products are affected
by this problem. We don't have a CVE number".
17/04/2009 : Release of this advisory