[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] [TZO-40-2009] Clamav generic bypass (RAR, CAB, ZIP)
- To: bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, info@xxxxxxxxxxxxx, vuln@xxxxxxxxxxx, <cert@xxxxxxxx>, <nvd@xxxxxxxx>, <cve@xxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] [TZO-40-2009] Clamav generic bypass (RAR, CAB, ZIP)
- From: Thierry Zoller <Thierry@xxxxxxxxx>
- Date: Tue, 16 Jun 2009 13:13:19 +0200
________________________________________________________________________
From the low-hanging-fruit-department
Clamav generic evasion (RAR,CAB,ZIP)
________________________________________________________________________
Shameless plug :
------------------------------------------------------------------------
You are invited to join the 2009 edition of HACK.LU, a small but
concentrated luxemburgish security conference.
More information : http://www.hack.lu - CFP is open, sponsorship is still
possible and warmly welcomed.
------------------------------------------------------------------------
Release mode: Coordinated but limited disclosure.
Ref : [TZO-40-2009] - Clamav generic evasion (RAR,CAB,ZIP)
WWW : http://blog.zoller.lu/2009/05/advisory-clamav-generic-bypass.html
Vendor : http://www.clamav.net &
http://www.sourcefire.com/products/clamav
Status : Patched (in version 0.95.2)
CVE : none provided
Credit : Discovered - froggz 2005, Zoller 2007, ROGER Mickael 2009
Security notification reaction rating : good
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
- ClamAV below 0.95.2
Affected systems:
- MACOSX server,
- IBM Secure E-mail Express Solution for System
http://www.clamav.net/about/who-use-clamav/
I. Background
~~~~~~~~~~~~~
Quote: "Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX,
designed especially for e-mail scanning on mail gateways. It provides
a number of utilities including a flexible and scalable multi-threaded
daemon, a command line scanner and advanced tool for automatic
database updates. The core of the package is an anti-virus engine
available in a form of shared library. "
II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by manipulating RAR,ZIP archives
in a "certain way" that the Clamav engine cannot extract the content but
the end user is able to.
III. Impact
~~~~~~~~~~~
To know more about the impact and type of "evasion", I updated the
description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
No timeline, nothing particular to note.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/