Multiple Vendor Antivirus Products Malformed ZIP Attachment Scan Evasion Vulnerability
BID:12771
Info
| Bugtraq ID: | 12771 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 10 2005 12:00AM |
| Updated: | Mar 10 2005 12:00AM |
| Credit: | Discovery is credited to Bipin Gautam. |
| Vulnerable: | Sybari Antigen for Exchange 7.5.1314; Softwin BitDefender 7.0; McAfee VirusScan 4.5.1; McAfee VirusScan 4.5; McAfee VirusScan 4.0.3; McAfee VirusScan 4.0; H+BEDV AntiVir Windows Workstation 6.30.0.5; AVG AVG Anti-Virus 7.1.308 |
| Not Vulnerable: | |
Discussion
Multiple antivirus products from various vendors are reported prone to a vulnerability that may allow potentially malformed ZIP archives to bypass detection.
This issue arises when an affected application processes a ZIP archive with an invalid CRC-32 checksum. It should be noted that affected software may still detect a malicious file in the archive when it is decompressed or scanned manually.
The discoverer of this vulnerability has reported that this issue affects H+BEDV AntiVir, AVG Anti-Virus, Sybari Antigen for Microsoft Exchange, and products by McAfee and BitDefender. Symantec products were not found to be vulnerable to the issue.
Update: Symantec believes that the impact of this issue is low. This is because an archive handler processing an archive that possesses a corrupt CRC-32 checksum will fail, reporting that the archive is corrupt. This would mean that a malicious file contained in such an archive would not be directly accessible to a target recipient user.
Alternatively, if the CRC-32 checksum is corrected manually by the recipient user and the file is extracted, it will likely be detected by client-side Anti-Virus solutions during the file extraction routine. This detection will likely occur before the malicious file is directly processed by the end user.
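The scanning failure described above is that the archive handler trusts the CRC-32 and gives up on an entry whose stored checksum does not verify, so the entry's content is never inspected. The following added example (not code from the advisory, the discoverer, or any listed vendor) shows the defensive behaviour a gateway scanner should have: it decompresses every entry directly from its local file header regardless of the CRC-32 and reports the mismatch itself as a finding. The fixture archive, the inverted-CRC corruption and the substring matcher are constructed for the test; a real scanner would use its own signature engine in place of `matcher`.

```python
import io
import struct
import zipfile
import zlib

def build_zip(entries):
    """Write {name: bytes} into an in-memory DEFLATE ZIP (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def corrupt_crc(zip_bytes, name):
    """Copy of the archive with a wrong CRC-32 for `name`, in the local header
    (offset 14) and the central directory entry (offset 16), as in the advisory."""
    out = bytearray(zip_bytes)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.getinfo(name)
    bad = struct.pack("<I", info.CRC ^ 0xFFFFFFFF)
    out[info.header_offset + 14:info.header_offset + 18] = bad
    pos = out.find(b"PK\x01\x02")  # central directory file header signature
    while pos != -1:
        nlen = struct.unpack_from("<H", out, pos + 28)[0]
        if bytes(out[pos + 46:pos + 46 + nlen]) == name.encode():
            out[pos + 16:pos + 20] = bad
        pos = out.find(b"PK\x01\x02", pos + 4)
    return bytes(out)

def read_raw(zip_bytes, info):
    """Decompress one entry straight from its local header, ignoring the CRC-32."""
    h = info.header_offset
    nlen, elen = struct.unpack_from("<HH", zip_bytes, h + 26)
    start = h + 30 + nlen + elen
    raw = zip_bytes[start:start + info.compress_size]
    return zlib.decompress(raw, -15) if info.compress_type == zipfile.ZIP_DEFLATED else raw

def scan_archive(zip_bytes, matcher):
    """Gateway-style check: inspect every entry even when its CRC-32 fails to
    verify, and report the mismatch itself. Returns (name, crc_ok, matched)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                data, crc_ok = zf.read(info.filename), True  # zipfile checks CRC-32 here
            except zipfile.BadZipFile:  # a scanner that stops here is the bug described
                data, crc_ok = read_raw(zip_bytes, info), False
            findings.append((info.filename, crc_ok, matcher(data)))
    return findings
```

A CRC-32 mismatch in an inbound attachment is itself worth alerting on at the gateway, since legitimate mail clients and archivers do not produce it.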
Exploit / POC
An exploit is not required to leverage this issue.
A proof of concept example ZIP archive is available from the following location:
http://www.geocities.com/visitbipin/gpbf.zip
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
References:
- AVG Anti-Virus Homepage (AVG)
- Home Page (Sybari)
- Home Page (BitDefender)
- McAfee Homepage (McAfee)
- Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. (Bipin Gautam)
- Vendor Homepage (H+BEDV)
- Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. ([email protected])