Multiple Vendor Antivirus Products Malformed ZIP Archive Scan Evasion Vulnerability
BID:12793
Info
| Bugtraq ID: | 12793 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 14 2005 12:00AM |
| Updated: | Feb 20 2007 08:36PM |
| Credit: | Discovery is credited to Dr. Peter Bieringer. Thierry Zoller reported that this vulnerability affects AVG. |
| Vulnerable: | Trend Micro Interscan Viruswall (Linux) 3.1; Symantec AntiVirus Corporate Edition 8.0; Sophos Sweep for Linux 3.91; Norman Virus Control 5.7; Ikarus Ikarus 2.32; Hacksoft TheHacker 5.8; Frisk Software F-Prot Antivirus for Windows; Frisk Software F-Prot Antivirus for Solaris; Frisk Software F-Prot Antivirus for Linux; Frisk Software F-Prot Antivirus for Exchange; Frisk Software F-Prot Antivirus for BSD; Clam Anti-Virus ClamAV 0.85.1; Clam Anti-Virus ClamAV 0.85; Clam Anti-Virus ClamAV 0.84 rc2; Clam Anti-Virus ClamAV 0.84 rc1; Clam Anti-Virus ClamAV 0.84; Clam Anti-Virus ClamAV 0.83; Clam Anti-Virus ClamAV 0.82; Clam Anti-Virus ClamAV 0.81; Clam Anti-Virus ClamAV 0.80 rc4; Clam Anti-Virus ClamAV 0.80 rc3; Clam Anti-Virus ClamAV 0.80 rc2; Clam Anti-Virus ClamAV 0.80 rc1; Clam Anti-Virus ClamAV 0.80; Clam Anti-Virus ClamAV 0.70; Clam Anti-Virus ClamAV 0.68 -1; Clam Anti-Virus ClamAV 0.68; Clam Anti-Virus ClamAV 0.67; Clam Anti-Virus ClamAV 0.65; Clam Anti-Virus ClamAV 0.60; Clam Anti-Virus ClamAV 0.54; Clam Anti-Virus ClamAV 0.53; Clam Anti-Virus ClamAV 0.52; Clam Anti-Virus ClamAV 0.51; AVG AVG Anti-Virus 7.1.308; AVG AVG Anti-Virus 7.0.251; AVG AVG Anti-Virus 7.0; AVG AVG Anti-Virus 6.0.710 |
| Not Vulnerable: | |
Discussion
Multiple antivirus products from various vendors are reported prone to a vulnerability that may allow malformed ZIP archives to bypass detection.
This issue arises when an affected application processes a ZIP archive containing potentially malicious files whose filenames are specially crafted (the reported samples use unfiltered escape sequences in the member names).
This issue could allow a malicious ZIP archive to bypass detection and to be executed by a recipient.
This vulnerability reportedly affects Trend Micro InterScan VirusWall for Linux version 3.1. AVG Anti-Virus is reported affected as well.
Sophos Sweep is being removed as a vulnerable package since the vendor has reported that the correct procedure for scanning archives is to use the '-all' switch instead of '-archive'. The application is not affected if the '-all' switch is used to scan a malicious archive.
This BID will be updated when more information becomes available.
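The following is an added illustration, not code from this advisory or from any of the vendors listed above. It shows the kind of pre-scan check a mail gateway or file-drop pipeline can run on its own: walk the ZIP central directory with Python's standard `zipfile` module, flag any member whose name contains C0 control characters (which includes ESC, 0x1b) or DEL, and render the name with those bytes escaped so the finding can be logged without forwarding raw escape sequences to a terminal or log viewer. The sample archive is constructed in memory for the demonstration; the member names and the `QUARANTINE` action are assumptions, not values from the advisory.

```python
import io
import zipfile

# Characters that never belong in a legitimate archive member name:
# C0 control characters (0x00-0x1f, which includes ESC = 0x1b) and DEL (0x7f).
def control_chars(name: str) -> list:
    return [c for c in name if ord(c) < 0x20 or ord(c) == 0x7f]

def safe_display(name: str) -> str:
    """Render a member name so it can be logged without passing raw
    escape sequences through to whatever displays the log."""
    return "".join(c if 0x20 <= ord(c) < 0x7f else "\\x%02x" % ord(c) for c in name)

def find_suspicious_entries(zip_bytes: bytes) -> list:
    """Walk the central directory and return (safe_name, reason) for every
    member whose name contains control characters. Returns [] for a clean
    archive. Only the directory is read; no member content is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            bad = control_chars(info.filename)
            if bad:
                codes = ", ".join("0x%02x" % ord(c) for c in bad)
                findings.append((safe_display(info.filename),
                                 "control characters in name: " + codes))
    return findings

def build_sample_archive() -> bytes:
    """Constructed test input (not a real sample): one ordinary member and
    one whose name embeds an ESC byte, the kind of name the advisory
    describes. Both members carry harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "plain text, nothing to see")
        zf.writestr("invoice\x1b[2Kpdf", "plain text, nothing to see")
    return buf.getvalue()

if __name__ == "__main__":
    # Hypothetical policy: any flagged member sends the whole archive to quarantine.
    for name, reason in find_suspicious_entries(build_sample_archive()):
        print(f"QUARANTINE {name}: {reason}")
```

Because the check reads only the central directory, it runs before any decompression and is cheap enough to apply to every inbound archive; it complements, rather than replaces, the product fixes the vendors ship.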
Exploit / POC
An exploit is not required.
Proof-of-concept examples are available from the following location:
ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/
Solution / Fix
Solution:
Symantec is currently investigating this issue. Updated versions of the decomposer engine in Symantec products should not be vulnerable to this issue. More information will be provided when further details about fixed packages are available.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
References
References:
- Sophos Homepage (Sophos)
- Trend Micro Homepage (Trend Micro)
- Unfiltered escape sequences in filenames contained in ZIP archives (Dr. Peter Bieringer)
- Anti-Virus Malformed ZIP Archives flaws [UPDATE] (Thierry Zoller)