Home page logo
/

bugtraq logo Bugtraq mailing list archives

[TZO-30-2009] Kaspersky and the silent patch that wasn't (PDF evasion, forced full disclosure)
From: Thierry Zoller <Thierry () Zoller lu>
Date: Sat, 13 Jun 2009 13:42:28 +0200

________________________________________________________________________

                    From the facepalm department
              Kaspersky and the silent fix that wasn't
                            PDF Evasion
________________________________________________________________________

Release mode: Forced disclosure
Ref         : [TZO-30-2009] - Kaspersky PDF evasion (Forced disclosure)
WWW         : http://blog.zoller.lu/2009/05/advisory-kaspersky-generic-pdf-evasion.html
Vendor      : http://www.kaspersky.com
Status      : Silent fix that doesn't work - No appropriate patch 
CVE         : none provided
Credit      : none given
OSVDB vendor entry: No [1]

Security notification reaction rating : Catastropic

Not only did the headquarter not answer, they (tried) to patch this
vulnerability silently, only to fail at it. See Timeline.

This is not the first time that Kaspersky did not answer but patched
bugs without credit, advisory or anything. This is however the last 
time I will not disclose, I am no longer part of an entity that tolerates
irresponsible non-disclosure. 

A professional reaction to a vulnerability notification is a way to measure 
the maturity of a vendor in terms of security. Kaspersky is given a grace 
period of two (2) weeks to reply to my notifications. Failure to do so will 
result in details of all the other reported bugs be released in two (2) weeks. 

Notification to patch window : x+n 
Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products (all versions) :
- Kaspersky Internet Security
- Kaspersky Anti-Virus
- Kaspersky Mobile Security
- Kaspersky Small Office Security
- Kaspersky Open Space Security
  - Kaspersky Business Space Security
  - Kaspersky Work Space Security
  - Kaspersky Enterprise Space Security
- Kaspersky Targeted Security
- Kaspersky® Anti-Virus for Microsoft ISA Server
- Kaspersky® Anti-Virus for Proxy Server
- Kaspersky® Anti-Virus for Check Point Firewall-1 
- Kaspersky® Anti-Virus for Windows Server
- Kaspersky® Anti-Virus for Windows Server Enterprise Edition
- Kaspersky® Anti-Virus for Novell NetWare
- Kaspersky® Anti-Virus for Linux File Server
- Kaspersky® Anti-Virus for Samba Server 
- Kaspersky® Security for Microsoft Exchange 2007
- Kaspersky® Security for Microsoft Exchange 2003
- Kaspersky® Anti-Virus for Lotus Notes/Domino 
- Kaspersky® Anti-Virus for Windows Workstation
- Kaspersky® Anti-Virus for Linux Workstation 
- Kaspersky® Anti-Virus for Linux Mail Server
- Kaspersky® Mail Gateway
- Kaspersky® Anti-virus for MIMEsweeper 

See notification and disclosure terms for details about this list.

I. Background
~~~~~~~~~~~~~
Quote: "We develop, produce and distribute information security solutions that 
protect our customers from IT threats and allow enterprises to manage risk. 
We provide products that protect information from viruses, hackers and spam 
for home users and enterprises and offer consulting services and technical 
support. "


II. Description
~~~~~~~~~~~~~~~
The PDF files are not parsed correctly, a PDF file starts with the magic
byte "%PDF" and ends with the magic byte "%%EOF", everything in between
those markers is parsed and interpreted. Furthermore PDF files are read from
the bottom to the top. 

Adobe Acrobat nor the FoxitReader care too much about the data that 
comes prior the magic byte, the kaspersky engine does, not only does
it care, it fails to detect the malware inside the PDF file.

I will spare you the details, a PDF file is bascialy a container that 
starts with %PDF and ends with %%EOF.

What follows are the details of this evasion, note this one is generic
and the easiest one, there are plenty more. What you read below is true
as amazing as it might seem, you can't have it more simple.

Example of a malicious PDF file [2]+[3] :

  %PDF
  Malicious content here
  %%EOF

Doing :

  Enter stuff here, like random text.
  %PDF
  Malicious content here
  %%EOF
  
This has the result that the malware is no longer being detected. 
Note: Not a single byte of the malware itself been altered, and strictly speaking
the content that represent a PDF file hasn't been changed at all.

This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.

Kaspersky was given the PoC file directly through myself and F-Secure,  they
went ahead an patched this by adding a signature for the POC file, adding 
a PE header in front of a PDF file (with a PDF extension) still evades detection
and the exploit still triggers when opening the file with Adobe. Thus the
patch is flawed by design.

III. Impact
~~~~~~~~~~~
The heuristics can be bypassed by a special formated PDF "container", this
leads to the bypass of malicious PDF files, old or new. This is not a 
bypass that relies on archive structures but relies on evading certain 
code paths in the av engine "through various means".

A general description of the impact and nature of AV Bypasses/evasions
can be read at :  http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

Note: Certain vendors confirmed this to bypass their engine at runtime.

IV. Timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
15/05/2009 : Send proof of concept, description the terms under which 
             I cooperate and the planned disclosure date.
                         
             no reply

xx/05/2009 : F-Secure sends the same sample to Karspersky                        
                         
01/06/2009 : Re-sending the proof of concept, description the terms under which 
             I cooperate and the planned disclosure date.

             no reply
                         
03/06/2009 : F-Secure informs me that the sample was submitted to Kaspersky

03/06/2009 : Informed F-secure to communicate with Kaspersky and please ask 
             them to reply to my notifications.

03/06/2009 : Kaspersky Moscow visits my blog, searches for "AVP" and "Kaspersky". 
             Obviously they received both reports. (see website for pic)

             No reply

04/06/2009 : Discovered that the POC file is now detected by the latest Kaspersky 
             update.
                         
04/06/2009 : Discovered that adding a few bytes evades the engine again. 
+5minutes    

09/06/2009 : Release of this advisory on the blog, tweet. Hoping for any reaction
             prior to sending it to bugtraq
                         
13/06/2009 : Release to Bugtraq et al.   

Note (in all fairness): Kaspersky US did acknowledge the receipt of 2 other bugs,
however they  couldn't provide any information or any reaction as Moscow simply 
didn't answer them. 
                 
[1] http://osvdb.org/vendor/1/Kaspersky%20Labs
[2] http://blog.didierstevens.com/2009/05/14/malformed-pdf-documents/
[3] http://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/


  By Date           By Thread  

Current thread:
  • [TZO-30-2009] Kaspersky and the silent patch that wasn't (PDF evasion, forced full disclosure) Thierry Zoller (Jun 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault