Home page logo
/

bugtraq logo Bugtraq mailing list archives

Evasion attacks expoliting file-parsing vulnerabilities in antivirus products
From: sumanj () gmail com
Date: Mon, 19 Mar 2012 04:22:03 GMT

Multiple file-parsing vulnerabilities leading to evasion in different antivirus(AV) products. All 
affected products are command-line versions of 
the AVs.

----------------------------
Vulnerability Descriptions
----------------------------

1. Specially crafted infected POSIX TAR files with "[aliases]" as first 9 bytes 
   evades detection.

   Affected products -
   ClamAV 0.96.4, CAT-QuickHeal 11.00
  
   CVE no - 
   CVE-2012-1419

2. Specially crafted infected POSIX TAR files with "\7fELF" as first 4 bytes 
   evades detection.

   Affected products -
   CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, 
   Fortinent 4.2.254.0, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, 
   Microsoft 1.6402, NOD32 5795, Norman 6.06.12, Panda 10.0.2.7, 
   Rising 22.83.00.03

   CVE no - 
   CVE-2012-1420

3. Specially crafted infected POSIX TAR files with "MSCF" as first 4 bytes 
   evades detection.

   Affected products -
   CAT-QuickHeal 11.00, Norman 6.06.12, Rising 22.83.00.03, 
   Symantec 20101.3.0.103

   CVE no - 
   CVE-2012-1421

4. Specially crafted infected POSIX TAR files with "ITSF" as first 4 bytes 
   evades detection.

   Affected products -
   CAT-QuickHeal 11.00, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03

   CVE no - 
   CVE-2012-1422

5. Specially crafted infected POSIX TAR files with "MZ" as first 2 bytes 
   evades detection.

   Affected products -
   Command 5.2.11.5, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, Fortinent 4.2.254.0, 
   Ikarus T3.1.1.97.0, K7AntiVirus 9.77.3565, NOD32 5795, Norman 6.06.12, 
   PCTools 7.0.3.5, Rising 22.83.00.03, VirusBuster 13.6.151.0

   CVE no - 
   CVE-2012-1423

6. Specially crafted infected POSIX TAR files with "\19\04\00\10" at offset 8
   evades detection.

   Affected products -
   Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Jiangmin 13.0.900, Norman 6.06.12, 
   PCTools 7.0.3.5, Sophos 4.61.0

   CVE no - 
   CVE-2012-1424


7. Specially crafted infected POSIX TAR files with "\50\4B\03\04" as the first
   4 bytes evades detection.

   Affected products -
   AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1,
   Fortinet 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, 
   Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, 
   NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Symantec 20101.3.0.103, 
   TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004 

   CVE no - 
   CVE-2012-1425

8. Specially crafted infected POSIX TAR files with "\42\5A\68" as the first
   3 bytes evades detection.

   Affected products -
   CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, 
   K7AntiVirus 9.77.3565, Norman 6.06.12, Rising 22.83.00.03

   CVE no - 
   CVE-2012-1426


9. Specially crafted infected POSIX TAR files with "\57\69\6E\5A\69\70" at 
   offset 29 evades detection.

   Affected products -
   CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0

   CVE no - 
   CVE-2012-1427

10. Specially crafted infected POSIX TAR files with "\4a\46\49\46" at offset 6
   evades detection.
   
   Affected products -
   CAT-QuickHeal 11.00,  Norman 6.06.12, Sophos 4.61.0

   CVE no - 
   CVE-2012-1428

11. Specially crafted infected ELF files with "ustar" at offset 257
   evades detection.

   Affected products -
   BitDefender 7.2, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, 
   F-Secure 9.0.16160.0, Ikarus T3.1.1.97.0, McAfee 5.400.0.1158, 
   McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01 

   CVE no - 
   CVE-2012-1429
12. Specially crafted infected ELF files with "\19\04\00\10" at offset 8 evades
   detection.

   Affected products -
   BitDefender 7.2, Comodo 7424, eSafe 7.0.17.0, F-Secure 9.0.16160.0, 
   McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, 
   Sophos 4.61.0, Rising 22.83.00.03

   CVE no - 
   CVE-2012-1430
13. Specially crafted infected ELF files with "\4a\46\49\46" at offset 6 evades
   detection.

   Affected products -
   BitDefender 7.2, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, 
   F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee-GW-Edition 2010.1C, 
   nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03

   CVE no - 
   CVE-2012-1431

14. Specially crafted infected MS EXE files with "\57\69\6E\5A\69\70" at offset
   29 evades detection.

   Affected products -
   Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7

   CVE no - 
   CVE-2012-1432

15. Specially crafted infected MS EXE files with "\4a\46\49\46" at offset
   6 evades detection.

   Affected products -
   AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, 
   Ikarus T3.1.1.97.0, Panda 10.0.2.7

   CVE no - 
   CVE-2012-1433

16. Specially crafted infected MS EXE files with "\19\04\00\10" at offset
   8 evades detection.

   Affected products -
   AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, 
   Panda 10.0.2.7
   
   CVE no - 
   CVE-2012-1434

17. Specially crafted infected MS EXE files with "\50\4B\4C\49\54\45" at 
   offset 30 evades detection.
   
   Affected products - 
   AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, 
   Ikarus T3.1.1.97.0, Panda 10.0.2.7

   CVE no - 
   CVE-2012-1435

18. Specially crafted infected MS EXE files with "\2D\6C\68" at 
   offset 2 evades detection.
 
   Affected products - 
   AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, 
   Ikarus T3.1.1.97.0, Panda 10.0.2.7

   CVE no - 
   CVE-2012-1436

19. Specially crafted infected MS Office files with "\50\4B\53\70\58" at 
   offset 526 evades detection.
   
   Affected products - 
   Comodo 7425
   
   CVE no - 
   CVE-2012-1437

20. Specially crafted infected MS Office files with "ustar" at 
   offset 257 evades detection.

   Affected products - 
   Comodo 7425, Sophos 4.61.0 

   CVE no - 
   CVE-2012-1438

21. 'padding' field in ELF files is parsed incorrectly. 
    If an infected ELF file's padding field is incremented by 1 it evades
    detection.    

   Affected products - 
   eSafe 7.0.17.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7

   CVE no - 
   CVE-2012-1439

22. 'identsize' field in ELF files is parsed incorrectly. 
    If an infected ELF file's identsize field is incremented by 1 it evades
    detection.    

   Affected products - 
   Norman 6.06.12, eSafe 7.0.17.0, eTrust-Vet 36.1.8511, Fortinet 4.2.254.0, 
   Panda 10.0.2.7

   CVE no - 
   CVE-2012-1440

23. 'e_ip' and 'e_res' field in MS EXE files are parsed incorrectly.  
    If any of these fields in an infected MS EXE file is incremented by 1 
    it evades detection.    

   Affected products - 
   Prevx 3.0

   'e_minalloc', 'e_res2','e_cparhdr', 'e_crlc', 'e_lfarlc','e_maxalloc',
    'e_oeminfo', 'e_ovno', 'e_cs', 'e_csum','e_sp', 'e_ss', 'e_cblp' and 
    'e_oemid' fields in MS EXE files are parsed incorrectly.  
    If any of these fields in an infected MS EXE file is incremented by 1 
    it evades detection.    

   Affected products - 
   eSafe 7.0.017.0, Prevx 3.0


   CVE no - 
   CVE-2012-1441

24. 'class' field in ELF files is parsed incorrectly.  
    If an infected ELF file's class field is incremented by 1 it evades
    detection.

   Affected products - 
   CAT-QuickHeal 11.00, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, 
   eSafe 7.0.017.0, Kaspersky 7.0.0.125, F-Secure 9.0.16160.0, 
   Sophos 4.61.0, Antiy-AVL 2.0.3.7, Rising 22.83.00.03, Fortinet 4.2.254.0, 
   Panda 10.0.2.7

   CVE no - 
   CVE-2012-1442

25. Infected RAR files with initial two bytes set to 'MZ' can be fixed by the 
    user and correctly extracted. Such a file evades detection.  
    
   Affected products -
   ClamAV 0.96.4, Rising 22.83.00.03, CAT-QuickHeal 11.00, GData 21, 
   Symantec 20101.3.0.103, Command 5.2.11.5, Ikarus T3.1.1.97.0, 
   Emsisoft 5.1.0.1, PCTools 7.0.3.5, F-Prot 4.6.2.117, 
   VirusBuster 13.6.151.0, Fortinent 4.2.254.0, Antiy-AVL 2.0.3.7, 
   K7AntiVirus 9.77.3565, TrendMicro-HouseCall 9.120.0.1004,Kaspersky 7.0.0.125 
   Jiangmin 13.0.900. Microsoft 1.6402, Sophos 4.61.0, NOD32 5795, AntiVir 7.11.1.163, 
   Norman 6.06.12, McAfee 5.400.0.1158, Panda 10.0.2.7, McAfee-GW-Edition 2010.1C, 
   TrendMicro 9.120.0.1004, Comodo 7424, BitDefender 7.2, eSafe 7.0.17.0, F-Secure 9.0.16160.0
   nProtect 2011-01-17.01, AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, Avast 4.8.1351.0, 
   Avast5 5.0.677.0, VBA32 3.12.14.2   

   CVE no - 
   CVE-2012-1443

26. 'abiversion' field in ELF files is parsed incorrectly.  
    If an infected ELF file's abiversion field is incremented by 1 it evades
    detection.

   Affected products - 
   eSafe 7.0.017.0, Prevx 3.0, Fortinet 4.2.254.0, Panda 10.0.2.7

   CVE no - 
   CVE-2012-1444

27. 'abi' field in ELF files is parsed incorrectly.  
    If an infected ELF file's abi field is incremented by 1 it evades
    detection.

   Affected products - 
   eSafe 7.0.017.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7

   CVE no - 
   CVE-2012-1445

28. 'encoding' field in ELF files is parsed incorrectly.  
    If an infected ELF file's encoding field is incremented by 1 it evades
    detection.

   Affected products - 
   CAT-QuickHeal 11.00, McAfee 5.400.0.1158, Symantec 20101.3.0.103, 
   Norman 6.06.12, eSafe 7.0.017.0, Kaspersky 7.0.0.125, 
   McAfee-GW-Edition 2010.1C, Sophos 4.61.0, eTrust-Vet 36.1.8511, 
   Antiy-AVL 2.0.3.7, PCTools 7.0.3.5, Rising 22.83.00.03, Fortinet 4.2.254.0,
   Panda 10.0.2.7

   CVE no - 
   CVE-2012-1446

29. 'e_version' field in ELF files is parsed incorrectly.  
    If an infected ELF file's e_version field is incremented by 1 it evades
    detection.

   Affected products -
    Fortinet 4.2.254.0, eSafe 7.0.017.0, DrWeb 5.0.2.03300, Panda 10.0.2.7

   CVE no - 
   CVE-2012-1447

30. 'cbCabinet' field in CAB files is parsed incorrectly.  
    If an infected CAB file's cbCabinet field is incremented by 1 it evades
    detection.

   Affected products -
   CAT-QuickHeal 11.00, TrendMicro 9.120.0.1004, Ikarus T3.1.1.97.0
   TrendMicro-HouseCall 9.120.0.1004, Emsisoft 5.1.0.1 

   CVE no - 
   CVE-2012-1448

31. 'vMajor' field in CAB files is parsed incorrectly.  
    If an infected CAB file's vMajor field is incremented by 1 it evades
    detection.

   Affected products -
   NOD32 5795, Rising 22.83.00.03
   
   CVE no - 
   CVE-2012-1449

32. 'reserved3' field in CAB files is parsed incorrectly.  
    If an infected CAB file's reserved field is incremented by 1 it evades
    detection.

   Affected products -
   Emsisoft 5.1.0.1, Sophos 4.61.0, Ikarus T3.1.1.97.0
   
   CVE no - 
   CVE-2012-1450

33. 'reserved2' field in CAB files is parsed incorrectly.  
    If an infected CAB file's reserved2 field is incremented by 1 it evades
    detection.

   Affected products -
   Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0
   
   CVE no - 
   CVE-2012-1451

34. 'reserved1' field in CAB files is parsed incorrectly.  
    If an infected CAB file's reserved field is incremented by 1 it evades
    detection.

   Affected products -
   Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, CAT-QuickHeal 11.00
   
   CVE no - 
   CVE-2012-1452

35. 'coffFiles' field in CAB files is parsed incorrectly.  
    If an infected CAB file's coffFiles field is incremented by 1 it evades
    detection.

   Affected products -
   McAfee 5.0.2.03300, TrendMicro-HouseCall 9.120.0.1004, Kaspersky 7.0.0.125, 
   Sophos 4.61.0, TrendMicro 9.120.0.1004, McAfee-GW-Edition 2010.1C,
   Emsisoft 5.1.0.1, eTrust-Vet 36.1.8511, Antiy-AVL 2.0.3.7, Microsoft 1.6402,
   Rising 22.83.00.03, Ikarus T3.1.1.97.0, Fortinet 4.2.254.0, Panda 10.0.2.7

   CVE no - 
   CVE-2012-1453

36. 'ei_version' field in ELF files is parsed incorrectly.  
    If an infected ELF file's version field is incremented by 1 it evades
    detection.

   Affected products -
   McAfee 5.0.02.03300, eSafe 7.0.17.0, McAfee-GW-Edition 2010.1C, 
   Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7

   CVE no - 
   CVE-2012-1454

37. 'vMinor' field in CAB files is parsed incorrectly.  
    If an infected CAB file's version field is incremented by 1 it evades
    detection.

   Affected products -
   NOD32 5795, Rising 22.83.00.03
 
   CVE no - 
   CVE-2012-1455

38. A specially crafted ZIP file, created by concatenating the contents 
   of a clean TAR archive and a virus-infected ZIP archive, is parsed 
   incorrectly and evades detection.

   Affected products -
   AVG 10.0.0.1190, CAT-QuickHeal 11.00, Comodo 7424, Emsisoft 5.1.0.1,
   eSafe 7.0.17.0, F-Prot 4.6.2.117,Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, 
   Jiangmin 13.0.900, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, 
   McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Panda 10.0.2.7, 
   Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, 
   TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004

   CVE no - 
   CVE-2012-1456

39. If the length field in the header of a file with test EICAR virus
   included into a TAR archive is set to be greater than the archive's total 
   length (1,000,000+original length in our experiments), the antivirus 
   declares the file to be clean but virus gets extracted correctly by the 
   GNU tar program.

   Affected products -
   AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, 
   AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, 
   Command 5.2.11.5, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117, 
   GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, 
   Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, 
   Microsoft 1.6402, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, 
   Rising 22.83.00.03, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, 
   TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 

   CVE no - 
   CVE-2012-1457

40. A Windows Compiled HTML Help (CHM) file is a set of HTML files,
   scripts, and images compressed using the LZX algorithm.
   For faster random accesses, the algorithm is reset at intervals
   instead of compressing the entire file as a single stream. The
   length of each interval is specified in the LZXC header.

   If an infected CHM file's header modified so that the reset interval
   is lower than in the original file, the antivirus declares the file
   to be clean. But the Windows CHM viewer hh.exe correctly decompresses
   the infected content located before the tampered header.

   Affected products -
   ClamAV 0.96.4, Sophos 4.61.0 

   CVE no - 
   CVE-2012-1458

41. In a POSIX TAR archive, each member file has a 512-byte header protected
   by a simple checksum. Every header also contains a file length field, which
   is used by the extractor to locate the next header in the archive.

   If a TAR archive contains two files: the first one is clean, while
   the second is infected with test EICAR virus - and it is modified such that 
   the length field in the header of the first, clean file to point into the 
   middle of the header of the second, infected file. The antivirus declares 
   the file to be clean but virus gets extracted correctly by the 
   GNU tar program.

   Affected products -
   AhnLab-V3 2011.01.18.00, AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, 
   Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, 
   CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Comodo 7424, 
   Emsisoft 5.1.0.1, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, 
   Fortinent 4.2.254.0, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, 
   K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, 
   McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, 
   Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7, 
   PCTools 7.0.3.5, Rising 22.83.00.03, Sophos 4.61.0, 
   Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, 
   TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, 
   VirusBuster 13.6.151.0 

   CVE no - 
   CVE-2012-1459

42. If an infected tar.gz archive is appended 6 random bytes at the end, 
    the antivirus declares the file to be clean but virus gets extracted by
    the gunzip+tar programs correctly by ignoring these bytes.

   Affected products -
   Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Command 5.2.11.5, 
   eSafe 7.0.17.0, F-Prot 4.6.2.117, Jiangmin 13.0.900, 
   K7AntiVirus 9.77.3565, VBA32 3.12.14.2 
   
   CVE no - 
   CVE-2012-1460

43. GZIP files can contain multiple compressed streams, which are assembled
    when the contents are extracted. If an infected .tar.gz file is broken 
    into two streams, the antivirus declares the infected .tar.gz file to 
    be clean while tar+gunzip extract the virus correctly

   Affected products -
   AVG 10.0.0.1190, BitDefender 7.2, Command 5.2.11.5, Emsisoft 5.1.0.1, 
   F-Secure 9.0.16160.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, 
   Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, 
   McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, 
   Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, 
   TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2 

   CVE no - 
   CVE-2012-1461

44. If an infected ZIP archive is prepended with 1024 random bytes at the 
   beginning, the antivirus declares the file to be clean but virus gets extracted
   by the unzip program correctly by skipping these bytes

   Affected products -
   AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, CAT-QuickHeal 11.00, 
   Emsisoft 5.1.0.1, eSafe 7.0.17.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, 
   Jiangmin 13.0.900, Kaspersky 7.0.0.125, Norman 6.06.12, Sophos 4.61.0, 
   Symantec 20101.3.0.103 

   CVE no - 
   CVE-2012-1462

45. In most ELF files, the 5th byte of the header indicates endianness: 01
   for little-endian, 02 for bigendian. Linux kernel, however, does not
   check this field before loading an ELF file. If an infected ELF file's 5-th 
   byte is set to 02, the antivirus declares the file to be clean but the ELF 
   file gets executed correctly.

   Affected products -
   AhnLab-V3 2011.01.18.00, BitDefender 7.2, CAT-QuickHeal 11.00, Command 5.2.11.5, 
   Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, 
   McAfee 5.400.0.1158, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7 

   CVE no - 
   CVE-2012-1463

--------
Credits
--------
Vulnerabilities found and advisory written by Suman Jana and Vitaly Shmatikov.

-----------
References
-----------
"Abusing File Processing in Malware Detectors for Fun and Profit" by Suman Jana and Vitaly Shmatikov
To appear in IEEE Symposium on Security and Privacy 2012
http://www.ieee-security.org/TC/SP2012/ 


  By Date           By Thread  

Current thread:
  • Evasion attacks expoliting file-parsing vulnerabilities in antivirus products sumanj (Mar 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault