Home page logo

fulldisclosure logo Full Disclosure mailing list archives

[G-SEC 49-2009] McAfee generic PDF detection bypass
From: Thierry Zoller <Thierry () Zoller lu>
Date: Tue, 27 Oct 2009 23:26:40 +0100


          McAfee multiple products - Generic PDF detection bypass

Cheap plug :
If you are interested in client side vulnerabilities visit HACK.LU 
starting tomorrow 28-30 Oct with :

* Bypassing the Perimeter: Client Side Exploitation - Nitesh Dhanjani, 
                                                      Billy K Rios
Talks :
* New advances in Office Malware analysis - Frank Boldewin
* PDF Penetration Document Format - Didier Stevens
* Ownage 2.0 - Saumil Shah (who else)
* Malicious PDF origamis strike back - Guillaume Delugré
                                       Frederic Raynal

Release mode  : Coordinated
Reference     : [GSEC-05-2009] - MCafee generic PDF bypass
WWW           : http://www.g-sec.lu/mcafee-pdf-bypass.html
Vendor        : http://www.mcafee.com
Status        : Patched
CVE           : none attributed yet
Credit        : https://kc.mcafee.com/corporate/index?page=content&id=SB10003
               (We disagree with the CVSS rating )
Discovered by : Thierry Zoller (G-SEC)

Affected products : 
All McAfee software that uses DATs including:
- McAfee GroupShield
- McAfee LinuxShield
- McAfee NetShield for NetWare
- McAfee PortalShield
- McAfee Total Protection Service (SaaS)
- McAfee Virex
- McAfee Total Protection™ 2009
- McAfee Internet Security
- McAfee VirusScan USB
- McAfee VirusScan Enterprise
- McAfee VirusScan Enterprise Linux
- McAfee VirusScan Enterprise for SAP
- McAfee VirusScan Enterprise for Storage
- McAfee VirusScan Commandline
- Mcafee SecurityShield for Microsoft ISA Server
- Mcafee Security for Microsoft Sharepoint
- Mcafee Security for Email Servers
- McAfee Email Gateyway
- McAfee Total Protection for Endpoint
- McAfee Active Virus Defense
- McAfee Active VirusScan

Patch availability :
Patches dsitributed through automatic updates

I. Background
Quote: "McAfee proactively secures systems and networks from known 
and as yet undiscovered threats worldwide. Home users, businesses, 
service providers, government agencies, and our partners all trust 
our unmatched security expertise and have confidence in our 
comprehensive and proven solutions to effectively block attacks
and prevent disruptions."

II. Description
Improper parsing of the PDF structure leads to evasion of detection of 
malicious PDF documents at scantime and runtime.
This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.

General information about evasion/bypasses can be found at :

III. Impact
Known PDF exploits/malware may evade signature detection, 0day exploits
may evade heuristics.

IV. Disclosure timeline
01.06.2009 - Reported 
20.10.2009 - McAfee informed us that they published the advisory on their website
< waiting for others vendors to patch >
27.10.2009 - G-SEC releases this advisory

About G-SEC
G-SEC™  is  a  vendor independent luxemburgish led IT security consulting
group. More information available at : http://www.g-sec.lu/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • [G-SEC 49-2009] McAfee generic PDF detection bypass Thierry Zoller (Oct 27)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]