FW: [Full-disclosure] [TZO-05-2009] Clamav 0.94 and below - Evasion/bypass

Randal, Phil prandal at herefordshire.gov.uk
Thu Apr 2 16:15:40 IST 2009 

Now's the time to update your clamav installations, folks (but please
see the thread about libclamavunrar_iface.so.6 first).

Cheers,

Phil
--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal at herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of
the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely
for the use of the addressee. This communication may contain material
protected by law from being passed on. If you are not the intended
recipient and have received this e-mail in error, you are advised that
any use, dissemination, forwarding, printing or copying of this e-mail
is strictly prohibited. If you have received this e-mail in error please
contact the sender immediately and destroy all copies of it.

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk
[mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Thierry
Zoller
Sent: 02 April 2009 15:28
To: NTBUGTRAQ; bugtraq; full-disclosure; info at circl.etat.lu;
vuln at secunia.com; cert at cert.org; nvd at nist.gov; cve at mitre.org
Subject: [Full-disclosure] [TZO-05-2009] Clamav 0.94 and below -
Evasion/bypass

______________________________________________________________________

  From the low-hanging-fruit-department - Generic ClamAV evasion
______________________________________________________________________

Release mode: Coordinated but limited disclosure.
Ref         : TZO-062009- ClamAV Evasion
WWW         :
http://blog.zoller.lu/2009/04/clamav-094-and-below-evasion-and-bypass.ht
ml
Vendor      : http://www.clamav.net &
              http://www.sourcefire.com/products/clamav
Security notification reaction rating : Good.
Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- ClamAV below 0.95
  Includes MACOSX server,IBM Secure E-mail Express Solution for System
  and a lots of mail appliances.
  http://www.clamav.net/about/who-use-clamav/

About this advisory
-------------------
I used to not report bugs publicly where a a vendor - has not reacted to
my notifications - silently patched. I also did not publish low hanging
fruits as they make you look silly in the eyes of your peers.

Over the past years I had the chance to audit and test a lot of critical
infrastructures that, amongst other things relied on security products
(and on security notifications from vendors) and have witnessed various
ways of setting up your defenses that make some bugs critical that you'd
consider low at first glance, I came to the conclusion that most bugs
deserve disclosure. 

Please see "Common misconceptions" for more information.

I. Background
~~~~~~~~~~~~~
Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX,
designed especially for e-mail scanning on mail gateways. It provides a
number of utilities including a flexible and scalable multi-threaded
daemon, a command line scanner and advanced tool for automatic database
updates. The core of the package is an anti-virus engine available in a
form of shared library. 

II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by manipulating RAR archive in a
"certain way" that the Clamav engine cannot extract the content but the
end user is able to. Details are currently witheld (thanks to IBM).

III. Impact
~~~~~~~~~~~
The bug results in denying the engine the possibility to inspect code
within the RAR archive. While the impact might be low client- side (as
code is inspected upon extraction by the user) the impact for gateways
or AV infrastructure where the archive is not extracted is considerable.
There is no inspection of the content at all, prior disclosure therefore
referred to this class of bugs as Denial of service (you deny the
service of the scan engine for that file) however I choose to stick the
terms of evasion/bypass, being the primary impact of these types of
bugs.

PS. I am aware that there are hundreds of ways to bypass, that however
doesn't make it less of a problem. I am waiting for the day where the
first worm uses these techniques to stay undetected over a longer period
of time, as depending on the evasion a kernel update (engine
update) is necessary and sig updates do not suffice. Resulting in longer
window of exposure - at least for GW solutions. *Must make confiker
reference here*


IV. Common misconceptions about this "bug class"
--------------------------------------------------
- This has the same effect as adding a password to a ZIP file

The scanner denotes files that are passworded, an example is an E-mail
GW scanner that adds "Attachment not scanned" to the subject line or
otherwise indicates that the file was not scanned. This is not the case
with bypasses, in most cases the engine has not inspected the content at
all or has inspected it in a different way.
Additionally passworded archive files are easily filterable by a content
policy, allowing or denying them.

- This is only an issue with gateway products

Every environment where the archive is not actively extracted by the
end-user is affected. For example, fileservers, databases etc. pp. Over
the years I saw the strangest environments that were affected by this
type of "bug". My position is that customers deserve better security
than this.

- Behavioral analysis will catch this ?
No, the content is unreadable to the AV engine as such no inspection
whatsoever is possible.

- Evasions are the Cross Site scripting of File formats bugs Yes.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~

IBM was sent two POC files, an explanation and the disclosure terms
(http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html)

09/03/2009 : Send proof of concept, description the terms under which 
             I cooperate and the planned disclosure date (23/03/2009)
                         
13/03/2009 : Clamav responds that the bug is reproducible and will be
             fixed in 0.95 to be released the 23/03/2009
             
             (IBM take note, it's that easy.)

23/05/2009 : Asked clamav if the release was made and if credit was 
             given

23/05/2009 : Clamav responds that the release was made, and that the
             credit was given in the changelog. (Tzo note: A post will 
             be probably be made at
http://www.clamav.net/category/security/
                                 
02/01/2009 : Release of this limited detail advisory

Final comments :
I would like to thank Tomasz Kojm (clamav) for the professional reaction
and AV-Test GMBH for their support.





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

More information about the MailScanner mailing list