CVE-2005-3499
CVSS 7.5
Published: 2005-11-03 19:02:00
Revised: 2009-04-08 00:37:23

[Original] Frisk F-Prot Antivirus allows remote attackers to bypass protection via a ZIP file with a version header greater than 15, which prevents F-Prot from decompressing and analyzing the file.


[CNNVD] F-Prot Antivirus ZIP File Version Scan Bypass Vulnerability (CNNVD-200511-110)

F-Prot Antivirus is an anti-virus product.
Frisk F-Prot Antivirus allows remote attackers to bypass protection by using a ZIP file with a version header greater than 15, which prevents F-Prot from decompressing and analyzing the file.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: NETWORK [the attacker does not need intranet or local access]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:frisk_software:f-prot_antivirus:::exchange
cpe:/a:frisk_software:f-prot_antivirus:::linux
cpe:/a:frisk_software:f-prot_antivirus:3.16c
cpe:/a:frisk_software:f-prot_antivirus:3.12d::bsd
cpe:/a:frisk_software:f-prot_antivirus:4.4.2::bsd
cpe:/a:frisk_software:f-prot_antivirus:::solaris
cpe:/a:frisk_software:f-prot_antivirus:::bsd
cpe:/a:frisk_software:f-prot_antivirus:3.12b::linux
cpe:/a:frisk_software:f-prot_antivirus:::win
cpe:/a:frisk_software:f-prot_antivirus:3.12d::linux
cpe:/a:frisk_software:f-prot_antivirus:4.4.2::linux

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3499
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3499
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-110
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/22967
(UNKNOWN)  XF  fprotantivirus-zip-bypass-protection(22967)
http://www.zoller.lu/research/fprot.htm
(UNKNOWN)  MISC  http://www.zoller.lu/research/fprot.htm
http://www.securityfocus.com/bid/15293
(UNKNOWN)  BID  15293
http://www.securityfocus.com/archive/1/archive/1/502370/100/0/threaded
(UNKNOWN)  BUGTRAQ  20090402 [TZO-07-2009] F-PROT ZIP Method evasion
http://www.securityfocus.com/archive/1/archive/1/415637/30/0/threaded
(UNKNOWN)  BUGTRAQ  20051103 [ TZO-012005 ] F-Prot/Frisk Anti Virus bypass - ZIP Version Header
http://www.osvdb.org/20865
(UNKNOWN)  OSVDB  20865
http://thierry.sniff-em.com/research/fprot.html
(UNKNOWN)  MISC  http://thierry.sniff-em.com/research/fprot.html
http://securitytracker.com/id?1015148
(UNKNOWN)  SECTRACK  1015148
http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0073.html
(UNKNOWN)  FULLDISC  20051102 [ TZO-012005 ] F-Prot/Frisk Anti Virus bypass - ZIP Version Header

- Vulnerability information

F-Prot Antivirus ZIP File Version Scan Bypass Vulnerability
High risk  Design error
2005-11-03 00:00:00 2009-04-08 00:00:00
Remote
F-Prot Antivirus is an anti-virus product.
Frisk F-Prot Antivirus allows remote attackers to bypass protection by using a ZIP file with a version header greater than 15, which prevents F-Prot from decompressing and analyzing the file.

- Advisories and patches

No data available

- Vulnerability information (F76303)

F-PROT ZIP Method Evasion (PacketStormID:F76303)
2009-04-02 00:00:00
Thierry Zoller
advisory
CVE-2005-3499

The parsing engine in F-PROT can be bypassed by manipulating the ZIP method field. It is as easy as opening a ZIP file in an editor and typing a number greater than 15 on your keyboard. This is a four-year-old vulnerability that they still have not patched.

______________________________________________________________________

  From the low-hanging-fruit-department - F-PROT ZIP method evasion 
______________________________________________________________________

Release mode: Coordinated.
Ref         : TZO-07-2009 Fprot ZIP Method Evasion
WWW         : http://blog.zoller.lu/
Vendor      : http://www.f-prot.com
Security notification reaction rating : Mediocre-Poor
Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

This bug was reported 4 years ago [1] to FRISK; the response at that
time was that "a fix for this bug will be included in future 
versions of F-Prot Antivirus". Fast forward 4 years and the same error 
still allows bypassing the engine.

[1] CVE-2005-3499 
http://www.zoller.lu/research/fprot.htm
http://web.nvd.nist.gov/view/vuln/detail?execution=e3s1

Considering this and the reaction from FRISK I am unsure as to how 
serious FRISK is about the security of their clients.

Affected products : 
- All Fprot versions currently used, vendor supplies no patch for 
  current release. The vendor (Frisk) considers this problem to be 
  too low priority to patch in current release and notify clients. 
  To put this in perspective, rendering the Fprot scanning on GW 
  solutions completely useless (for certain archive types)
  is low priority for Frisk. 
  
  If you are a Frisk customer and concerned about security I would
  recommend calling support and asking for a patch. NB, if you are using
  FPROT locally and with ON access scans you are not affected.
  
Products (with impact details) :
- F-PROT AVES (High: complete bypass of engine)
- F-PROT Antivirus for Windows (unknown)
- F-PROT Antivirus for Windows on Mail Servers : (High: complete 
bypass of engine) 
- F-PROT Antivirus for Exchange (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 Mail Servers : (High: complete bypass
  of engine)
- F-PROT Antivirus for Linux x86 File Servers : (High: complete bypass
  of engine)
- F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers
(High: complete bypass of engine)
- F-PROT Milter - for example sendmail (High: complete bypass of engine)
- F-PROT Antivirus for Linux on IBM zSeries (S/390) (High: complete 
  bypass of engine)
- F-Prot Antivirus for Linux x86 Workstations (unknown)

About this advisory
-------------------
I used to not report bugs publicly where a vendor - has not reacted 
to my notifications - silently patched. I also did not publish
low-hanging fruits as they make you look silly in the eyes of your
peers.

Over the past years I have had the chance to audit and test a lot of 
critical infrastructures that (also) relied on products (and on security 
notifications from vendors), and I have witnessed various ways of setting 
up your defenses that make some bugs critical that you'd consider low. 
I came to the conclusion that most bugs deserve disclosure. 

Please see "Common misconceptions" for more information.

I. Background
~~~~~~~~~~~~~
FRISK Software International, established in 1993, is one of the 
world's leading companies in antivirus research and product 
development.
FRISK Software produces the hugely popular F-Prot Antivirus products 
range offering unrivalled heuristic detection capabilities. 
In addition to this, the F-Prot AVES managed online email security 
service filters away the nuisance of spam email as well as viruses, 
worms and other malware that increasingly clog up inboxes and 
threaten data security. 

II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by manipulating the ZIP Method field. 
It is as easy as opening a ZIP file in an editor and typing a number 
greater than 15 on your keyboard. Basically Fprot looks at the Method 
field that indicates what method was used to compress the archive 
and decides that it will not extract and inspect the data within.

III. Impact
~~~~~~~~~~~
The bug results in denying the engine the possibility to inspect
code within the ZIP archive. While the impact might be low client-
side (as code is inspected upon extraction by the user), the impact
for gateways or AV infrastructure where the archive is not extracted 
is considerable. There is no inspection of the content at all; prior 
disclosures therefore referred to this class of bugs as denial of service 
(you deny the service of the scan engine for that file), however I 
chose to stick to the terms evasion/bypass, being the primary impact 
of these types of bugs.

PS. I am aware that there are hundreds of ways to bypass; that however
doesn't make it less of a problem. I am waiting for the day when the 
first worm uses these techniques to stay undetected over a longer 
period of time, as depending on the evasion a kernel update (engine 
update) is necessary and signature updates do not suffice, resulting in 
a longer window of exposure - at least for GW solutions. *Must make 
Conficker reference here*


IV. Common misconceptions about this "bug class"
--------------------------------------------------
- This has the same effect as adding a password to a archive file

The scanner explicitly denotes files that are passworded; an example 
is a gateway scanner that adds "Attachment not scanned" to the 
subject line or otherwise indicates that the file was not scanned. 
This is not the case with bypasses: in most cases the engine has not 
inspected the content at all or has inspected it in a different way.
Additionally, passworded archive files are easily filterable by a content
policy, allowing or denying them.

- This is only an issue with gateway products

Every environment where the archive is not actively extracted by 
the end-user is affected. For example, fileservers, databases
etc. pp. Over the years I saw the strangest environments that 
were affected by this type of "bug". My position is that customers
deserve better security than this.

- If this is exploited by a worm it will be fixed within minutes.
Some bypasses require modifications in the AV "kernel" and cannot be
fixed with a signature update. As such it would not only take longer
but, for those customers that do not push binary updates immediately 
(or not at all), increase the window of exposure consistently.

- Behavioral analysis will catch this ?
No, the content is unreadable to the AV engine as such no inspection
whatsoever is possible.

- Evasions are the Cross Site scripting of File formats bugs
Yes.


V. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~

23/03/2009 : Sent proof of concept, described the terms under which 
             I cooperate and the planned disclosure date (02/04/2009)
                         
26/03/2009 : Technical Support responds 
             "The fix for this was minor, with virtually no potential 
             for side effects - so it was added to the current 
             development branch for engine version 4.5 - being 
             low-priority, it will not be added to the 4.4 branch.

             In other words, the fix will be included in the next 
             engine released."

26/03/2009 : Replied, that
             - the bug is 4 years old
             - risk assessment is to be done by the client using 
             the engine one way or the other
             - asked for location of advisory or credit
             
             No reply.
             
27/03/2009 : Resent.         
             
             No reply.             
            
No further coordination attempts will be done with FRISK should they not 
revisit their position on security notification and response practices.
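The Description and Impact sections above make one defensive point: an archive whose member headers the engine cannot honour must be treated as unscanned, not as clean. The following check, added here as an illustration and not code from the advisory or from FRISK, walks the ZIP local-file and central-directory headers and reports members with an unknown compression method or an out-of-range "version needed to extract" value so a gateway can quarantine them; KNOWN_METHODS and MAX_VERSION_NEEDED are my own policy thresholds, and make_samples builds constructed test input.

```python
"""Flag ZIP members a gateway scanner may skip instead of inspecting."""
import io
import struct
import zipfile

# Compression methods from PKWARE APPNOTE.TXT that mainstream engines unpack (policy assumption).
KNOWN_METHODS = {0, 1, 6, 8, 9, 12, 14, 93, 94, 95, 96, 97, 98, 99}
MAX_VERSION_NEEDED = 63  # "version needed to extract" is major*10+minor; 6.3 is the current spec
LOCAL_SIG, CENTRAL_SIG = b"PK\x03\x04", b"PK\x01\x02"

def iter_headers(data):
    """Yield (kind, offset, version_needed, method, name) per header, walking the file by signature."""
    pos, n = 0, len(data)
    while pos + 4 <= n:
        sig = data[pos:pos + 4]
        if sig == LOCAL_SIG and pos + 30 <= n:
            ver, _f, method, _t, _d, _crc, csize, _u, nlen, xlen = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
            yield "local", pos, ver, method, data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
            pos += 30 + nlen + xlen + csize  # step over the member's compressed data
        elif sig == CENTRAL_SIG and pos + 46 <= n:
            _m, ver, _f, method, _t, _d, _crc, _c, _u, nlen, xlen, clen = struct.unpack_from("<HHHHHHIIIHHH", data, pos + 4)
            yield "central", pos, ver, method, data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
            pos += 46 + nlen + xlen + clen
        else:
            pos += 1

def suspicious_members(data):
    """Return (kind, name, reason) for headers no known engine could honour.
    A gateway should quarantine such archives rather than pass them as clean."""
    findings = []
    for kind, _off, ver, method, name in iter_headers(data):
        if method not in KNOWN_METHODS:
            findings.append((kind, name, f"unknown compression method {method}"))
        if ver > MAX_VERSION_NEEDED:
            findings.append((kind, name, f"version needed {ver} exceeds {MAX_VERSION_NEEDED}"))
    return findings

def make_samples():
    """Constructed test input (not from the advisory): a normal archive and a copy
    whose 2-byte method field was overwritten in both headers, the edit the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", b"quarterly numbers " * 40)
    clean = buf.getvalue()
    tampered = bytearray(clean)
    for kind, off, *_ in iter_headers(clean):
        # the method field sits at +8 in a local header and at +10 in a central-directory header
        struct.pack_into("<H", tampered, off + (8 if kind == "local" else 10), 0x7FFF)
    return clean, bytes(tampered)
```

The thresholds are policy, not protocol: what matters is that any member the engine declines to decompress is reported as "not scanned" rather than silently passed, which is the behaviour the advisory faults in the gateway products.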



    

- Vulnerability information

20865
Frisk F-PROT Anti-Virus Crafted ZIP Version Header Scanning Bypass
Remote / Network Access Infrastructure
Loss of Integrity

- Vulnerability description

Frisk Software F-PROT Antivirus on numerous platforms contains a flaw that may allow a malicious user to bypass virus filter restrictions. The issue is triggered when a version value of more than 15 is encoded in the header of a ZIP, in which case the filter engine fails to uncompress the ZIP file. It is possible that the flaw may allow an attacker to circumvent virus filter restrictions, resulting in a loss of integrity.

- Timeline

2005-11-03 2005-10-30
Unknown Unknown

- Solution

Upgrade to the latest version of the software, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Vulnerability information

F-Prot Antivirus ZIP Attachment Version Scan Evasion Vulnerability
Design Error 15293
Yes No
2005-11-03 12:00:00 2009-04-02 07:26:00
Thierry Zoller <Thierry@sniff-em.com> is credited with the discovery of this vulnerability.

- Affected program versions

Sybari Antigen for Exchange 7.5.1314
Softwin BitDefender 7.0
McAfee VirusScan 4.5.1
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95 SR2
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
McAfee VirusScan 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
McAfee VirusScan 4.0.3
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
McAfee VirusScan 4.0
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
H+BEDV AntiVir Windows Workstation 6.30 .0.5
Frisk Software F-Prot Antivirus for Windows
Frisk Software F-Prot Antivirus for Solaris
Frisk Software F-Prot Antivirus for Linux Workstation 4.6.8
Frisk Software F-Prot Antivirus for Linux and BSD 4.4.2
Frisk Software F-Prot Antivirus for Linux and BSD 3.12 d
Frisk Software F-Prot Antivirus for Linux and BSD 3.12 b
Frisk Software F-Prot Antivirus for Linux
Frisk Software F-Prot Antivirus for Exchange
Frisk Software F-Prot Antivirus for BSD
Frisk Software F-Prot Antivirus Engine 4.4.4
Frisk Software F-Prot Antivirus Engine 0
Frisk Software F-Prot Antivirus 6.2.1 .4252
Frisk Software F-Prot Antivirus 6.0.9 .0
Frisk Software F-Prot Antivirus 4.6.7
Frisk Software F-Prot Antivirus 4.6.6
Frisk Software F-Prot Antivirus 3.16 c
Frisk Software F-Prot Antivirus 3.16f
AVG AVG Anti-Virus 7.1.308

- Vulnerability discussion

F-prot Antivirus is prone to a scan-evasion vulnerability when dealing with ZIP archive attachments. This issue stems from a design error in the application, which flags certain ZIP files as harmless when it can't decompress them.

An attacker can exploit this vulnerability by crafting a specially designed ZIP file containing malicious code that will bypass the antivirus software.

- Exploitation

Attackers can use readily available tools to exploit this issue.

- Solution

Reports indicate that the vendor will be addressing this issue in an upcoming version, but Symantec has not confirmed this.

