Thread-topic: Multiple Vendor Anti-Virus Software and Snort's BO pre-processor exploit
> Subject: Full-Disclosure Digest, Vol 8, Issue 44
> ------------------------------
>
> Message: 13
> Date: Tue, 25 Oct 2005 05:07:51 +0200
> From: "Andrey Bayora" <andrey@xxxxxxxxxxxxxxx>
> Subject: [Full-disclosure] Multiple Vendor Anti-Virus Software Detection
> Evasion Vulnerability through forged magic byte
> To: <full-disclosure@xxxxxxxxxxxxxxxxx>
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Message-ID: <00f101c5d911$4bc68520$0501a8c0@home>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability
> through forged magic byte.
>
>
>
> AUTHOR: Andrey Bayora (www.securityelf.org)
>
>
>
> For more details, screenshots and examples please read my article "The
> Magic of magic byte" at www.securityelf.org . In addition, you will find
> a sample "triple headed" program which has 3 different 'execution entry
> points', depending on the extension of the file (exe, html or eml) -
> just change the extension and the SAME file will be executed by (at
> least) THREE DIFFERENT programs! (thanks to contributing author Wayne
> Langlois from www.diamondcs.com.au).
>
> DATE: October 25, 2005
>
>
>
> VULNERABLE vendors and software (tested):
>
>
>
> 1. ArcaVir 2005 (engine 2005-06-03, vir def 2005-06-27, scanner ver
> 2005-03-06, package ver 2005-06-21)
>
> 2. AVG 7 (updates 24 June, ver.7.0.323, virus base 267.8.0/27)
>
> 3. eTrust CA (ver 7.0.1.4, engine 11.9.1, vir sig. 9229)
>
> 4. Dr.Web (v.4.32b, update 27.06.2005)
>
> 5. F-Prot (ver. 3.16c, update 6/24/2005)
>
> 6. Ikarus (latest demo version for DOS)
>
> 7. Kaspersky (update 24 June, ver. 5.0.372)
>
> 8. McAfee Internet Security Suite 7.1.5 (updates 25 June, ver 9.1.08,
> engine 4.4.00, dat 4.0.4519 6/22/2005)
>
> 9. McAfee Corporate (updates 25 June, ver. 8.0.0 patch 10, vir def 4521,
> engine 4400)
>
> 10. Norman ( ver 5.81, engine 5.83.02, update 2005/06/23)
>
> 11. TrendMicro PC-Cillin 2005 (ver 12.0.1244, engine 7.510.1002,
> pattern 2.701.00)
>
> 12. TrendMicro OfficeScan (ver 7.0, engine 7.510.1002, vir pattern
> 2.701.00 6/23/2005)
>
> 13. Panda Titanium 2005 (updates 24 June, ver 4.02.01)
>
> 14. UNA - Ukrainian National Antivirus (ver. 1.83.2.16 kernel v.265)
>
> 15. Sophos 3.91 (engine 2.28.4, virData 3.91)
>
>
>
> IMPORTANT NOTE:
>
> A similar vulnerability may exist in many other antivirus\anti-spyware
> desktop and gateway products. In addition, various "file filter"
> solutions may be affected as well.
>
>
>
> NOT VULNERABLE vendors and software (tested):
>
>
>
> 1. F-Secure (updates 24 June, ver 5.56 b.10450)
>
> 2. Avast (ver. 4.6.655, vir database 0525-5 06/25/2005)
>
> 3. BitDefender (ver. 8.0.200, update 6/24/2005, engine 7.01934)
>
> 4. ClamWin (ver. 0.86.1, upd 24 June 2005)
>
> 5. NOD32 (updates 24 June, ver 2.50.25, vir database 1.1152)
>
> 6. Symantec Corporate (ver 10.0.0.359, engine 103.0.2.7)
>
> 7. Norton Internet Security 2005 (ver 11.5.6.14)
>
> 8. VBA32 (ver 3.10.4, updates 27.06.2005)
>
> 9. HBEDV Antivir Personal (ver 6.31.00.01, engine 6.31.0.7, vir def
> 6.31.0.109 6/24/2005)
>
> 10. Sophos 5 (ver. 5.0.2, vir def 3.93, upd 6/30/2005)
>
> 11. Sophos 3.95 (engine 2.30.4)
>
>
>
> SEVERITY: critical
>
>
>
> DESCRIPTION:
>
>
>
> The problem exists in the scanning engine - in the routine that
> determines the file type. If files of some types (the file types tested
> are .BAT, .HTML and .EML) are changed to have the MAGIC BYTE of EXE
> files (MZ) at the beginning, then many antivirus programs will be unable
> to detect the malicious file. This breaks the normal flow of antivirus
> scanning, and many existing and future viruses will go undetected.
>
>
>
> NOTE: In my test, I used the EXE headers (MZ), but it is possible to use
> other headers (magic bytes) that will lead to the same effect.
>
>
>
> ANALYSIS:
>
>
>
> Some file types like .bat, .html and .eml can be properly executed even
> if they have some "unrelated" beginning. For example, in the case of
> .BAT files it is possible to prepend some "junk" data at the beginning
> of the file without altering correct execution of the batch file. In my
> tests, I used the calc.exe headers (first 120 bytes - middle of the
> dosstub section) to change 5 different files of existing viruses. In
> addition, the simplest test of this vulnerability is to prepend only the
> magic byte (MZ) to an existing malicious file and check if this file is
> detected by the antivirus program.
>
>
>
> NOTE that this is NOT the case where the change of the existing virus
> file resulted in a "broken" detection signature (see details and the
> test logic in "The Magic of magic byte" article at www.securityelf.org).
>
>
>
> WORKAROUND:
>
> I did not find any effective one besides patching the vulnerable engine.
>
>
>
> CREDITS:
>
> The idea for this vulnerability came during discussions with Wayne
> Langlois at diamondcs.com.au, who hinted that JPEGs could probably be
> exploited in this way.
>
>
>
> TIME LINE:
>
>
>
> July 13, 2005 - Initial vendor notification
>
> July 16, 2005 - Second vendor notification
>
> .....Waiting.....Waiting....
>
> October 24, 2005 - Public disclosure (uncoordinated)
>
>
>
>
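The advisory's analysis section says the failure sits in the routine that determines file type: once an engine sees the EXE magic bytes it stops looking, so a .BAT, .HTML or .EML body behind a prepended stub is never scanned as what it really is. The following is an added example, not the advisory's code nor any vendor's engine, of the defensive shape a type-identification routine should have: the header verdict is kept as one hint, the whole buffer is also inspected for the secondary content types the advisory names, the result is compared with the extension the file claims, and the sample is scanned under every interpretation that applies. The extension table, the content signatures, the stub bytes and the sample buffers are all constructed for the demonstration; none of them is the advisory's test material.

```python
"""
Added example (not the advisory's own code): a file-type identification
routine that treats the first magic bytes as one hint among several instead
of a final verdict. A scanner that stops at 'MZ' is the failure the advisory
describes; this routine keeps the EXE verdict but also inspects the whole
buffer for batch, HTML and e-mail content and compares the result with the
extension the file claims, so a forged header produces a mismatch and the
sample is scanned under every plausible interpretation.

The signatures, extension table and sample buffers are all constructed for
the demonstration; they are not the advisory's test files.
"""
import re

# Extension -> type a naive scanner would expect (constructed, minimal table).
EXT_TYPES = {"exe": "exe", "bat": "bat", "cmd": "bat",
             "htm": "html", "html": "html", "eml": "eml"}

# Content signatures for the secondary types named in the advisory.
# MULTILINE anchors over the whole buffer are what let us see past a
# prepended stub.
HTML_RE = re.compile(rb"<\s*(html|script|body|iframe)\b", re.IGNORECASE)
EML_RE = re.compile(rb"^(From|To|Subject|Content-Type):",
                    re.IGNORECASE | re.MULTILINE)
BAT_RE = re.compile(rb"^\s*@?(echo|set|call|start|cmd)\b",
                    re.IGNORECASE | re.MULTILINE)


def primary_type(data: bytes) -> str:
    """First-bytes classification: the step a vulnerable engine relies on."""
    return "exe" if data[:2] == b"MZ" else "unknown"


def secondary_types(data: bytes) -> set:
    """Content-based classification of the whole buffer, ignoring the header."""
    found = set()
    if HTML_RE.search(data):
        found.add("html")
    if EML_RE.search(data):
        found.add("eml")
    if BAT_RE.search(data):
        found.add("bat")
    return found


def classify(data: bytes, claimed_ext: str) -> dict:
    """Return the header verdict, the body verdicts, whether they disagree
    with the claimed extension, and the set of type-specific scans to run."""
    primary = primary_type(data)
    ext_type = EXT_TYPES.get(claimed_ext.lower())
    secondary = secondary_types(data)
    # A forged header shows up as a header verdict that disagrees with the
    # extension, or as an EXE header sitting on top of interpretable text.
    mismatch = (primary != "unknown" and ext_type is not None
                and ext_type != primary) \
        or (primary == "exe" and bool(secondary))
    scan = set(secondary)
    if primary != "unknown":
        scan.add(primary)
    if ext_type is not None:
        scan.add(ext_type)
    return {"primary": primary, "secondary": secondary,
            "mismatch": mismatch, "scan": scan}


# Constructed samples. FAKE_STUB stands in for the "first 120 bytes of an
# EXE" the advisory mentions; it is not a real PE header.
FAKE_STUB = b"MZ" + b"\x90" * 118
PLAIN_BAT = b"@echo off\r\necho constructed sample\r\n"
PLAIN_HTML = b"<html><body>constructed sample</body></html>"
FORGED_BAT = FAKE_STUB + b"\r\n" + PLAIN_BAT
FORGED_HTML = FAKE_STUB + PLAIN_HTML


def demo() -> list:
    """Classify each sample under the extension it would be delivered with."""
    cases = [("sample.exe", FAKE_STUB), ("sample.bat", PLAIN_BAT),
             ("sample.bat", FORGED_BAT), ("sample.html", FORGED_HTML)]
    return [(name, classify(data, name.rsplit(".", 1)[-1]))
            for name, data in cases]


if __name__ == "__main__":
    for name, v in demo():
        print(f"{name}: header={v['primary']} body={sorted(v['secondary'])} "
              f"mismatch={v['mismatch']} scan={sorted(v['scan'])}")
```

The point of `classify` is that `scan` is a set, never a single type: a forged .BAT comes back as `{"exe", "bat"}` with `mismatch` set, so the batch scanner still runs on it, and a plain stub with a matching extension comes back as `{"exe"}` with no mismatch. In a real engine the mismatch flag is also a useful detection signal on its own, since legitimate files rarely carry an EXE header on top of a script body.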
> ------------------------------
>
> Message: 14
> Date: Tue, 25 Oct 2005 15:09:08 +0700
> From: rd <rd@xxxxxxx>
> Subject: [Full-disclosure] Snort's BO pre-processor exploit
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Message-ID: <435DE824.1070700@xxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi,
>
> Just wanna point out a small exploit release for a remote vulnerability
> in Snort's Back Orifice pre-processor found by ISS recently.
>
> http://www.thc.org/download.php?t=e&f=THCsnortbo.c
>
> Have fun,
>
> --rd/thc
>
>
>
>