Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.

[<secure () symantec com>]

In-Reply-To: <20050310112622.4458.qmail () www securityfocus com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Date: 10 Mar 2005 11:26:22 -0000

> From: Bipin Gautam <visitbipin () hotmail com>
> To: bugtraq () securityfocus com
> Subject: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.
>
>
>
> Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability. 
>
> Affected Product:
>
> AntiVir 6.30.0.5 
> AVG 718 
> Sybari (Antigen for M$ exchange) 7.5.1314
> Symantec 8.0
> McAfee 4442
> BitDefender 7.0 
>
>
> POC: http://www.geocities.com/visitbipin/happy-crc.zip
>
> Description:
> if you create a zip archive with invalid CRC checksum...... some AV
> skip the archive marking it as clean........ by this way, you can
> bypass antivirus gateways and slip in any attachment without
> scanning the archive. Moreover, these days.... software tools
> automatically repair a *broken* archive. 
- -----------snip------------
Symantec is aware of an issue posted to various security mailing
lists, in which the poster reported being able to bypass the initial
scan of multiple vendor antivirus products including Symantec
AntiVirus Corporate Edition version 8.0.  

The researcher included a link to the proof-of-concept code that he
used to validate his tests.  According to the posting, by creating a
malicious zip archive with an invalid CRC32 checksum, some antivirus
vendor's  products will not detect the malicious file, providing a
method to bypass the antivirus scan at the gateway and potentially
compromise targeted systems.

Symantec Response
Symantec engineers reviewed and tested the poster's proof-of-concept
code.  In all instances, Symantec was able to successfully decompress
the target file and scan the content.  However, the eicar test file
that the poster used in his proof-of-concept was an invalid test
file.  While Symantec products did successfully unzip the archive and
scan the enclosed file, we were not getting a valid detection on the
original enclosed eicar test file.  Once we recognized the problem
with the poster's version of the eicar test file, we recreated the
poster's proof-of-concept test with a valid eicar test file and
verified our products successfully detected the valid file.

Symantec engineers have determined that this issue does not impact
Symantec's antivirus scanning products.

Symantec Product Security Contact:
Symantec takes the security and proper functionality of its products
very seriously. As founding members of the Organization for Internet
Safety (OISafety), Symantec follows the principles of responsible
disclosure. Symantec also subscribes to the vulnerability guidelines
outlined by the National Infrastructure Advisory Council (NIAC).
Please contact secure () symantec com if you feel you have discovered a
potential or actual security issue with a Symantec product. A
Symantec Product Security team member will contact you regarding your
submission.
Symantec has developed a Product Vulnerability Handling Process
document outlining the process we follow in addressing suspected
vulnerabilities in our products. We support responsible disclosure of
all vulnerability information in a timely manner to protect Symantec
customers and the security of the Internet as a result of
vulnerability. This document is available from the location provided
below.
Symantec strongly recommends using encrypted email for reporting
vulnerability information to secure () symantec com. The Symantec
Product Security PGP key can be obtained from
http://www.symantec.com/security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBQjIAcwLsezw0Sg5hEQIw6ACgu1OEITv8QFfgLBFpZCRZYAEAaJgAoJ10
MqkTSBAlLAHRns46h7Rm6yTB
=TR5a
-----END PGP SIGNATURE-----