full-disclosure-uk June 2009 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] [TZO-32-2009] Norman gener

[Full-disclosure] [TZO-32-2009] Norman generic bypass (RAR)

From: Thierry Zoller <Thierry_at_nospam>
Date: Sun Jun 14 2009 - 18:50:55 GMT
To: bugtraq <bugtraq@securityfocus.com>, info@circl.etat.lu, vuln@secunia.com, <cert@cert.org>, <nvd@nist.gov>, <cve@mitre.org>, <full-disclosure@lists.grok.org.uk>

From the low-hanging-fruit-department Norman generic evasion (RAR) ________________________________________________________________________

CHEAP Plug :


You are invited to participate in HACK.LU 2009, a small but concentrated luxemburgish security conference. More information : http://www.hack.lu CFP is open, sponsorship is still possible and warmly welcomed
Release mode: Coordinated but limited disclosure. Ref : [TZO-32-2009] - Norman generic evasion (RAR) WWW : http://blog.zoller.lu/2009/06/advisory-norman-generic-evasion-rar.html Vendor : http://www.norman.com Status : Patched (with decompression engine version 5.99.07) CVE : none provided Credit : http://www.norman.com/support/security_bulletins/69333/en OSVDB vendor entry: Norman is not listed as a vendor in OSVDB Security notification reaction rating : ok Notification to patch window : 77 days

Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
The vulnerabilities have been fixed in Norman's compression library (NCL) 5.99.07, relased on Norman's Internet update servers as an automatic update 03 June 2009. This solves the vulnerability for all updated Norman's products except for Norman Network Protection

  • Norman Virus Control single user and corporate versions
  • Norman Internet Control
  • Norman Virus Control E-mail plugins
  • Norman Endpoint Protection
  • Norman Secuirty Suite
  • Norman Network Protection
  • Norman Virus Control for Lotus Domino
  • Norman Virus Control for Exchange
  • Norman Virus Control for Linux
  • Norman Virus Control for Novell Netware (FireBreak)
  • Norman Email Protection
  • Norman Email Protection Appliance
  • Norman Online Protection
  • Norman Virus Control for AMaViS
  • Norman Virus Control for MIMEsweeper
  • Third party vendors that use the Engine

 OEM vendors known to use the Norman engine :

  • eeye I. Background
    Quote: "Norman ASA is a world leading company within the field of data security, internet protection and analysis tools. Through its SandBox technology Norman offers a unique and proactive protection unlike any other competitor"

II. Description


A general description of the impact and nature of AV Bypasses/evasions can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect code within the RAR archive. There is no inspection of the content at all.

III. Impact


The bug results in denying the engine the possibility to inspect code within the RAR archives. There is no inspection of content at all.

A general description of the impact and nature of AV Bypasses/evasions can be read at : http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Disclosure time-line


DD/MM/YYYY
05/03/2009 : Send proof of concept (RAR Size), description the terms under which I cooperate and the planned disclosure date. No reply 13/03/2009 : Re-Send proof of concept (RAR Size), indicating this is the last attempt to responsible disclose.

14/03/2009 : Norman acknowledges receipt

23/03/2009 : Send proof of concept (RAR Method)

23/03/2009 : Asking for an update for the RAR Size sample

02/04/2009 : Norman confirms reproduction of RAR Method PoC and that they will release the patch a.s.a.p 02/04/2009 : Norman promises to get back with release dates/advisory information as soon as they have some firm dates 06/04/2009 : Norman confirms reproduction of RAR Headflags PoC 20/04/2009 : Norman confirms reproduction of the CAB PoC and that all reported vulnerabilities have been patched internaly. 22/04/2009 : Ask for a list of affected versions/products no answer 27/04/2009 : Norman sends in the patched decompression DLL for me to if the patch is correct. 28/04/2009 : Send TAR PoC file no acknowledgement

07/05/2009 : Ask for an update to all reported bugs   

             no reply

08/05/2009 : Inform Norman that as I no longer receive any replies I assume that the patch is deployed and set that the final disclosure date to the 1.06.2009

09/05/2009 : Norman states they probably can't make the 1/06/2009

09/05/2009 : Propose to postpone disclosure upon request

28/05/2009 : Ask for an update as 01.06.2009 still is set

30/05/2009 : Norman asks to postpone the disclosure by a week as they

             have to finish Q&A

09/06/2009 : Ask norman whether the Q&A has been finished

09/06/2009 : Norman replies the patches where deployed on the 3rd of June.

10/06/2009 : Release of this advisory.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

   © Copyright 2012 Guardian Digital, Inc. All Rights Reserved.