Affected products :
- Global Protection 2009 (Hotfix)
- Internet Security 2009 (Hotfix)
- Panda Antivirus Pro 2009 (Hotfix)
- Panda Security for Business with Exchange
- Panda Security for Business
- Panda Security for Enterprise
- Panda GateDefender Integra (patched through automatic updates)
- Panda GateDefender Performa (patched through automatic updates)
- Panda AdminSecure (patched through automatic updates)
SaaS
- Panda Managed Office Protection
- TrustLayer Mail
Quote : "What virus protection guarantees does TrustLayer offer?
With respect to the antivirus filtering service, TrustLayer
offers a 100% virus-free contractual guarantee."
I. Background
Quote: "Panda Security is one of the world's leading creators
and developers of technologies, products and services for
keeping clients' IT resources free from viruses and other
computer threats at the lowest possible Total Cost of Ownership."
II. Description
The parsing engine can be bypassed by a specially crafted CAB
archive.
The bug prevents the engine from inspecting code inside CAB
archives. The content is not inspected at all, so malicious code
inside the archive cannot be detected.
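One way a gateway can avoid the outcome described above is to separate "inspected and clean" from "could not inspect" and to fail closed on the latter. This is an added example, not code from Panda or from the advisory's author; the advisory does not say which part of the CAB the proof of concept alters, so the checks below are generic structural checks against the published CFHEADER layout, and `gateway_verdict`, `scan_members` and `make_sample` are hypothetical names.

```python
import struct

# Fixed 36-byte CFHEADER from Microsoft's published Cabinet format.
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")

def parse_cab_header(data: bytes) -> dict:
    """Return header fields, or raise ValueError if the archive cannot be walked."""
    if len(data) < CFHEADER.size:
        raise ValueError("truncated header")
    (sig, _, cb_cabinet, _, coff_files, _, ver_minor, ver_major,
     c_folders, c_files, _flags, _set_id, _i_cab) = CFHEADER.unpack_from(data)
    if sig != b"MSCF":
        raise ValueError("bad signature")
    if (ver_major, ver_minor) != (1, 3):
        raise ValueError("unsupported version")
    if cb_cabinet > len(data):
        raise ValueError("declared size exceeds data")
    if not CFHEADER.size <= coff_files < len(data):
        raise ValueError("file table offset outside archive")
    if c_folders == 0 or c_files == 0:
        raise ValueError("no folders or files declared")
    return {"folders": c_folders, "files": c_files, "coff_files": coff_files}

def gateway_verdict(name: str, data: bytes, scan_members) -> str:
    """Fail closed: a CAB that cannot be parsed is never reported as clean."""
    if not (name.lower().endswith(".cab") or data[:4] == b"MSCF"):
        return "not-cab"
    try:
        header = parse_cab_header(data)
    except ValueError as exc:
        return f"quarantine: uninspectable ({exc})"
    # scan_members is a hypothetical callback standing in for the AV engine.
    return "block: malware" if scan_members(data, header) else "deliver"

def make_sample(coff_files: int = 44, c_files: int = 1) -> bytes:
    """Constructed 64-byte header-only sample (no real payload)."""
    header = CFHEADER.pack(b"MSCF", 0, 64, 0, coff_files, 0, 3, 1, 1, c_files, 0, 0, 0)
    return header + bytes(64 - CFHEADER.size)

if __name__ == "__main__":
    clean = lambda data, header: False   # engine found nothing in the members
    print(gateway_verdict("ok.cab", make_sample(), clean))
    print(gateway_verdict("odd.cab", make_sample(coff_files=5000), clean))
    print(gateway_verdict("renamed.bin", b"MSCF\x00\x00", clean))
```

The verdict string keeps the parse failure reason so that quarantined archives show up in reporting as uninspected rather than as clean.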
IV. Disclosure timeline
DD/MM/YYYY
13/04/2009 : Send proof of concept CAB, description, the terms under which
I cooperate and the planned disclosure date
13/04/2009 : Panda acks receipt and starts investigating
15/04/2009 : Panda denies DoS and bypass condition and considers the bug a reporting
issue as a MAX Size rule blocks the sample.
16/04/2009 : Ask if the GateDefender product range detects, flags or
blocks the POC file.
17/04/2009 : Provide a new POC file to Panda that aims at evading
the Max Size rule and detection.
17/04/2009 : Panda acks receipt and will investigate.
20/04/2009 : Inform Panda that I sent the wrong POC on the 17/04/2009
and attached the correct one.
28/04/2009 : Ping Panda for updates
28/04/2009 : Panda states that they are planning the patch timeline
and will inform me asap.
21/05/2009 : Panda informs me of the release of hotfixes and affected
products.
22/05/2009 : Ask for clarification on affected products
22/05/2009 : Release of this advisory.