exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

McAfee Generic Evasions

McAfee Generic Evasions
Posted May 1, 2009
Authored by Thierry Zoller

The McAfee parsing engine can be bypassed by a specially crafted and formatted RAR (Headflags and Packsize) or ZIP (Filelenght) archive.

tags | advisory
SHA-256 | ea6b4633d140cbe430fe0b6edb6bb33bbd4a99f3c81428950542a31c2a9d70f3

McAfee Generic Evasions

Change Mirror Download
________________________________________________________________________

From the low-hanging-fruit-department - Mcafee multiple generic evasions
________________________________________________________________________

Release mode: Coordinated but limited disclosure.
Ref : TZO-182009 - Mcafee multiple generic evasions
WWW : http://blog.zoller.lu/2009/04/mcafee-multiple-bypassesevasions-ziprar.html
Vendor : http://www.mcafee.com
Status : Patched
CVE : CVE-2009-1348 (provided by mcafee)
https://kc.mcafee.com/corporate/index?page=content&id=SB10001&actp=LIST_RECENT

Security notification reaction rating : very good
Notification to patch window : +-27 days (Eastern holidays in between)

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
- McAfee VirusScan® Plus 2009
- McAfee Total Protection™ 2009
- McAfee Internet Security
- McAfee VirusScan USB
- McAfee VirusScan Enterprise
- McAfee VirusScan Enterprise Linux
- McAfee VirusScan Enterprise for SAP
- McAfee VirusScan Enterprise for Storage
- McAfee VirusScan Commandline
- Mcafee SecurityShield for Microsoft ISA Server
- Mcafee Security for Microsoft Sharepoint
- Mcafee Security for Email Servers
- McAfee Email Gateyway
- McAfee Total Protection for Endpoint
- McAfee Active Virus Defense
- McAfee Active VirusScan

It is unkown whether SaaS were affected (tough likely) :
- McAfee Email Security Service
- McAfee Total Protection Service Advanced


I. Background
~~~~~~~~~~~~~
Quote: "McAfee proactively secures systems and networks from known
and as yet undiscovered threats worldwide. Home users, businesses,
service providers, government agencies, and our partners all trust
our unmatched security expertise and have confidence in our
comprehensive and proven solutions to effectively block attacks
and prevent disruptions."


II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formated
RAR (Headflags and Packsize),ZIP (Filelenght) archive.

III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within RAR and ZIP archives. There is no inspection of the content
at all and hence the impossibility to detect malicious code.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
04/04/2009 : Send proof of concept RAR I, description the terms under which
I cooperate and the planned disclosure date

06/04/2009 : Send proof of concept RAR II, description the terms under which
I cooperate and the planned disclosure date

06/04/2009 : Mcafee acknowledges receipt and reproduction of RAR I, ack
acknowledges receipt of RARII

10/04/2009 : Send proof of concept ZIP I, description the terms under which
I cooperate and the planned disclosure date

21/04/2009 : Mcafee provides CVE number CVE-2009-1348

28/04/2009 : Mcafee informs me that the patch might be released on the 29th
29/04/2009 : Mcafee confirms patch release and provides URL
https://kc.mcafee.com/corporate/index?page=content&id=SB10001&actp=LIST_RECENT

29/04/2009 : Ask for affected versions

29/04/2009 : Mcafee replies " This issue does affect all vs engine products, including
both gateway and endpoint"





Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close