Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

De la Théorie à la pratique





















Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Vigil@nce - F-Secure Anti-Virus: bypassing via ELF, EXE, RAR, TAR

April 2012 by Vigil@nce

This bulletin was written by Vigil@nce : http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

An attacker can create an archive or a program containing a virus, which is not detected by F-Secure Anti-Virus.

Severity: 2/4

Creation date: 21/03/2012

IMPACTED PRODUCTS

- F-Secure Anti-Virus

DESCRIPTION OF THE VULNERABILITY

Tools extracting archives (RAR, TAR, etc.) accept to extract archives which are slightly malformed. Systems also accept to execute programs (ELF, EXE) which are slightly malformed. However, F-Secure Anti-Virus does not detect viruses contained in these archives/programs.

An ELF program containing "ustar" at offset 257 bypasses the detection. [severity:2/4; BID-52581, CVE-2012-1429]

An ELF program containing "\19\04\00\10" at offset 8 bypasses the detection. [severity:2/4; BID-52589, CVE-2012-1430]

An ELF program containing "\4a\46\49\46" at offset 6 bypasses the detection. [severity:2/4; BID-52591, CVE-2012-1431]

An EXE program containing a large "class" field bypasses the detection. [severity:2/4; BID-52598, CVE-2012-1442]

A RAR archive containing "MZ" as its first 2 bytes bypasses the detection. [severity:1/4; BID-52612, CVE-2012-1443]

A TAR archive with a header containing a large value bypasses the detection. [severity:1/4; BID-52623, CVE-2012-1459]

A TAR+GZ archive containing two streams bypasses the detection. [severity:1/4; BID-52626, CVE-2012-1461]

An ELF program with a changed 5th byte bypasses the detection. [severity:2/4; BID-52614, CVE-2012-1463]

An attacker can therefore create an archive containing a virus which is not detected by the antivirus, but which is extracted by extraction tools. The virus is then detected once it has been extracted on victim’s computer. An attacker can also create a program, containing a virus which is not detected by the antivirus, but which can be run by the system.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/F...




See previous articles

    

See next articles