Vigil@nce - Symantec Antivirus: bypassing via CAB, CHM, ELF, EXE, Office, RAR, TAR, ZIP
April 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can create an archive or a program containing a virus,
which is not detected by Symantec Antivirus.
Severity: 2/4
Creation date: 21/03/2012
IMPACTED PRODUCTS
– Symantec Antivirus
– Symantec Norton AntiVirus
DESCRIPTION OF THE VULNERABILITY
Tools extracting archives (TAR, ZIP, etc.) accept to extract
archives which are slightly malformed. Systems also accept to
execute programs (ELF) which are slightly malformed. However,
Symantec Antivirus does not detect viruses contained in these
archives/programs.
A TAR archive containing "MSCF" as its first 4 bytes bypasses the
detection. [severity:1/4; BID-52575, CVE-2012-1421]
A TAR archive containing "\50\4B\03\04" as its first 4 bytes
bypasses the detection. [severity:1/4; BID-52580, CVE-2012-1425]
A RAR archive containing "MZ" as its first 2 bytes bypasses the
detection. [severity:1/4; BID-52612, CVE-2012-1443]
An ELF program containing a large "encoding" field bypasses the
detection. [severity:2/4; BID-52600, CVE-2012-1446]
A ZIP archive starting by TAR data bypasses the detection.
[severity:1/4; BID-52608, CVE-2012-1456]
A TAR archive with a large size bypasses the detection.
[severity:1/4; BID-52610, CVE-2012-1457]
A TAR archive with a header containing a large value bypasses the
detection. [severity:1/4; BID-52623, CVE-2012-1459]
A TAR+GZ archive containing two streams bypasses the detection.
[severity:1/4; BID-52626, CVE-2012-1461]
A ZIP archive starting by 1024 random bytes bypasses the
detection. [severity:1/4; BID-52613, CVE-2012-1462]
An attacker can therefore create an archive containing a virus
which is not detected by the antivirus, but which is extracted by
extraction tools. The virus is then detected once it has been
extracted on victim’s computer. An attacker can also create a
program, containing a virus which is not detected by the
antivirus, but which can be run by the system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN