Vigil@nce: McAfee AV, bypassing via RAR and ZIP
May 2009 by Vigil@nce
An attacker can create a RAR or ZIP archive containing a virus
which is not detected by McAfee products.
– Severity: 2/4
– Consequences: data flow
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Number of vulnerabilities in this bulletin: 3
– Creation date: 04/05/2009
IMPACTED PRODUCTS
– McAfee VirusScan
DESCRIPTION OF THE VULNERABILITY
McAfee products detect viruses contained in RAR and ZIP archives.
However, an attacker can create a slightly malformed archive which
Unrar/Unzip tools still open, but which the antivirus cannot open,
so the archived content is never scanned.
Three malformations can be used:
An attacker can use a malformed Headflags field in a RAR archive
in order to bypass the antivirus. [grav:2/4]
An attacker can use a malformed Packsize field in a RAR archive in
order to bypass the antivirus. [grav:2/4]
An attacker can use a malformed Filelength field in a ZIP archive
in order to bypass the antivirus. [grav:2/4]
An attacker can therefore create a RAR or ZIP archive containing a
virus which is not detected by McAfee.
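The defensive counterpart of the ZIP case above, as an added example that is not part of this bulletin nor McAfee or Vigil@nce code: a check that compares a ZIP's central directory with each local file header, so that an archive the two disagree on is flagged as suspicious instead of being skipped. The sample archive, the mismatch applied to it and all function names are constructed for this illustration; Python's own zipfile module stands in for a tolerant extractor that trusts the central directory.

```python
import io
import struct
import zipfile
LOCAL_SIG = b"PK\x03\x04"  # local file header signature; the compressed-size field sits at offset 18

def build_sample_zip() -> bytes:  # constructed sample: one harmless text member
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"constructed sample content " * 8)
    return buf.getvalue()

def corrupt_local_csize(data: bytes, delta: int) -> bytes:
    """Constructed mismatch: change only the local header's compressed size (central directory untouched)."""
    off = data.index(LOCAL_SIG) + 18
    out = bytearray(data)
    struct.pack_into("<I", out, off, (struct.unpack_from("<I", data, off)[0] + delta) & 0xFFFFFFFF)
    return bytes(out)

def check_zip_consistency(data: bytes) -> list:
    """Compare each central-directory entry with its local header. Any disagreement means a strict
    and a tolerant parser may see different content, so flag the archive instead of skipping it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [f"unparseable archive: {exc}"]
    for info in zf.infolist():
        off = info.header_offset
        if data[off:off + 4] != LOCAL_SIG:
            findings.append(f"{info.filename}: no local header at offset {off}")
            continue
        # local header after signature+version: flags, method, time, date, crc32, csize, usize, name len, extra len
        flags, _, _, _, crc, csize, usize, nlen, _ = struct.unpack_from("<HHHHIIIHH", data, off + 6)
        local_name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        if local_name != info.filename:
            findings.append(f"{info.filename}: local header names {local_name!r}")
        if not flags & 0x8:  # bit 3 clear: sizes and CRC are recorded in the local header
            for field, loc, cen in (("compressed size", csize, info.compress_size),
                                    ("uncompressed size", usize, info.file_size), ("crc32", crc, info.CRC)):
                if loc != cen:
                    findings.append(f"{info.filename}: {field} local={loc} central={cen}")
    return findings

def extracts_cleanly(data: bytes, name: str) -> bool:
    # Python's zipfile stands in for a tolerant extractor: it takes sizes from the central directory only.
    try:
        return len(zipfile.ZipFile(io.BytesIO(data)).read(name)) > 0
    except (zipfile.BadZipFile, KeyError):
        return False
```

On the corrupted sample, extracts_cleanly still returns True while check_zip_consistency reports the size disagreement, which is exactly the gap a scanner must close by scanning what a tolerant extractor would produce or by flagging the archive.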
CHARACTERISTICS
– Identifiers: BID-34780, CVE-2009-1348, TZO-18-2009,
VIGILANCE-VUL-8686
– Url: http://vigilance.fr/vulnerability/McAfee-AV-bypassing-via-RAR-and-ZIP-8686