Vigil@nce: Trend Micro, bypassing via RAR, CAB and ZIP
May 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can create a RAR, CAB or ZIP archive containing a virus which is not detected by Trend Micro.
Consequences: data flow
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 3
Creation date: 30/04/2009
Trend Micro Internet Security
Trend Micro InterScan Messaging Security Suite
Trend Micro InterScan Web Security Suite
Trend Micro ScanMail
Trend Micro ServerProtect
DESCRIPTION OF THE VULNERABILITY
Trend Micro products detect viruses contained in RAR, CAB and ZIP archives.
However, an attacker can create a slightly malformed archive, which can still be opened by Unrar/Unzip tools, but which cannot be opened by the antivirus.
Depending on Trend Micro product, these archives are handled in three ways:
OfficeScan and ServerProtect are vulnerable when Unrar/Unzip extracts the file on the desktop computer. These products are thus vulnerable when installed on a scan server. [grav:2/4]
InterScan Web Security Suite and InterScan Messaging Security quarantine the file by default. These products are vulnerable if the administrator changed the default configuration. [grav:2/4]
ScanMail does not indicate that the unscanned archive potentially contains a virus. This product is vulnerable in its default configuration. [grav:2/4]
An attacker can therefore create a RAR, CAB or ZIP archive containing a virus which is not detected by Trend Micro.
Identifiers: BID-34763, TZO-17-2009, VIGILANCE-VUL-8683