|
________________________________________________________________________
From the low-hanging-fruit-department
Norman generic evasion (RAR)
________________________________________________________________________
CHEAP Plug :
************
You are invited to participate in HACK.LU 2009, a small but concentrated
luxemburgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed
************
Release mode: Coordinated but limited disclosure.
Ref : [TZO-32-2009] - Norman generic evasion (RAR)
WWW : http://blog.zoller.lu/2009/06/advisory-norman-generic-evasion-rar.html
Vendor : http://www.norman.com
Status : Patched (with decompression engine version 5.99.07)
CVE : none provided
Credit : http://www.norman.com/support/security_bulletins/69333/en
OSVDB vendor entry: Norman is not listed as a vendor in OSVDB
Security notification reaction rating : ok
Notification to patch window : 77 days
Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
The vulnerabilities have been fixed in Norman's compression library (NCL) 5.99.07,
relased on Norman's Internet update servers as an automatic update 03 June 2009.
This solves the vulnerability for all updated Norman's products except for
Norman Network Protection
- Norman Virus Control single user and corporate versions
- Norman Internet Control
- Norman Virus Control E-mail plugins
- Norman Endpoint Protection
- Norman Secuirty Suite
- Norman Network Protection
- Norman Virus Control for Lotus Domino
- Norman Virus Control for Exchange
- Norman Virus Control for Linux
- Norman Virus Control for Novell Netware (FireBreak)
- Norman Email Protection
- Norman Email Protection Appliance
- Norman Online Protection
- Norman Virus Control for AMaViS
- Norman Virus Control for MIMEsweeper
- Third party vendors that use the Engine
OEM vendors known to use the Norman engine :
- eeye
I. Background
~~~~~~~~~~~~~
Quote: "Norman ASA is a world leading company within the field of data security,
internet protection and analysis tools. Through its SandBox technology
Norman offers a unique and proactive protection unlike any other
competitor"
II. Description
~~~~~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
The bug results in denying the engine the possibility to inspect
code within the RAR archive. There is no inspection of the content
at all.
III. Impact
~~~~~~~~~~~
The bug results in denying the engine the possibility to inspect
code within the RAR archives. There is no inspection of content
at all.
A general description of the impact and nature of AV Bypasses/evasions
can be read at : http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
IV. Disclosure time-line
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
05/03/2009 : Send proof of concept (RAR Size), description the terms under which
I cooperate and the planned disclosure date.
No reply
13/03/2009 : Re-Send proof of concept (RAR Size), indicating this is the last attempt
to responsible disclose.
14/03/2009 : Norman acknowledges receipt
23/03/2009 : Send proof of concept (RAR Method)
23/03/2009 : Asking for an update for the RAR Size sample
02/04/2009 : Norman confirms reproduction of RAR Method PoC and that they will release
the patch a.s.a.p
02/04/2009 : Norman promises to get back with release dates/advisory information as soon
as they have some firm dates
06/04/2009 : Norman confirms reproduction of RAR Headflags PoC
20/04/2009 : Norman confirms reproduction of the CAB PoC and that all reported
vulnerabilities have been patched internaly.
22/04/2009 : Ask for a list of affected versions/products
no answer
27/04/2009 : Norman sends in the patched decompression DLL for me to if the patch
is correct.
28/04/2009 : Send TAR PoC file
no acknowledgement
07/05/2009 : Ask for an update to all reported bugs
no reply
08/05/2009 : Inform Norman that as I no longer receive any replies I assume that
the patch is deployed and set that the final disclosure date to
the 1.06.2009
09/05/2009 : Norman states they probably can't make the 1/06/2009
09/05/2009 : Propose to postpone disclosure upon request
28/05/2009 : Ask for an update as 01.06.2009 still is set
30/05/2009 : Norman asks to postpone the disclosure by a week as they
have to finish Q&A
09/06/2009 : Ask norman whether the Q&A has been finished
09/06/2009 : Norman replies the patches where deployed on the 3rd
of June.
10/06/2009 : Release of this advisory.