AVAST Generic Archive Bypass

Details: Written by: khalil shreateh; Category: Vulnerabilities; Hits: 273

________________________________________________________________________

From the low-hanging-fruit-department
Avast Generic Malformed Archive Bypass (ZIP GFlag ________________________________________________________________________

From the low-hanging-fruit-department
Avast Generic Malformed Archive Bypass (ZIP GFlag)
________________________________________________________________________

Release mode : Coordinated Disclosure
Ref : [TZO-23-2020] - AVAST Generic Archive Bypass (ZIP)
Vendor : AVAST
Status : Patched - version 12 and newer
CVE : CVE-2020-9399

Blog :
https://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
Twitter : https://twitter.com/thierryzoller
Dislosure Policy: https://caravelahq.com/b/policy/20949

Affected Products
=================
Avast Antivirus Pro Plus
Avast Antivirus Pro
Avast Antivirus fÃ¼r Linux

I. Background
=============
Avast is dedicated to creating a world that provides safety and privacy
for all, no matter who you are, where you are, or how you connect.
Avast is one of the largest security companies in the world using
next-gen technologies to fight cyber attacks in real time. We differ
from other next-gen companies in that we have an immense cloud-based
machine learning engine that receives a constant stream of data from our
hundreds of millions of users, which facilitates learning at
unprecedented speeds and makes our artificial intelligence engine
smarter and faster than anyone else’s.

II. Description
----------------------------
The parsing engine supports the ZIP archive format. The parsing engine
can be bypassed by specifically manipulating an ZIP Archve so that it
can be accessed by an end-user but not the Anti-Virus software. The AV
engine is unable to scan the container and gives the file a "clean"
rating.

I may release further details after all known vulnerable vendors have
patched their engines.

III. Impact
----------------------------
Impacts depends on the contextual use of the product and engine within
the organisation of a customer. Gateway Products (Email, HTTP Proxy etc)
may allow the file through unscanned and give it a clean bill of health.
Server side AV software will not be able to discover any code or sample
contained within this ISO file and it will not raise suspicion even if
you know exactly what you are looking for (Which is for example great to
hide your implants or Exfiltration/Pivot Server).

There is a lot more to be said about this bug class, so rather than bore
you with it in
this advisory I provide a link to my 2009 blog post
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Patch / Advisory
----------------------------
11.10.2019 - Submission
24.02.2020 - Confirmation by Avast that these have been patched.
"The fix was released in virus definitions 200114-0 (except for very old
program versions 5.x - 11.x where it hasn't been released yet).
So any program (version 12 and newer) with up-to-date virus definitions
has the updated unpacker."