[TZO-01-2020] AVIRA Generic Malformed Container bypass (ISO)
10 years ago I took a look at ways to evade AV/DLP Engine detection by using various techniques and released a metric ton of Advisories. 10 years later after multiple CISO type roles I wanted to deep dive again and see how far (or not) the AV industry has reacted to this class of vulnerabilities.
Release mode : Silent Patch by Avira – Coordinated otherwise
Ref : [TZO-01-2019] – AVIRA Generic AV Bypass
Vendor : AVIRA
Status : Patched (AV Engine above 8.3.54.138)
CVE : none provided, silent patch
Blog : https://blog.zoller.lu
Vulnerability Dislosure Policy: https://caravelahq.com/b/policy/20949
Introduction
============
10 years ago I took a look at ways to evade AV/DLP Engine detection by using various techniques and released a metric ton of Advisories. 10 years later after multiple CISO type roles I wanted to deep dive again and see how far (or not) the AV industry has reacted to this class of vulnerabilities.
These types of evasions are now actively being used in offensive operations [1]. To my surprise with a few exceptions most AV Vendors haven’t, in some cases I found the very same vulnerabilities that were patched and disclosed years ago.
Worse than that is the fact that some vendors that were very collaborative in 2008/2009 have now started to ignore submissions (until I threaten disclosure) or are trying to argue that generically evading AV detection is not a vulnerability.
A lot of exchanges took place on this matter, for instance one vendor argued that this could not be called a vulnerability because it would not impact Integrity, Availability or Confidentiality so it can’t possible be a vulnerability.
Even more bothering to me is how the bu bounty platform have created a distorted Reporter/Vendor relationship and mostly are executed to the detriment of the customers.I am collecting my experiences and will write a blog post about this phenomenon.
There will by many more advisories, hoping that I can finally eradicate this bug class and I don’t have to come back to this 10 years from now again.
[1] https://www.bleepingcomputer.com/news/security/specially-crafted-zip-files-used-to-bypass-secure-email-gateways/
https://www.techradar.com/news/zip-files-are-being-used-to-bypass-security-gateways
Affected Products
=================
AV Engine below 8.3.54.138
All Avira products :
– Avira Antivirus Server
– Avira Antivirus for Endpoint
– Avira Antivirus for Small Business
– Avira Exchange Security (Gateway)
– Avira Internet Security Suite for Windows
– Avira Prime
– Avira Free Security Suite for Windows
– Cross Platform Anti-malware SDK
Attention:
Avira does not patch or update their very popular command line scanner that is still available for download on their website. Since Avira does not release and advisory their customers are none
the wiser.
Avira licenses it’s engine to many OEM Partners. The OEM Partners that use the Avira Engine may be vulnerable or not. I would advise that you reach out to the vendors listed below to know whether you are affected or not. OEM Partners
can reach out to me to retreive the POC in order to test.
AVIRA OEM Partners:
– F-Secure
– Sophos
– Barracude
– Alibaba Cloud Security
– Check Point
– CUJO AI
– TP-Link
– FujiSoft
– AWS
– Rohde and Schwarz
– Careerbuilder
– Huawei
– Dracoon
– Total Availability
– FixMeStick
– APPVISORY
– Tabidus
– Cyren
Source :
https://oem.avira.com/en/partnership/our-partners
I. Background
—————————-
Quote: «We protect people—like you—across all devices, both directly and via our OEM partnerships.We provide a wide variety of best-in-class solutions to enhance your protection, performance,
and online privacy—ranging from antivirus to VPN and cleanup technologies.
A server security should get special attention, as a single employee might store a malicious file on the network and instantly cause a cascading damage across the entire organization.
With Avira’s solutions for server security you can prevent such scenarios by protecting your network, data, and web traffic. »
Avira has the Trust Seal or the
http://www.teletrust.de/itsmig/
II. Description
—————————-
The parsing engine supports the ISO container format. The parsing engine can be bypassed by specifically manipulating an ISO container so that it can be accessed by an end-user but
not the Anti-Virus software. The AV engine is unable to scan the container and gives the file a «clean» rating.
I may release the details after all known vulnerable vendors have patched their engines.
III. Impact
—————————-
Impacts depends on the contextual use of the product and engine within the organisation
of a customer. Gateway Products (Email, HTTP Proxy etc) may allow the file through unscanned
and give it a clean bill of health. Server side AV software will not be able to discover
any code or sample contained within this ISO file and it will not raise suspicion even
if you know exactly what you are looking for (Which is for example great to hide your implants
or Exfiltration/Pivot Server).
There is a lot more to be said about this bug class, so rather than bore you with it in
this advisory I provide a link to my 2009 blog post
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
IV. Patch / Advisory
—————————-
I advise customers on scancl.exe (or Unix Variant) to change to another vendor as Avira
is apparently no longer maintaining it, and apparently also not warning customers about
vulnerabilities
Furthermore should be be an enterprise customer of the OEM Partners above I suggest to
reach out to the vendor in order to understand whether this flaw was patched downstream
in their respective products.
I recommend to the amavisd project to warn users of this facts
https://gitlab.com/amavis/amavis/blob/master/amavisd.conf
In case you have any further questions please direct them to Avira, the above is based on
the best of my knowledge and since AVIRA does not release Advisories we are left in the dark
as to what they officially recommend.
V. Disclosure timeline
—————————-
How Avira handled these reports in 2009 :
https://blog.zoller.lu/2009/04/avira-antivir-generic-cab-bypass.html
The below is a summary of 2-3 evasion reports that I have submitted.
How Avira handled this one :
15/10/2019
Submitted Proof of Concept
15/10/2019
Avira asks me to send a new POC using «EICAR»
(Eicar can only be compressed via forcing special compression mode – I refuse)
22/10/2019
Avira forwards to tech department
25/10/2019
Avira argues that this would be the same as adding a password to the file. «You could achieve the same effect by setting a password on the ZIP Archive,
or encrypting the file in any way. This would also make it impossible to scan the file. »
26/10/2019
I reply that Avira offers products that have no on access scanner (Commandline, Gateway Products) and point again
to my blog post discussing these common arguments and the overall threat model.
Avira replies by basically ignoring the details given above:
«We analyzed your report again. After careful consideration we still have to decline your report for multiple reasons.
First of all, the product you used in your evaluation (scancl.exe) is no longer supported by Avira and not used
as standalone product.»
Editor Note: Their command line scanner (scancl.exe) is in reality still available on their website as of today and
is being used by a massive amount of customers especially as you can easily include it in AMAVIS.
It can still be activated via license and AVIRA still recommends customers to install it.
https://www.avira.com/documents/products/pdf/es/man_avira_antivir-unix_server_en.pdf (Section 3.5)
Avira then shifts the blame to their OEM partners and customers :
«Additionally we checked the behavior of our engine on your reported cases. When the engine encounters a corrupted
archive, we intentionally do not try to attempt to extract the file and instead report back a warning to the product
(As shown in your output). It is up to the integrator of the engine, on how to handle these cases and depends on
the security model of the setup.»
«Our recommendation is to block these files, but as stated before, this is up to the integrators and the specific setup.
There are also good reasons not to block these files, while still ensuring the security of our customers. Our AV products
for example clients skips these files on scans, because a virus cannot be executed when stored in an archive. As soon as
you extract the file, our OnAccess scanner scans the file, and blocks the execution of the file, so that our customers
are protected»
Editors note: Again ignoring the many products that have no on access scanner or where the on access scanner is not effectively
used.
«A similar behavior is conducted when scanning encrypted files, or self developed archive types. Both types cannot be scanned,
but it would be unwise to block these files in general, since you surely agree, that many encrypted files are not harmful and desired.
Please be aware that this reply also applies to your other reports.»
28/10/2019
After I reiterated the threat model I get the following reply (Ignoring that their other products can’t parse the container
either)
«Yes we rejected the used application, because it is not designed to be used as standalone product.»
Editors note: Yet Avira gives guidance on how to configure command line scanners to be used within gateway products as a
standalone product (see tech documentation on Vendor website)
«Therefore, having a warning that the file is corrupted (as it is) and can’t be scanned, is the most secure option.»
Editors Note : In some cases it is indeed, but that’s missing the point of this report.
«It then depends, as mentioned in my previous mails, on the integrator of the Engine on how to proceed. For our consumer
products for example, the file will be skipped and scanned as soon as an application tries to extract the file with
our OnAccess scanner. This is also the default process for encrypted files or own defined, unknown data formats
(as you have when you deviate from the ZIP standard).»
Editors note: Avira continues to ignore that Avira sells products where on access scanners are not present OR are no efficient.
«We have acknowledged that you may publish your report as a blog posting. Please do not mention any names,
as this would be against GDPR laws.»
Editor Note: Somewhere in between this I informed Avira that according the policy I shared I will publish
the details effective immediately and no longer coordinate any future vulnerability with Avira.
08/11/2019
I report more bypasses, in order to be able to handle and coordinate these reports I reported to a
protected bugtracking platform. Informed Avira and send them the links to the POC.
«Is there any other communication possible to disclose vulnerabilities to us in a responsible way?
Please feel free to sent us the submissions via email, as all other security researcher are doing.
We will not register to any third party bugtracker.»
Editor note:Note the passive aggressive implicitelypointer to not being reponsible by submitting them
all details via a private bugtracker.
I inform avira that every other AV vendor is ok to use it and I’d expect them to do so as well as I cant
handle 100 of reports in my free time without the proper tooling.
«Registering to an external bugtracker is not only very uncommon, but also not aligned to the most
respected responsible disclosure policies (e.g. of Google or Microsoft) which inform vendors also via email.
Your approach is also not compliant to your own set responsible disclosure policy (Point 2):
—
When a security contact or other relevant e-mail address has been identified, a vendor initially receives a mail with vulnerability details along with a pre-set disclosure date (usually set to a Wednesday 4 weeks later).
— Source: https://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Therefore we would appreciate to receive the details about your findings via email.»
11/11/2020
I hence reply :
«You have received an email and a disclosure date together with a link on where to find further information. That actually meets the below.
Now would you be so kind to actually focus on the matter at hand ? The matter at hand are potential vulnerability reports that are offered to you,
for free. »
No further reply.
13/11/2019
I am «escalating» to the CTO of Avira as we appear to be connected on Linked in.
no reply
16/11/2019
Kind Reminder
no reply
20/11/2019
Giving it one last try – a discussion happens.
25/11/2019
Avira security lead contacts me on linkedin. We discuss coordination and disclosure terms/details
28/11/2019
Submit POC
04/12/2019
«The feature was added to the engine version number 8.3.54.138, which we started to
ship today at 03:00pm CET.»
Editor note : Feature.