Vulnerabilities in several security products
Several security products have been reported to contain vulnerabilities that allow their filtering to be circumvented or enable denial-of-service attacks. ClamAV versions prior to 0.95, for example, can be fooled into not scanning crafted RAR archives, and malformed TAR files can put it into an infinite loop when it attempts to process them. Also, when scanning executable files with the --detect-broken option set, the ClamAV scanner can crash with a divide-by-zero error. These errors are eliminated in ClamAV 0.95.
F-Prot has a problem with manipulated headers in ZIP files, which can also allow potentially infected files to pass the scanner undetected. According to security specialist Thierry Zoller, the bug was reported to the maker, FRISK, four years ago. FRISK acknowledges the error but rates it as only minor and wants to repair it in the upcoming version 4.5 of its scanning engine.
According to Zoller, IBM's Proventia may also be unable to scan crafted RAR archives. Such an archive could end up on the desktop and be opened by the user, resulting in infection, but Zoller points out that the client-side impact is lessened as the extracted files should also be scanned. Zoller is holding back the details for two weeks; IBM has been informed of the vulnerability but has so far not responded.
Zoller considers these problems an issue for gateways and servers, rather than the desktop.
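An added example, not part of the original article or of any vendor's code: one way a gateway could fail closed on ZIP archives whose method field is inconsistent or unsupported, the header area named in the F-Prot report. The article gives no details of the manipulation, so the policy in `SUPPORTED` and the names `audit_zip`, `local_method` and `build_sample` are assumptions made here.

```python
import io
import struct
import zipfile

# Assumed gateway policy: only these methods are unpacked and scanned.
SUPPORTED = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}

def local_method(data: bytes, offset: int) -> int:
    """Compression method as recorded in the local file header at offset."""
    # Layout: signature(4) version(2) flags(2) method(2) ...
    if data[offset:offset + 4] != b"PK\x03\x04" or len(data) < offset + 10:
        raise ValueError("no valid local file header at recorded offset")
    return struct.unpack_from("<H", data, offset + 8)[0]

def audit_zip(data: bytes) -> list[str]:
    """Return reasons to quarantine the archive; an empty list means pass."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except (zipfile.BadZipFile, NotImplementedError, ValueError, OSError) as exc:
        return [f"unparseable archive: {exc}"]  # fail closed, never pass unscanned
    findings = []
    with zf:
        for info in zf.infolist():
            try:
                local = local_method(data, info.header_offset)
            except ValueError as exc:
                findings.append(f"{info.filename}: {exc}")
                continue
            # The central directory and the local header must tell the same story.
            if local != info.compress_type:
                findings.append(f"{info.filename}: method differs between "
                                f"local header ({local}) and central directory "
                                f"({info.compress_type})")
            elif local not in SUPPORTED:
                findings.append(f"{info.filename}: unsupported method {local}")
    return findings

def build_sample() -> bytes:
    """Constructed sample: a well-formed one-member archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", "constructed sample content\n" * 4)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_zip(build_sample()) or "pass: headers consistent")
```

Any non-empty result is treated as a reason to quarantine rather than deliver, which matches the gateway and server focus of the reports.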
- ClamAV 0.94 and below - Evasion and bypass due to malformed archive, report by Thierry Zoller.
- clamd and clamscan get hung up by interesting file, 0.94.2, bug report from ClamAV.
- Division by zero with --detect-broken, bug report from ClamAV.
- Potential parser (logic) bug #1 - RAR size, bug report from ClamAV.
- F-Prot bypass/evasion - Zip Method Field, report by Thierry Zoller.
- IBM Proventia - Evasion (limited details), report from Thierry Zoller.