
Avira Antivir Generic Evasion

Posted May 30, 2009
Authored by Thierry Zoller

The Avira Antivir Anti-Virus engine can be bypassed by specially crafted RAR, CAB, ZIP, and LH files.

tags | advisory, virus
SHA-256 | b507728df20115d41c0d77dcddee65a95d9169e3affd2bae91bb1bf6aaa9fc62

________________________________________________________________________

From the low-hanging-fruit-department
Avira Antivir generic RAR,CAB,ZIP,LH evasion
________________________________________________________________________

CHEAP Plug :
************
You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!
************

Release mode: Coordinated but limited disclosure.
Ref : [TZO-28-2009] - Avira Antivir generic RAR,CAB,ZIP
WWW : t.b.a
Vendor : http://www.avira.com
Status : Patched (Engine-Version: AV7 7.9.0.180 / AV8/9 8.2.0.180)
(Re)Discovered : 2005 by froggz, 2007 by Thierry Zoller, 2009 by Roger Mickael
(please give appropriate credit - vendors fix these only when notified
and pressured under disclosure terms, even if they have been known
for years. PS: this is not exclusive to AVIRA)
CVE : none provided
Credit : t.b.a
OSVDB vendor entry: none [1]

Security notification reaction rating : good
Notification to patch window : 22 days

Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
- Avira AntiVir Free
- Avira AntiVir Premium
- Avira AntiVir Premium Security Suite
- Avira AntiVir Professional (Desktop)
- Avira AntiVir Server
- Avira AntiVir Exchange
- Avira AntiVir SharePoint
- Avira AntiVir ISA Server
- Avira AntiVir MIMEsweeper
- Avira AntiVir for KEN! 4
- Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
- Avira AntiVir Professional (Unix)
- Avira AntiVir Server (Unix)
- Avira AntiVir MailGate
- Avira AntiVir WebGate

I. Background
~~~~~~~~~~~~~
Quote: "Avira AntiVir is a reliable free antivirus solution, that constantly
and rapidly scans your computer for malicious programs such as viruses,
Trojans, backdoor programs, hoaxes, worms, dialers etc. Monitors
every action executed by the user or the operating system and reacts
promptly when a malicious program is detected."


II. Description
~~~~~~~~~~~~~~~
The anti-virus engine could be bypassed by specially crafted files. The root
cause was the same for RAR, CAB, ZIP and LH.

III. Impact
~~~~~~~~~~~
The engine could be bypassed remotely: the malware was no longer detected.
This is an issue especially with gateway solutions. For more about the impact
and type of "evasion", I updated the description at
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html


IV. Timeline
~~~~~~~~~~~~
DD/MM/YYYY

07/05/2009 : Sent proof of concept, a description of the terms under which
I cooperate and the planned disclosure date.

08/05/2009 : Avira replies that "Roger Mickael" reported a similar issue

08/05/2009 : Sent another POC in formats other than those reported previously

11/05/2009 : Avira asks for a delay

27/05/2009 : Avira informs me that "please be informed that we've just
released the fixed engine files to the public (27th of May,
19:19 pm CET): Engine-Version: AV7 7.9.0.180 / AV8/9 8.2.0.180"

29/05/2009 : Release of this advisory.


[1]
Avira is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/AVIRA%20GmbH to facilitate
communication and reduce lost reports.