[TZO-05-2009] Clamav 0.94 and below - Evasion /bypass Apr 02 2009 02:27PM
Thierry Zoller (Thierry Zoller lu)

From the low-hanging-fruit-department - Generic ClamAV evasion

Release mode: Coordinated but limited disclosure.
Ref : TZO-062009- ClamAV Evasion
WWW : http://blog.zoller.lu/2009/04/clamav-094-and-below-evasion-and-bypass.ht
Vendor : http://www.clamav.net &
Security notification reaction rating : Good.
Disclosure Policy :

Affected products :
- ClamAV below 0.95
Includes MACOSX server,IBM Secure E-mail Express Solution for System
and a lots of mail appliances.

About this advisory
I used to not report bugs publicly where a a vendor - has not reacted
to my notifications - silently patched. I also did not publish
low hanging fruits as they make you look silly in the eyes of your

Over the past years I had the chance to audit and test a lot of critical
infrastructures that, amongst other things relied on security products
(and on security notifications from vendors) and have witnessed various
ways of setting up your defenses that make some bugs critical that
you'd consider low at first glance, I came to the conclusion that most
bugs deserve disclosure.

Please see "Common misconceptions" for more information.

I. Background
Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX,
designed especially for e-mail scanning on mail gateways. It provides
a number of utilities including a flexible and scalable multi-threaded
daemon, a command line scanner and advanced tool for automatic
database updates. The core of the package is an anti-virus engine
available in a form of shared library.

II. Description
The parsing engine can be bypassed by manipulating RAR archive in
a "certain way" that the Clamav engine cannot extract the content but
the end user is able to. Details are currently witheld (thanks to IBM).

III. Impact
The bug results in denying the engine the possibility to inspect
code within the RAR archive. While the impact might be low client-
side (as code is inspected upon extraction by the user) the impact
for gateways or AV infrastructure where the archive is not extracted
is considerable. There is no inspection of the content at all, prior
disclosure therefore referred to this class of bugs as Denial of service
(you deny the service of the scan engine for that file) however I
choose to stick the terms of evasion/bypass, being the primary impact
of these types of bugs.

PS. I am aware that there are hundreds of ways to bypass, that however
doesn't make it less of a problem. I am waiting for the day where the
first worm uses these techniques to stay undetected over a longer
period of time, as depending on the evasion a kernel update (engine
update) is necessary and sig updates do not suffice. Resulting in
longer window of exposure - at least for GW solutions. *Must make
confiker reference here*

IV. Common misconceptions about this "bug class"
- This has the same effect as adding a password to a ZIP file

The scanner denotes files that are passworded, an example is an E-mail
GW scanner that adds "Attachment not scanned" to the subject line or
otherwise indicates that the file was not scanned. This is not the case
with bypasses, in most cases the engine has not inspected the content
at all or has inspected it in a different way.
Additionally passworded archive files are easily filterable by a content
policy, allowing or denying them.

- This is only an issue with gateway products

Every environment where the archive is not actively extracted by
the end-user is affected. For example, fileservers, databases
etc. pp. Over the years I saw the strangest environments that
were affected by this type of "bug". My position is that customers
deserve better security than this.

- Behavioral analysis will catch this ?
No, the content is unreadable to the AV engine as such no inspection
whatsoever is possible.

- Evasions are the Cross Site scripting of File formats bugs

IV. Disclosure timeline

IBM was sent two POC files, an explanation and the disclosure terms

09/03/2009 : Send proof of concept, description the terms under which
I cooperate and the planned disclosure date (23/03/2009)

13/03/2009 : Clamav responds that the bug is reproducible and will be
fixed in 0.95 to be released the 23/03/2009

(IBM take note, it's that easy.)

23/05/2009 : Asked clamav if the release was made and if credit was

23/05/2009 : Clamav responds that the release was made, and that the
credit was given in the changelog. (Tzo note: A post will
be probably be made at http://www.clamav.net/category/security/

02/01/2009 : Release of this limited detail advisory

Final comments :
I would like to thank Tomasz Kojm (clamav) for the professional
reaction and AV-Test GMBH for their support.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus