[TZO-14-2009] Comodo Antivirus RAR evasion Apr 27 2009 02:41PM
Thierry Zoller (Thierry Zoller lu)

From the low-hanging-fruit-department - Comodo antivir bypass/evasion

Release mode: Coordinated but limited disclosure.
Ref : TZO-142009 - Comodo evasion RAR
WWW : http://blog.zoller.lu/2009/04/comodo-antivirus-evasionbypass.html
Vendor : http://www.comodo.com
Status : Patched
Security notification reaction rating : Good
Notification to patch window : 41 days

Disclosure Policy :

Affected products :
- Comodo Internet Security 3.5.x and 3.8.x (Impact low due to on access scan)
- Comodo Anti-Virus (Impact low due to on access scan)

I. Background
Quote: "Comodo's range of solutions gives businesses the ability
to create online trust through proprietary technology that help
e-businesses convert more customers, retain more customers and
increase lifetime value."

II. Description
The parsing engine can be bypassed by a specially crafted and formated
RAR archive. Details are currently witheld due to other vendors that are
in process of deploying patches.

III. Impact
A general description of the impact and nature of AV Bypasses/evasions
can be read at :

The bug results in denying the engine the possibility to inspect
code within the RAR archive. There is no inspection of the content
at all and hence the impossibility to detect malicious code.

IV. Disclosure timeline
14/03/2009 : Send proof of concept, description the terms under which
I cooperate and the planned disclosure date

No reply

16/03/2009 : Resend notification

23/03/2009 : Comodo answers that the bug has been fixed and will be deployed
in version 3.9 due in end of April.

02/04/2009 : Ask for affected versions.

02/04/2009 : Comodo answers that the ranges 3.5.x and 3.8.x have been affected
and that the sheduled release date is the 25th of April. Credit
will be given in the release notes.

27/04/2009 : Notify comodo that I plan to release the advisory today and assume
the production code has been released in the 25.04.2009

27/04/2009 : Release of this advisory

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus