AVIRA Generic Antivirus Bypass

AVIRA engine versions below 8.3.54.138 suffer from a generic bypass vulnerability. The parsing engine supports the ISO container format. The parsing engine can be bypassed by specifically manipulating an ISO container so that it can be accessed by an end-user but not the Anti-Virus software. The AV engine is unable to scan the container and gives the file a "clean" rating.


MD5 | c0e4ae9f187665effb5e7ea15ffb7ef3


________________________________________________________________________

From the low-hanging-fruit-department
AVIRA Generic Malformed Container bypass (ISO)
________________________________________________________________________

Release mode : Silent Patch by Avira - Coordinated otherwise
Ref : [TZO-01-2019] - AVIRA Generic AV Bypass
Vendor : AVIRA
Status : Patched (AV Engine above 8.3.54.138)
CVE : none provided, silent patch
Blog : https://blog.zoller.lu
Vulnerability Dislosure Policy: https://caravelahq.com/b/policy/20949

Introduction
============
10 years ago I took a look at ways to evade AV/DLP Engine detection by
using various techniques and released a metric ton of Advisories. 10
years later after multiple CISO type roles I wanted to deep dive again
and see how far (or not) the AV industry has reacted to this class of
vulnerabilities.

These types of evasions are now actively being used in offensive
operations [1]. To my surprise with a few exceptions most AV Vendors
haven't, in some cases I found the very same vulnerabilities that were
patched and disclosed years ago.

Worse than that is the fact that some vendors that were very
collaborative in 2008/2009 have now started to ignore submissions
(until I threaten disclosure) or are trying to argue that generically
evading AV detection is not a vulnerability.

A lot of exchanges took place on this matter, for instance one vendor
argued that this could not be called a vulnerability because it would
not impact Integrity, Availability or Confidentiality so it can't
possible be a vulnerability.

Even more bothering to me is how the bu bounty platform have created a
distorted Reporter/Vendor relationship and mostly are executed to the
detriment of the customers.I am collecting my experiences and will write
a blog post about this phenomenon.

There will by many more advisories, hoping that I can finally eradicate
this bug class and I don't have to come back to this 10 years from now
again.

[1]
https://www.bleepingcomputer.com/news/security/specially-crafted-zip-files-used-to-bypass-secure-email-gateways/
https://www.techradar.com/news/zip-files-are-being-used-to-bypass-security-gateways

Affected Products
=================
AV Engine below 8.3.54.138

All Avira products :
- Avira Antivirus Server
- Avira Antivirus for Endpoint
- Avira Antivirus for Small Business
- Avira Exchange Security (Gateway)
- Avira Internet Security Suite for Windows
- Avira Prime
- Avira Free Security Suite for Windows
- Cross Platform Anti-malware SDK

Attention:
Avira does not patch or update their very popular command line scanner
that is still available for download on their website. Since Avira does
not release and advisory their customers are none
the wiser.

Avira licenses it's engine to many OEM Partners. The OEM Partners that
use the Avira Engine may be vulnerable or not. I would advise that you
reach out to the vendors listed below to know whether you are affected
or not. OEM Partners
can reach out to me to retreive the POC in order to test.

AVIRA OEM Partners:
- F-Secure
- Sophos
- Barracude
- Alibaba Cloud Security
- Check Point
- CUJO AI
- TP-Link
- FujiSoft
- AWS
- Rohde and Schwarz
- Careerbuilder
- Huawei
- Dracoon
- Total Availability
- FixMeStick
- APPVISORY
- Tabidus
- Cyren


Source :
https://oem.avira.com/en/partnership/our-partners


I. Background
----------------------------
Quote: "We protect people—like you—across all devices, both directly and
via our OEM partnerships.We provide a wide variety of best-in-class
solutions to enhance your protection, performance,
and online privacy—ranging from antivirus to VPN and cleanup technologies.

A server security should get special attention, as a single employee
might store a malicious file on the network and instantly cause a
cascading damage across the entire organization.
With Avira's solutions for server security you can prevent such
scenarios by protecting your network, data, and web traffic. "

Avira has the Trust Seal or the
http://www.teletrust.de/itsmig/


II. Description
----------------------------
The parsing engine supports the ISO container format. The parsing engine
can be bypassed by specifically manipulating an ISO container so that
it can be accessed by an end-user but
not the Anti-Virus software. The AV engine is unable to scan the
container and gives the file a "clean" rating.

I may release the details after all known vulnerable vendors have
patched their engines.


III. Impact
----------------------------
Impacts depends on the contextual use of the product and engine within
the organisation
of a customer. Gateway Products (Email, HTTP Proxy etc) may allow the
file through unscanned
and give it a clean bill of health. Server side AV software will not be
able to discover
any code or sample contained within this ISO file and it will not raise
suspicion even
if you know exactly what you are looking for (Which is for example great
to hide your implants
or Exfiltration/Pivot Server).

There is a lot more to be said about this bug class, so rather than bore
you with it in
this advisory I provide a link to my 2009 blog post
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Patch / Advisory
----------------------------
I advise customers on scancl.exe (or Unix Variant) to change to another
vendor as Avira
is apparently no longer maintaining it, and apparently also not warning
customers about
vulnerabilities

Furthermore should be be an enterprise customer of the OEM Partners
above I suggest to
reach out to the vendor in order to understand whether this flaw was
patched downstream
in their respective products.

I recommend to the amavisd project to warn users of this facts
https://gitlab.com/amavis/amavis/blob/master/amavisd.conf


In case you have any further questions please direct them to Avira, the
above is based on
the best of my knowledge and since AVIRA does not release Advisories we
are left in the dark
as to what they officially recommend.

V. Disclosure timeline
----------------------------

How Avira handled these reports in 2009 :
https://blog.zoller.lu/2009/04/avira-antivir-generic-cab-bypass.html

The below is a summary of 2-3 evasion reports that I have submitted.

How Avira handled this one :

15/10/2019
Submitted Proof of Concept

15/10/2019
Avira asks me to send a new POC using "EICAR"
(Eicar can only be compressed via forcing special compression mode - I
refuse)

22/10/2019
Avira forwards to tech department

25/10/2019
Avira argues that this would be the same as adding a password to the
file. "You could achieve the same effect by setting a password on the
ZIP Archive,
or encrypting the file in any way. This would also make it impossible to
scan the file. "

26/10/2019
I reply that Avira offers products that have no on access scanner
(Commandline, Gateway Products) and point again
to my blog post discussing these common arguments and the overall threat
model.

Avira replies by basically ignoring the details given above:
"We analyzed your report again. After careful consideration we still
have to decline your report for multiple reasons.
First of all, the product you used in your evaluation (scancl.exe) is no
longer supported by Avira and not used
as standalone product."

Editor Note: Their command line scanner (scancl.exe) is in reality still
available on their website as of today and
is being used by a massive amount of customers especially as you can
easily include it in AMAVIS.
It can still be activated via license and AVIRA still recommends
customers to install it.
https://www.avira.com/documents/products/pdf/es/man_avira_antivir-unix_server_en.pdf
(Section 3.5)

Avira then shifts the blame to their OEM partners and customers :
"Additionally we checked the behavior of our engine on your reported
cases. When the engine encounters a corrupted
archive, we intentionally do not try to attempt to extract the file and
instead report back a warning to the product
(As shown in your output). It is up to the integrator of the engine, on
how to handle these cases and depends on
the security model of the setup."

"Our recommendation is to block these files, but as stated before, this
is up to the integrators and the specific setup.
There are also good reasons not to block these files, while still
ensuring the security of our customers. Our AV products
for example clients skips these files on scans, because a virus cannot
be executed when stored in an archive. As soon as
you extract the file, our OnAccess scanner scans the file, and blocks
the execution of the file, so that our customers
are protected"

Editors note: Again ignoring the many products that have no on access
scanner or where the on access scanner is not effectively
used.

"A similar behavior is conducted when scanning encrypted files, or
self developed archive types. Both types cannot be scanned,
but it would be unwise to block these files in general, since you
surely agree, that many encrypted files are not harmful and desired.
Please be aware that this reply also applies to your other reports."

28/10/2019
After I reiterated the threat model I get the following reply (Ignoring
that their other products can't parse the container
either)

"Yes we rejected the used application, because it is not designed to be
used as standalone product."

Editors note: Yet Avira gives guidance on how to configure command line
scanners to be used within gateway products as a
standalone product (see tech documentation on Vendor website)

"Therefore, having a warning that the file is corrupted (as it is) and
can't be scanned, is the most secure option."
Editors Note : In some cases it is indeed, but that's missing the point
of this report.

"It then depends, as mentioned in my previous mails, on the integrator
of the Engine on how to proceed. For our consumer
products for example, the file will be skipped and scanned as soon as an
application tries to extract the file with
our OnAccess scanner. This is also the default process for encrypted
files or own defined, unknown data formats
(as you have when you deviate from the ZIP standard)."

Editors note: Avira continues to ignore that Avira sells products where
on access scanners are not present OR are no efficient.

"We have acknowledged that you may publish your report as a blog
posting. Please do not mention any names,
as this would be against GDPR laws."

Editor Note: Somewhere in between this I informed Avira that according
the policy I shared I will publish
the details effective immediately and no longer coordinate any future
vulnerability with Avira.

08/11/2019
I report more bypasses, in order to be able to handle and coordinate
these reports I reported to a
protected bugtracking platform. Informed Avira and send them the links
to the POC.

"Is there any other communication possible to disclose vulnerabilities
to us in a responsible way?
Please feel free to sent us the submissions via email, as all other
security researcher are doing.
We will not register to any third party bugtracker."

Editor note:Note the passive aggressive implicitelypointer to not being
reponsible by submitting them
all details via a private bugtracker.
I inform avira that every other AV vendor is ok to use it and I'd expect
them to do so as well as I cant
handle 100 of reports in my free time without the proper tooling.

"Registering to an external bugtracker is not only very uncommon, but
also not aligned to the most
respected responsible disclosure policies (e.g. of Google or Microsoft)
which inform vendors also via email.
Your approach is also not compliant to your own set responsible
disclosure policy (Point 2):

When a security contact or other relevant e-mail address has been
identified, a vendor initially receives a mail with vulnerability
details along with a pre-set disclosure date (usually set to a Wednesday
4 weeks later).
— Source:
https://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Therefore we would appreciate to receive the details about your findings
via email."


11/11/2020
I hence reply :
"You have received an email and a disclosure date together with a link
on where to find further information. That actually meets the below.
Now would you be so kind to actually focus on the matter at hand ? The
matter at hand are potential vulnerability reports that are offered to you,
for free. "

No further reply.

13/11/2019
I am "escalating" to the CTO of Avira as we appear to be connected on
Linked in.
no reply

16/11/2019
Kind Reminder
no reply

20/11/2019
Giving it one last try - a discussion happens.

25/11/2019
Avira security lead contacts me on linkedin. We discuss coordination and
disclosure terms/details

28/11/2019
Submit POC

04/12/2019
"The feature was added to the engine version number 8.3.54.138, which we
started to
ship today at 03:00pm CET."

Editor note : Feature.







Related Posts