Advisory: F-Prot (Frisk) - CAB bypass / evasions

Release mode: Coordinated but limited disclosure
Vendor: http://www.f-prot.com
Status: Current version not patched; next engine version patched. Release date unknown, vendor no longer answers.

Affected products:
- F-PROT AVES (High: complete bypass of engine)
- F-PROT Antivirus for Windows (unknown)
- F-PROT Antivirus for Windows on Mail Servers (High: complete bypass of engine)
- F-PROT Antivirus for Exchange (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 Mail Servers (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 File Servers (High: complete bypass of engine)
- F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete bypass of engine)
- F-PROT Milter, e.g. for sendmail (High: complete bypass of engine)
- F-PROT Antivirus for Linux on IBM zSeries (S/390) (High: complete bypass of engine)
- F-Prot Antivirus for Linux x86 Workstations (unknown)

OEM partners affected:
- Authentium (all)

OEM partners with unknown status:
- Sendmail, Inc.
- G-Data

Disclosure timeline:
- 10/04/2009: Sent proof of concept, a description of the terms under which we cooperate, and the planned disclosure date.
- 15/04/2009: FRISK responds that they were unable to find any archive program able to extract the file, and that some archive programs they tested suffer from an integer overflow when extracting it.
- 15/04/2009: Informed FRISK that the sample should extract fine.
- 20/04/2009: FRISK responds that they were unable to find any archive program able to extract the file.
- 20/04/2009: Informed FRISK that the sample should extract fine.
- 22/04/2009: FRISK responds that they were unable to find any archive program able to extract the file. It will nonetheless be patched: "being low-priority, it will not be added to the 4.4 branch. In other words, the fix will be included in the next engine released".
- 22/04/2009: Sent FRISK a slightly modified POC (same field, different value) that extracts fine and still bypasses the engine. Asked the vendor to confirm that the new engine catches the POC.
- 27/04/2009: Resent the previous mail, asking them to check whether the patch effectively closes the issue.
- 08/05/2009: Release of this advisory.