________________________________________________________________________

                    From the facepalm department
              Kaspersky and the silent fix that wasn't
                            PDF Evasion
________________________________________________________________________

Release mode: Forced disclosure
Ref         : [TZO-30-2009] - Kaspersky PDF evasion (Forced disclosure)
WWW         : http://blog.zoller.lu/2009/05/advisory-kaspersky-generic-pdf-evasion.html
Vendor      : http://www.kaspersky.com/
Status      : Silent fix that doesn't work - No appropriate patch
CVE         : none provided
Credit      : none given
OSVDB vendor entry: No [1]

Security notification reaction rating : Catastropic

Not only did the headquarter not answer, they (tried) to patch this
vulnerability silently, only to fail at it. See Timeline.

This is not the first time that Kaspersky did not answer but patched
bugs without credit, advisory or anything. This is however the last
time I will not disclose, I am no longer part of an entity that tolerates
irresponsible non-disclosure.

A professional reaction to a vulnerability notification is a way to measure
the maturity of a vendor in terms of security. Kaspersky is given a grace
period of two (2) weeks to reply to my notifications. Failure to do so will
result in details of all the other reported bugs be released in two (2) weeks.

Notification to patch window : x+n
Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products (all versions) :
- Kaspersky Internet Security
- Kaspersky Anti-Virus
- Kaspersky Mobile Security
- Kaspersky Small Office Security
- Kaspersky Open Space Security
  - Kaspersky Business Space Security
  - Kaspersky Work Space Security
  - Kaspersky Enterprise Space Security
- Kaspersky Targeted Security
- KasperskyŽ Anti-Virus for Microsoft ISA Server
- KasperskyŽ Anti-Virus for Proxy Server
- KasperskyŽ Anti-Virus for Check Point Firewall-1
- KasperskyŽ Anti-Virus for Windows Server
- KasperskyŽ Anti-Virus for Windows Server Enterprise Edition
- KasperskyŽ Anti-Virus for Novell NetWare
- KasperskyŽ Anti-Virus for Linux File Server
- KasperskyŽ Anti-Virus for Samba Server
- KasperskyŽ Security for Microsoft Exchange 2007
- KasperskyŽ Security for Microsoft Exchange 2003
- KasperskyŽ Anti-Virus for Lotus Notes/Domino
- KasperskyŽ Anti-Virus for Windows Workstation
- KasperskyŽ Anti-Virus for Linux Workstation
- KasperskyŽ Anti-Virus for Linux Mail Server
- KasperskyŽ Mail Gateway
- KasperskyŽ Anti-virus for MIMEsweeper

See notification and disclosure terms for details about this list.

I. Background
~~~~~~~~~~~~~
Quote: "We develop, produce and distribute information security solutions that
protect our customers from IT threats and allow enterprises to manage risk.
We provide products that protect information from viruses, hackers and spam
for home users and enterprises and offer consulting services and technical
support. "


II. Description
~~~~~~~~~~~~~~~
The PDF files are not parsed correctly, a PDF file starts with the magic
byte "%PDF" and ends with the magic byte "%%EOF", everything in between
those markers is parsed and interpreted. Furthermore PDF files are read from
the bottom to the top.

Adobe Acrobat nor the FoxitReader care too much about the data that
comes prior the magic byte, the kaspersky engine does, not only does
it care, it fails to detect the malware inside the PDF file.

I will spare you the details, a PDF file is bascialy a container that
starts with %PDF and ends with %%EOF.

What follows are the details of this evasion, note this one is generic
and the easiest one, there are plenty more. What you read below is true
as amazing as it might seem, you can't have it more simple.

Example of a malicious PDF file [2]+[3] :

  %PDF
  Malicious content here
  %%EOF

Doing :

  Enter stuff here, like random text.
  %PDF
  Malicious content here
  %%EOF

This has the result that the malware is no longer being detected.
Note: Not a single byte of the malware itself been altered, and strictly speaking
the content that represent a PDF file hasn't been changed at all.

This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.

Kaspersky was given the PoC file directly through myself and F-Secure,  they
went ahead an patched this by adding a signature for the POC file, adding
a PE header in front of a PDF file (with a PDF extension) still evades detection
and the exploit still triggers when opening the file with Adobe. Thus the
patch is flawed by design.

III. Impact
~~~~~~~~~~~
The heuristics can be bypassed by a special formated PDF "container", this
leads to the bypass of malicious PDF files, old or new. This is not a
bypass that relies on archive structures but relies on evading certain
code paths in the av engine "through various means".

A general description of the impact and nature of AV Bypasses/evasions
can be read at :  http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

Note: Certain vendors confirmed this to bypass their engine at runtime.

IV. Timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
15/05/2009 : Send proof of concept, description the terms under which
             I cooperate and the planned disclosure date.

             no reply

xx/05/2009 : F-Secure sends the same sample to Karspersky

01/06/2009 : Re-sending the proof of concept, description the terms under which
             I cooperate and the planned disclosure date.

             no reply

03/06/2009 : F-Secure informs me that the sample was submitted to Kaspersky

03/06/2009 : Informed F-secure to communicate with Kaspersky and please ask
             them to reply to my notifications.

03/06/2009 : Kaspersky Moscow visits my blog, searches for "AVP" and "Kaspersky".
             Obviously they received both reports. (see website for pic)

             No reply

04/06/2009 : Discovered that the POC file is now detected by the latest Kaspersky
             update.

04/06/2009 : Discovered that adding a few bytes evades the engine again.
+5minutes

09/06/2009 : Release of this advisory on the blog, tweet. Hoping for any reaction
             prior to sending it to bugtraq

13/06/2009 : Release to Bugtraq et al.

Note (in all fairness): Kaspersky US did acknowledge the receipt of 2 other bugs,
however they  couldn't provide any information or any reaction as Moscow simply
didn't answer them.

[1] http://osvdb.org/vendor/1/Kaspersky%20Labs
[2] http://blog.didierstevens.com/2009/05/14/malformed-pdf-documents/
[3] http://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/



main page ATTRITION feedback