Copyright © 1995-2013 LinuxRocket.net. All rights reserved.
|New User, Welcome! Login
[TZO-09-2009] NOD32 (Eset) bypass / evasion (Limited details)
||Thierry Zoller <Thierry Zoller lu>
||NTBUGTRAQ <NTBUGTRAQ LISTSERV NTBUGTRAQ COM>, bugtraq <bugtraq securityfocus com>, full-disclosure <full-disclosure lists grok org uk>, <info circl etat lu>, <vuln secunia com>, <cert cert org>, <nvd nist gov>, <cve mitre org>
||[TZO-09-2009] NOD32 (Eset) bypass / evasion (Limited details)
||Fri - Apr 17, 2009 07:50 AM
From the low-hanging-fruit-department - Nod32 bypass/evasion
Release mode: Coordinated but limited disclosure.
Ref : TZO-092009 - Nod32 Evasion RAR
WWW : http://blog.zoller.lu/2005/04/nod32-eset-generic-evasion-limited.html
Vendor : http://www.eset.com/
Security notification reaction rating : Good enough
Notification to patch window : 14 days
Intersting backround statistics:
Time required to coordinate disclosure and write the advisory: 2,5 hours
Time required to find the bug : 25 minutes
Disclosure Policy :
Affected products :
- ESET Smart Security 4 (before 15/04/2009)
- ESET NOD32 Antivirus 4 (before 15/04/2009)
- ESET Smart Security 4 Business Edition (before 15/04/2009)
- ESET NOD32 Antivirus 4 Business Edition (before 15/04/2009)
- ESET NOD32 Antivirus for Exchange Server (before 15/04/2009)
- ESET Mail Security (before 15/04/2009)
- ESET NOD32 Antivirus for Lotus Domino Server (before 15/04/2009)
- ESET File Security (before 15/04/2009)
- ESET Novell Netware (before 15/04/2009)
- ESET DELL STORAGE SERVERS (before 15/04/2009)
- ESET NOD32 Antivirus for Linux gateway devices (before 15/04/2009)
- Command line version : NOD32 prior to 3.0.677
ESET develops software solutions that deliver instant, comprehensive protection
against evolving computer security threats. ESET NOD32® Antivirus, is the flagship
product, consistently achieves the highest accolades in all types of
comparative testing and is the foundational product that builds
out the ESET product line to include ESET Smart Security.
The parsing engine can be bypassed by a specially crafted and formated
RAR archive. Details are currently witheld due to other vendors that are
in process of deploying patches.
A general description of the impact and nature of AV Bypasses/evasions
can be read at :
The bug results in denying the engine the possibility to inspect
code within the RAR archive. There is no inspection of the content
IV. Disclosure timeline
04/04/2009 : Send proof of concept, description the terms under which
I cooperate and the planned disclosure date
09/04/2009 : Resend notification with an indication this will be the last
attempt to responsibly disclose.
09/04/2009 : Eset acknowledges receipt and previous receipt and apologises
for not being able to answer due to an internal
miscommunication. Patch will be deployed on the 15th of April.
09/04/2009 : Ask where changelog/advisory will be posted to
09/04/2009 : Eset responds that credit will be included in changelogs
17/04/2009 : Release of this advisory
Nearly all of LinuxRocket's features are free. Be kind and donate to the cause!