Where facts are few, experts are many.

Sample navigation menu:

Home | Objectives | Tools & Research Advisories Blog | Contact |

Advisories

G-SEC™ regularly publishes advisories about vulnerabilities that we discovered during our research. G-SEC™ tries to follow responsible disclosure guidelines whenever possible.

More information »

Advisories

McAfee - Generic PDF detection bypass

Release mode: Coordinated
Reference : [GSEC-49-2009] - McAfee PDF bypass
Vendor : http://www.mcafee.com
Status : Patched
CVE : none attributed yet
Credit : https://kc.mcafee.com/corporate/index?page=content&id=SB10003
           (We disagree on the CVSS rating )
Discovered by : Thierry Zoller (G-SEC)

Affected products :

• All McAfee software that uses DATs including:
• McAfee GroupShield
• McAfee LinuxShield
• McAfee NetShield for NetWare
• McAfee PortalShield
• McAfee Total Protection Service (SaaS)
• McAfee Virex
• McAfee Total Protection™ 2009
• McAfee Internet Security
• McAfee VirusScan USB
• McAfee VirusScan Enterprise
• McAfee VirusScan Enterprise Linux
• McAfee VirusScan Enterprise for SAP
• McAfee VirusScan Enterprise for Storage
• McAfee VirusScan Commandline
• Mcafee SecurityShield for Microsoft ISA Server
• Mcafee Security for Microsoft Sharepoint
• Mcafee Security for Email Servers
• McAfee Email Gateyway
• McAfee Total Protection for Endpoint
• McAfee Active Virus Defense
• McAfee Active VirusScan

I. Background

Quote: "McAfee proactively secures systems and networks from known and as yet undiscovered threats worldwide. Home users, businesses, service providers, government agencies, and our partners all trust our unmatched security expertise and have confidence in our comprehensive and proven solutions to effectively block attacks and prevent disruptions."

II. Description

Improper parsing of the PDF structure leads to evasion of detection of malicious PDF documents at scantime and runtime. This has been tested with several malicious PDF files and represents a generic evasion of all PDF signatures and heuristics.

General information about evasion/bypasses can be found at : http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

III. Impact

Known PDF exploits/malware may evade signature detection, 0day exploits may evade heuristics.

V. Disclosure timeline
DD.MM.YYYY

• 01.06.2009 - Reported
• 20.10.2009 - McAfee informed us that they published the advisory on their website
  < waiting for others vendors to patch >
• 27.10.2009 - G-SEC releases this advisory
  
  

Note: All trademarks mentioned herein belong to their respective owners.

© 2009 - 2019 G-SEC™