Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Security App Flaws :: bt-21893.htm

Symantec generic PDF detection bypass
Symantec generic PDF detection bypass
Symantec generic PDF detection bypass


             Symantec multiple products - Generic PDF bypass

Cheap plug :
Speaking of PDF - If you are interested in client-side vulnerabilities
visit HACK.LU starting tomorrow [28-30 Oct] with :

* Bypassing the Perimeter: Client Side Exploitation - Nitesh Dhanjani, 
                                                      Billy K Rios
Talks :
* New advances in Office Malware analysis - Frank Boldewin
* PDF Penetration Document Format - Didier Stevens
* Ownage 2.0 - Saumil Shah (who else)
* Malicious PDF origamis strike back - Guillaume Delugr=E9
                                       Frederic Raynal

Release mode: Coordinated
Reference   : [GSEC-47-2009] - Symantec generic PDF bypass
WWW : 
Vendor : 
Status      : Patched
CVE         : none attributed yet
Credit : 
Discovered by : Thierry Zoller (G-SEC)

Affected products : 
- Symantec Mail Security for Domino
- Symantec Mail Security for Microsoft Exchange
- Symantec Mail Security for SMTP
- Symantec Brightmail Gateway
- Symantec AntiVirus for Network Attached Storage
- Symantec AntiVirus for Caching
- Symantec AntiVirus for Messaging
- Symantec Protection for SharePoint Servers
- Symantec Protection Suite
- Symantec Scan Engine
- Symantec Client Security
- Symantec Endpoint Protection
- Symantec AntiVirus Corporate Edition
- Norton Internet Security
- Norton 360
- Norton AntiVirus
- Norton Systemworks

Patch availability :
Patches distributed through automatic updates

I. Background
Quote: "Symantec helps consumers and organizations secure and 
manage their information-driven world. Our software and services 
protect against more risks at more points, more completely and 
efficiently, enabling confidence wherever information is used or stored."

II. Description
Improper parsing of the PDF structure leads to evasion of detection of 
malicious PDF documents at scantime and runtime.
This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.

General information about evasion/bypasses can be found at : 

III. Impact
Known PDF exploits/malware may evade signature and heuristic detection, 0day exploits
may evade heuristics.

IV. Disclosure timeline
01.06.2009 - Reported 
12.06.2009 - "This will be posted to our Symantec Product Security Advisory page
             though we are not identifying these issues as vulnerabilities, it's just
             the best method to disseminate this type of product information"
< waiting for others to patch >
27.10.2009 - G-SEC releases this advisory

About G-SEC
G-SEC=99  is  a  vendor independent luxemburgish led IT security consulting
group. More information available at : 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2019 AOH