BitDefender AntiVirus Fails to Scan All of Multiple Attachments
SecurityTracker Alert ID: 1014495|
SecurityTracker URL: http://securitytracker.com/id/1014495
(Links to External Site)
Updated: Jun 24 2008|
Original Entry Date: Jul 15 2005
Host/resource access via network|
Exploit Included: Yes |
Version(s): 1.6.1 and prior versions|
A vulnerability was reported in BitDefender AntiVirus for Linux/FreeBSD. A remote user can bypass the antivirus scanning protection.|
A remote user can send an e-mail message with multiple attachments to cause the attachments following the first one to not be scanned.
The vendor was notified on July 4, 2005.
Alexander 'xaitax' Hagenah reported this vulnerability.
A remote user can send a malicious attachment that will not be scanned by the anti-virus engine.|
The vendor has issued a fix.|
Vendor URL: www.bitdefender.com/ (Links to External Site)
Access control error, State error|
|Underlying OS: Linux (Any), UNIX (Any)|
Source Message Contents
--/ INTRODUCTION --
Advisory : 05_07_14-bitdefender_malicious_content_bypass
Release Date : 14. July 2005
Application : BitDefender Antivirus
Impact : Malicious content bypass
Author : Alexander 'xaitax' Hagenah [ah at primepage dot de]
--/ SYSTEMS AFFECTED --
BitDefender running on Linux/BSD
* Engine 1.6.1 and prior
--/ VENDOR --
Informed : 04. July 2005
Response : 05. July 2005
Patched : 13. July 2005
--/ ABOUT --
BitDefender Antivirus & Antispam for Linux and FreeBSD Mail Servers
The BitDefender solutions for Mail Servers running on Linux and FreeBSD
platforms provide content security at the gateway level, by scanning
all the inbound and outbound e-mail traffic for malware and spam.
--/ SUMMARY --
The BitDefender-Mail Server Scan-Engine is vulnerable against a simple
A Scan-Engine normally splits a mail into header, body and attachments.
So the Scan-Engine is easily able to scan all the attachments in it's
If there is more than one element, it simply jumps to the following and
does it's job again.
Not this one - in this engine only the first element is counted and
scanned. If there is more than one attachment, the following ones are
ignored. So you could simply add somewhere into the mail the following
Now the engine expect this to be the first attachment and stops
scanning the mail. So there is no problem to add an attachment with
malicious content which will be ignored by the BitDefender scanner.
This only depends to UUencoded mails. For more information about
UUencode take a look at http://en.wikipedia.org/wiki/Uuencode.
--/ REPRODUCE --
If the engine is somewhere productive running, you can test it - maybe
with EICAR as attachment - and put into the body the begin/end content.
If not, there is a evaluation version to download on the
--/ PATCH --
The patch is automatically downloaded by the bitdefender update engine.
It works with all versions, because all updates are transferred into
--/ CONTACT --
This advisory is provided by:
- ( x a i t a x - s e c u r i t y ) -
http://xaitax.de | ah at primepage dot de
top concepts Internetmarketing GmbH
http://topconcepts.de | hagenah at topconcepts dot de