
DOE-CIRC TECHNICAL BULLETIN

T-131: Multiple AVG Products RAR/ZIP Files Scan Evasion Vulnerability

May 12, 2009 16:00 GMT

PROBLEM: Multiple AVG products are prone to a vulnerability that may allow certain compressed archives to bypass the scan engine.
PLATFORM:
  AVG AVG Anti-Virus 8.0
  AVG AVG Anti-Virus 7.5.476
  AVG AVG Anti-Virus 7.5.448
  AVG AVG Anti-Virus 7.1.407
  AVG AVG Anti-Virus 7.1.308
  AVG AVG Anti-Virus 7.0.323
  AVG AVG Anti-Virus 7.0.251
  AVG AVG Anti-Virus 7.0
  AVG AVG Anti-Virus 6.0.710
ABSTRACT: The parsing engine can be bypassed by a specially crafted and formatted ZIP (file length) archive.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-131.shtml
  OTHER LINKS:
    Security Focus: http://www.securityfocus.com/archive/1/503392
    AVG Homepage: http://www.grisoft.com/

IMPACT ASSESSMENT: This risk is medium. Successful exploits will allow attackers to distribute files containing malicious code that the antivirus application will fail to detect.

DOECIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788