________________________________________________________________________

                 From the low-hanging-fruit-department
       Avast Generic Malformed Archive Bypass (ZIP GFlag)
________________________________________________________________________

Release mode    : Coordinated Disclosure
Ref             : [TZO-23-2020] - AVAST Generic Archive Bypass (ZIP)
Vendor          : AVAST
Status          : Patched - version 12 and newer
CVE             : CVE-2020-9399

Blog            : 
https://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
Twitter         : https://twitter.com/thierryzoller
Dislosure Policy: https://caravelahq.com/b/policy/20949

Affected Products
=================
Avast Antivirus Pro Plus
Avast Antivirus Pro
Avast Antivirus für Linux

I. Background
=============
Avast is dedicated to creating a world that provides safety and privacy 
for all, no matter who you are, where you are, or how you connect.
Avast is one of the largest security companies in the world using 
next-gen technologies to fight cyber attacks in real time. We differ 
from other next-gen companies in that we have an immense cloud-based 
machine learning engine that receives a constant stream of data from our 
hundreds of millions of users, which facilitates learning at 
unprecedented speeds and makes our artificial intelligence engine 
smarter and faster than anyone else’s.


II. Description
----------------------------
The parsing engine supports the ZIP archive format. The parsing engine 
can be bypassed  by specifically manipulating an ZIP Archve so that it 
can be accessed by an end-user but not the Anti-Virus software. The AV 
engine is unable to scan the container and gives  the file a "clean" 
rating.

I may release further details after all known vulnerable vendors have 
patched their engines.


III. Impact
----------------------------
Impacts depends on the contextual use of the product and engine within 
the organisation of a customer. Gateway Products (Email, HTTP Proxy etc) 
may allow the file through unscanned and give it a clean bill of health. 
Server side AV software will not be able to discover any code or sample 
contained within this ISO file and it will not raise suspicion even  if 
you know exactly what you are looking for (Which is for example great to 
hide your implants or Exfiltration/Pivot Server).

There is a lot more to be said about this bug class, so rather than bore 
you with it in
this advisory I provide a link to my 2009 blog post
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Patch / Advisory
----------------------------
11.10.2019 - Submission
24.02.2020 - Confirmation by Avast that these have been patched.
"The fix was released in virus definitions 200114-0 (except for very old 
program versions 5.x - 11.x where it hasn't been released yet).
So any program (version 12 and newer) with up-to-date virus definitions 
has the updated unpacker."