[TZO-15-2009] Aladdin eSafe generic bypass - Forced release

[Thierry Zoller <Thierry () Zoller lu>]

______________________________________________________________________

  From the low-hanging-fruit-department - Aladdin eSafe bypass/evasion
______________________________________________________________________

Release mode: Forced relaese, vendor has not replied.
Ref         : TZO-152009 - Aladdin eSafe Generic Evasion 
WWW         : http://blog.zoller.lu/2009/04/aladdin-esafe-generic-evasion-bypass.html
Status      : Not patched
Vendor      : http://www.aladdin.com
Security notification reaction rating : Catastrophic
(vendor visited specific url at my website but has not reacted)

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

If   you  wonder  the  about  the  reasons behind such forced releases please
visit:
http://blog.zoller.lu/2009/04/dear-thierry-why-are-you-such-arrogant.html

Affected products : 
- t.b.a (Vendor has not reacted, please see below)
- probably all versions including gateway solutions

As this bug has not been reproduced by the vendor, this limited advisory 
relies on the assumption that my tests were conclusive and that the test
environment mimics the production environment.

I. Background
~~~~~~~~~~~~~
Quote: "Aladdin is dedicated to being the leading provider of security 
services and solutions used to protect digital assets, enable secure 
business, and maximize the benefits from creating, selling, 
distributing and using digital content."


II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formated
archive file. Details are currently witheld due to other vendors that are 
in process of deploying patches.

A professional reaction to a vulnerability notification is a way to 
measure the maturity of a vendor in terms of security. Aladdin is given 
a grace period of two (2) weeks to reply to my notification. Failure 
to do so will result in POC being released in two (2) weeks. 

Aladdin is advised to leave a specific security contact
at [1] in order to simplify getting in contact with them.

As this bug has not been reproduced by the vendor, this limited advisory 
relies on the assumption that my tests were conclusive.

III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within the archive. There is no inspection of the content
at all.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
04/04/2009 : Send proof of concept, description the terms under which 
             I cooperate and the planned disclosure date. There is
             no security adress listed at [1] and hence took previously
             known security contacts that are known to exist.
                         
                         No reply.
                         
13/04/2009 : Resending. Copied security () aladdin de, security () aladdin com
             secure () aladdin com, secure () aladdin de,support () aladdin com,
             support () aladdin de in CC.
                         
             No reply.
                         
16/04/2009 : Resending specifying this is the last attempt to disclose
             reponsibly.
                                                
             No reply.
                         
18/04/2009 : Online virus scan service offered to gap the bridge between
             vendors that don't reply and myself. Aladin was contacted 
             through third party.

             No reaction

19/04/2009 : Aladdin visited the blog entry that explains the bypasses
             and impacts. http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html 
                         
             No reaction
                         
27/04/2009 : Release of this limited advisory.                   


[1] http://osvdb.org/vendor/1/Aladdin%20Knowledge%20Systems