Symantec generic PDF detection bypass

                                                ________________________________________________________________________

             Symantec multiple products - Generic PDF bypass
________________________________________________________________________

***********************************************************************
Cheap plug :
Speaking of PDF - If you are interested in client-side vulnerabilities
visit HACK.LU starting tomorrow [28-30 Oct] with :

Workshop:
* Bypassing the Perimeter: Client Side Exploitation - Nitesh Dhanjani, 
                                                      Billy K Rios
Talks :
* New advances in Office Malware analysis - Frank Boldewin
* PDF Penetration Document Format - Didier Stevens
* Ownage 2.0 - Saumil Shah (who else)
* Malicious PDF origamis strike back - Guillaume Delugré
                                       Frederic Raynal
***********************************************************************

Release mode: Coordinated
Reference   : [GSEC-47-2009] - Symantec generic PDF bypass
WWW         : http://www.g-sec.lu/symantec-pdf-bypass.html
Vendor      : http://www.symantec.com
Status      : Patched
CVE         : none attributed yet
Credit      : http://tinyurl.com/ygqnlhs
Discovered by : Thierry Zoller (G-SEC)


Affected products : 
~~~~~~~~~~~~~~~~~~~
- Symantec Mail Security for Domino
- Symantec Mail Security for Microsoft Exchange
- Symantec Mail Security for SMTP
- Symantec Brightmail Gateway
- Symantec AntiVirus for Network Attached Storage
- Symantec AntiVirus for Caching
- Symantec AntiVirus for Messaging
- Symantec Protection for SharePoint Servers
- Symantec Protection Suite
- Symantec Scan Engine
- Symantec Client Security
- Symantec Endpoint Protection
- Symantec AntiVirus Corporate Edition
- Norton Internet Security
- Norton 360
- Norton AntiVirus
- Norton Systemworks

Patch availability :
~~~~~~~~~~~~~~~~~~~~
Patches distributed through automatic updates

I. Background
~~~~~~~~~~~~~
Quote: "Symantec helps consumers and organizations secure and 
manage their information-driven world. Our software and services 
protect against more risks at more points, more completely and 
efficiently, enabling confidence wherever information is used or stored."

II. Description
~~~~~~~~~~~~~~~
Improper parsing of the PDF structure leads to evasion of detection of 
malicious PDF documents at scantime and runtime.
  
This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.

General information about evasion/bypasses can be found at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

III. Impact
~~~~~~~~~~~
Known PDF exploits/malware may evade signature and heuristic detection, 0day exploits
may evade heuristics.

IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD.MM.YYYY
01.06.2009 - Reported 
12.06.2009 - "This will be posted to our Symantec Product Security Advisory page
             though we are not identifying these issues as vulnerabilities, it's just
             the best method to disseminate this type of product information"
< waiting for others to patch >
27.10.2009 - G-SEC releases this advisory

About G-SEC
~~~~~~~~~~~
G-SEC™  is  a  vendor independent luxemburgish led IT security consulting
group. More information available at : http://www.g-sec.lu/