--/	INTRODUCTION  --

Advisory	: 05_07_14-bitdefender_malicious_content_bypass
Release Date	: 14. July 2005
Application	: BitDefender Antivirus
Impact		: Malicious content bypass
Author		: Alexander 'xaitax' Hagenah [ah at primepage dot de]


--/	SYSTEMS AFFECTED  --

BitDefender running on Linux/BSD
* Engine 1.6.1 and prior


--/	VENDOR  --

Informed	: 04. July 2005
Response	: 05. July 2005
Patched		: 13. July 2005


--/	ABOUT  --

BitDefender Antivirus & Antispam for Linux and FreeBSD Mail Servers

The BitDefender solutions for Mail Servers running on Linux and FreeBSD
platforms provide content security at the gateway level, by scanning 
all the inbound and outbound e-mail traffic for malware and spam.


--/	SUMMARY  --

The BitDefender-Mail Server Scan-Engine is vulnerable against a simple
attachment `attack'.
A Scan-Engine normally splits a mail into header, body and attachments.
So the Scan-Engine is easily able to scan all the attachments in it's
origin format.
If there is more than one element, it simply jumps to the following and
does it's job again.
Not this one - in this engine only the first element is counted and
scanned. If there is more than one attachment, the following ones are
ignored. So you could simply add somewhere into the mail the following
lines:

.--
| begin
| end
`--

Now the engine expect this to be the first attachment and stops
scanning the mail. So there is no problem to add an attachment with
malicious content which will be ignored by the BitDefender scanner.

This only depends to UUencoded mails. For more information about
UUencode take a look at http://en.wikipedia.org/wiki/Uuencode.


--/	REPRODUCE  --

If the engine is somewhere productive running, you can test it - maybe
with EICAR as attachment - and put into the body the begin/end content.
If not, there is a evaluation version to download on the
bitdefender-page.


--/	PATCH  --

The patch is automatically downloaded by the bitdefender update engine.
It works with all versions, because all updates are transferred into
Plugins/ directory.


--/	CONTACT  --

This advisory is provided by:

- ( x a i t a x - s e c u r i t y ) -
http://xaitax.de | ah at primepage dot de

top concepts Internetmarketing GmbH
http://topconcepts.de | hagenah at topconcepts dot de