Re: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 6 Oct 2004 15:03:12 +0400
Dear idlabs-advisories () idefense com,
This vulnerability for Symantec was reported in February, 2003 by
3APA3A (for Kaspersky Antivirus)
and by James C Slora Jr for Symantec (with a copy to Bugtraq moderator,
his message was published by SECURITY.NNOV)
This issue was reported to Symantec, but the official reply received
from Symantec was that their antiviral products are not vulnerable (it's signed):
I think credits on this issue discovery must be granted to James C Slora
Jr (Jim.Slora at phra.com).
--Tuesday, October 5, 2004, 8:36:22 PM, you wrote to idlabs-advisories () idefense com:
iaic> Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability
iaic> iDEFENSE Security Advisory 10.05.04b:
iaic> October 5, 2004
iaic> I. BACKGROUND
iaic> Symantec's Norton AntiVirus protects email, instant messages, and other
iaic> files by automatically removing viruses, worms, and Trojan horses. More
iaic> information about the product is available from http://www.symantec.com
iaic> II. DESCRIPTION
iaic> Remote exploitation of a design vulnerability in Symantec's Norton
iaic> AntiVirus allows malicious code to evade detection.
iaic> The problem specifically exists in attempts to scan files and
iaic> directories named as reserved MS-DOS devices. Reserved MS-DOS device
iaic> names are a hold over from the original days of Microsoft DOS. The
iaic> reserved MS-DOS device names represent devices such as the first printer
iaic> port (LPT1) and the first serial communication port (COM1). Sample
iaic> reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1. If a
iaic> virus stores itself in a reserved device name it can avoid detection by
iaic> Symantec Norton AntiVirus when the system is scanned. Symantec Norton
iaic> AntiVirus will scan the files and folders containing the virus and fail
iaic> to detect or report them. Reserved device names can be created with
iaic> standard Windows utilities by specifying the full Universal Naming
iaic> Convention (UNC) path. The following command will successfully copy a
iaic> file to the reserved device name 'aux' on the C:\ drive:
iaic> copy source \\.\C:\aux
iaic> III. ANALYSIS
iaic> Exploitation allows attackers to evade detection of malicious code.
iaic> Attackers can unpack or decode an otherwise detected malicious payload
iaic> in a stealth manner.
iaic> IV. DETECTION
iaic> iDEFENSE has confirmed the existence of this vulnerability in the latest
iaic> version of Norton AntiVirus. It is reported that earlier versions crash
iaic> upon parsing files or directories using reserved MS-DOS device names.
iaic> V. WORKAROUND
iaic> Ensure that no local files or directories using reserved MS-DOS device
iaic> names exist. On most modern Windows systems there should be no reserved
iaic> MS-DOS device names present. While the Windows search utility can be
iaic> used to locate offending files and directories, either a separate tool
iaic> or the specification of Universal Naming Convention (UNC) must be used
iaic> to remove them. The following command will successfully remove a file
iaic> stored on the C:\ drive named 'aux':
iaic> del \\.\C:\aux
iaic> VI. VENDOR RESPONSE
iaic> "Symantec engineers have developed a fix for this issue for Symantec
iaic> Norton AntiVirus 2004 that is currently available through LiveUpdate.
iaic> The fix is being incorporated into all other supported Symantec Norton
iaic> AntiVirus versions and will be available through LiveUpdate when fully
iaic> tested and released."
iaic> More information is available in Symantec Security Advisory SYM04-015.
iaic> VII. CVE INFORMATION
iaic> The Common Vulnerabilities and Exposures (CVE) project has assigned the
iaic> name CAN-2004-0920 to this issue. This is a candidate for inclusion
iaic> in the CVE list (http://cve.mitre.org), which standardizes names for
iaic> security problems.
iaic> VIII. DISCLOSURE TIMELINE
iaic> 05/12/2004 Vulnerability acquired by iDEFENSE
iaic> 06/25/2004 iDEFENSE clients notified
iaic> 06/29/2004 Initial vendor notification
iaic> 06/30/2004 Initial vendor response
iaic> 10/05/2004 Coordinated public disclosure
iaic> IX. CREDIT
iaic> Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.
iaic> Get paid for vulnerability research
iaic> X. LEGAL NOTICES
iaic> Copyright (c) 2004 iDEFENSE, Inc.
iaic> Permission is granted for the redistribution of this alert
iaic> electronically. It may not be edited in any way without the express
iaic> written consent of iDEFENSE. If you wish to reprint the whole or any
iaic> part of this alert in any other medium other than electronically, please
iaic> email customerservice () idefense com for permission.
iaic> Disclaimer: The information in the advisory is believed to be accurate
iaic> at the time of publishing based on currently available information. Use
iaic> of the information constitutes acceptance for use in an AS IS condition.
iaic> There are no warranties with regard to this information. Neither the
iaic> author nor the publisher accepts any liability for any direct, indirect,
iaic> or consequential loss or damage arising from use of, or reliance on,
iaic> this information.
iaic> Full-Disclosure - We believe in it.
iaic> Charter: http://lists.netsys.com/full-disclosure-charter.html
There was an error in the calculations. (Lem)
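The quoted advisory's workaround section says to locate any files or directories whose names are reserved MS-DOS device names and remove them via the `\\.\` form of the path. The following is an added example of such a check, written for this page; it is not code from the original post, from 3APA3A, or from iDEFENSE or Symantec. It assumes the standard Win32 naming rules (the name part before the first dot is compared case-insensitively, trailing dots and spaces are ignored, and the reserved set is CON, PRN, AUX, NUL, COM1 to COM9 and LPT1 to LPT9), and the `demo_scan` function, its temporary directory and every sample file name in it are constructed for illustration. It goes beyond the advisory's examples by also catching names such as `AUX.txt`, which Win32 treats the same way as `aux`.

```python
"""Locate files and directories whose names collide with reserved MS-DOS
device names, the class of object the advisory's workaround says to remove.

Added example; not code from the original post or from iDEFENSE/Symantec.
The reserved-name list and the \\.\ device-namespace prefix are standard
Win32 naming rules; the sample tree built by demo_scan() is constructed and
assumes a POSIX host, where such names can be created with plain open().
"""
import os
import shutil
import tempfile
from pathlib import PurePath

# Names Win32 reserves for devices: CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def is_reserved_device_name(name: str) -> bool:
    """True if a path component would be treated as a device by Win32.

    Win32 ignores trailing spaces and dots and looks only at the part of the
    name before the first dot, so 'aux', 'AUX.txt' and 'con. ' all collide
    with a device, while 'aux1' and 'com10' do not.
    """
    stem = name.rstrip(" .").split(".", 1)[0]
    return stem.upper() in RESERVED_DEVICE_NAMES


def find_reserved_name_entries(root: str) -> list:
    """Walk `root` and return every file or directory whose name is a reserved
    device name, as sorted paths relative to root with forward slashes."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_reserved_device_name(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(PurePath(rel).as_posix())
    return sorted(hits)


def device_namespace_path(win_path: str) -> str:
    # Prefix an absolute drive path with the Win32 device namespace, the form
    # the advisory uses (del \\.\C:\aux) so that cmd.exe addresses the file
    # on disk rather than the device of the same name.
    if win_path.startswith("\\\\.\\"):
        return win_path
    return "\\\\.\\" + win_path


def demo_scan() -> list:
    """Build a constructed sample tree in a temporary directory, scan it, and
    return the flagged entries. Cleans up after itself."""
    root = tempfile.mkdtemp(prefix="devname-demo-")
    try:
        # Constructed sample: three benign names, the rest collide with devices.
        for name in ["aux", "CON.txt", "com1", "lpt10", "readme.txt", "aux1"]:
            open(os.path.join(root, name), "w").close()
        os.mkdir(os.path.join(root, "prn"))
        open(os.path.join(root, "prn", "nul.log"), "w").close()
        return find_reserved_name_entries(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for entry in demo_scan():
        print(entry, "->", device_namespace_path("C:\\" + entry.replace("/", "\\")))
```

On a real Windows host the scan would be pointed at each drive root; every returned entry is one the advisory's `del \\.\C:\...` form (or the directory equivalent) is needed to remove, and `device_namespace_path` produces exactly that prefix.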