Full Disclosure mailing list archives

Re: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability
Date: Wed, 6 Oct 2004 15:03:12 +0400

Dear idlabs-advisories () idefense com,

This vulnerability for Symantec was reported in February, 2003 by
3APA3A (for Kaspersky Antivirus)


and  by James C Slora Jr for Symantec (with a copy to Bugtraq moderator,
his message was published by SECURITY.NNOV)


This issue was reported to Symantec, but an official reply was received
from Symantec that their antiviral products are not vulnerable (it's signed):


I think credits on this issue discovery must be granted to James C Slora
Jr (Jim.Slora at phra.com).

--Tuesday, October 5, 2004, 8:36:22 PM, you wrote to idlabs-advisories () idefense com:

iaic> Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

iaic> iDEFENSE Security Advisory 10.05.04b:
iaic> www.idefense.com/application/poi/display?id=147&type=vulnerabilities
iaic> October 5, 2004


iaic> Symantec's Norton AntiVirus protects email, instant messages, and other
iaic> files by automatically removing viruses, worms, and Trojan horses. More
iaic> information about the product is available from http://www.symantec.com


iaic> Remote exploitation of design vulnerability in Symantec's Norton
iaic> AntiVirus allows malicious code to evade detection.

iaic> The problem specifically exists in attempts to scan files and
iaic> directories named as reserved MS-DOS devices. Reserved MS-DOS device
iaic> names are a holdover from the original days of Microsoft DOS. The
iaic> reserved MS-DOS device names represent devices such as the first printer
iaic> port (LPT1) and the first serial communication port (COM1). Sample
iaic> reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1. If a
iaic> virus stores itself in a reserved device name it can avoid detection by
iaic> Symantec Norton AntiVirus when the system is scanned. Symantec Norton
iaic> AntiVirus will scan the files and folders containing the virus and fail
iaic> to detect or report them. Reserved device names can be created with
iaic> standard Windows utilities by specifying the full Universal Naming
iaic> Convention (UNC) path. The following command will successfully copy a
iaic> file to the reserved device name 'aux' on the C:\ drive:

iaic>     copy source \\.\C:\aux


iaic> Exploitation allows attackers to evade detection of malicious code.
iaic> Attackers can unpack or decode an otherwise detected malicious payload
iaic> in a stealth manner.


iaic> iDEFENSE has confirmed the existence of this vulnerability in the latest
iaic> version of Norton AntiVirus. It is reported that earlier versions crash
iaic> upon parsing files or directories using reserved MS-DOS device names.


iaic> Ensure that no local files or directories using reserved MS-DOS device
iaic> names exist. On most modern Windows systems there should be no reserved
iaic> MS-DOS device names present. While the Windows search utility can be
iaic> used to locate offending files and directories, either a separate tool
iaic> or the specification of Universal Naming Convention (UNC) must be used
iaic> to remove them. The following command will successfully remove a file
iaic> stored on the C:\ drive named 'aux':

iaic>     del \\.\C:\aux


iaic> "Symantec engineers have developed a fix for this issue for Symantec
iaic> Norton AntiVirus 2004 that is currently available through LiveUpdate.
iaic> The fix is being incorporated into all other supported Symantec Norton
iaic> AntiVirus versions and will be available through LiveUpdate when fully
iaic> tested and released."

iaic> More information is available in Symantec Security Advisory SYM04-015.


iaic> The Common Vulnerabilities and Exposures (CVE) project has assigned the
iaic> names CAN-2004-0920 to these issues. This is a candidate for inclusion
iaic> in the CVE list (http://cve.mitre.org), which standardizes names for
iaic> security problems.


iaic> 05/12/2004   Vulnerability acquired by iDEFENSE
iaic> 06/25/2004   iDEFENSE clients notified
iaic> 06/29/2004   Initial vendor notification
iaic> 06/30/2004   Initial vendor response
iaic> 10/05/2004   Coordinated public disclosure

iaic> IX. CREDIT

iaic> Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.

iaic> Get paid for vulnerability research
iaic> http://www.idefense.com/poi/teams/vcp.jsp


iaic> Copyright (c) 2004 iDEFENSE, Inc.

iaic> Permission is granted for the redistribution of this alert
iaic> electronically. It may not be edited in any way without the express
iaic> written consent of iDEFENSE. If you wish to reprint the whole or any
iaic> part of this alert in any other medium other than electronically, please
iaic> email customerservice () idefense com for permission.

iaic> Disclaimer: The information in the advisory is believed to be accurate
iaic> at the time of publishing based on currently available information. Use
iaic> of the information constitutes acceptance for use in an AS IS condition.
iaic> There are no warranties with regard to this information. Neither the
iaic> author nor the publisher accepts any liability for any direct, indirect,
iaic> or consequential loss or damage arising from use of, or reliance on,
iaic> this information.

iaic> _______________________________________________
iaic> Full-Disclosure - We believe in it.
iaic> Charter: http://lists.netsys.com/full-disclosure-charter.html

There was an error in the calculations. (Lem)
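
The quoted advisory's workaround is to make sure no files or directories with reserved MS-DOS device names exist on disk. The following is an added example, not part of the original message or the advisory: a small audit script that walks a tree and reports such names. It goes beyond the advisory's sample list (AUX, CON, PRN, COM1, LPT1) by also covering NUL and the remaining COM/LPT ports, and its use of the `\\?\` path prefix on Windows is a choice made here.

```python
import os
import sys

# Reserved Win32 device names: the advisory's samples plus NUL and COM1-9 / LPT1-9.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{port}{n}" for port in ("COM", "LPT") for n in range(1, 10)
}

def is_reserved_name(name: str) -> bool:
    # The Win32 layer strips trailing dots and spaces and treats a reserved
    # name followed by an extension (AUX.txt) as the device as well, so the
    # comparison is made on the part before the first dot. This is a
    # deliberately conservative match.
    base = name.rstrip(" .").split(".", 1)[0].rstrip(" ")
    return base.upper() in RESERVED

def extended(path: str) -> str:
    # On Windows, the \\?\ prefix passes names to the filesystem without
    # Win32 device-name parsing, so entries named like devices can be listed.
    if os.name == "nt" and not path.startswith("\\\\"):
        return "\\\\?\\" + os.path.abspath(path)
    return path

def find_reserved(root: str) -> list[str]:
    """Return sorted paths of files and directories under root with reserved names."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(extended(root)):
        for name in dirnames + filenames:
            if is_reserved_name(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

if __name__ == "__main__":
    # Usage: python find_reserved.py C:\  (defaults to the current directory)
    for hit in find_reserved(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Any path it reports is one that a scanner affected by this issue may have skipped, so it should be inspected with a tool that accepts the prefixed path.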
