Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Mutiple AntiVirus Reserved Device Name Handling Vulnerability
From: "Sowhat ." <smaillist () gmail com>
Date: Mon, 18 Oct 2004 21:35:05 +0800

Mutiple AntiVirus Reserved Device Name Handling Vulnerability

Author:Sowhat
Date:October,9th,2004
http://secway.org/Advisory/Ad20041009.txt

Vendor:

AntiVir
www.hbedv.com

Twister
www.filseclab.com

Protector plus 2000
www.pspl.com

Overview:

As many popular AV's "Reserved Device Name Handling Vulnerability"
were reported,
i have tested this well known bugz with some others for fun :)
There are still 3 leaving for me ,tested with the lastest or the most
popular version.

Descritption:

Exploitation of this design vulnerability in these AntiVirus products 
could allow malicious code to evade detection.

The problem is that during the automatic and manual scans,these Avs 
dont consistently scan the files and directories named as reserved
MS-DOS devices,
such as AUX, CON, PRN, COM1 and LPT1 etc.
When these Avs scan the files and folders named with Reserved Device Name,
they will fail to detect and report the malicious code,then they can
avoid detection.

This vulnerablity is exactly as the Symantec's
so,if you want to see more information ,
just google "Symantec Security Advisory SYM04-015" || "iDEFENSE
Security Advisory 10.05.04b"


WorkAround:

Delelte all the files and folders named with Reserved Device Name.

Vendor Status:

I have contacted all 3 vendors,only Twister replied and they will
fixed it in the
next release.


CREDIT:
Sowhat 0f the ITS Security Research Team
Sowhat[0x40]secway[0x2e]org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • Mutiple AntiVirus Reserved Device Name Handling Vulnerability Sowhat . (Oct 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault