Full Disclosure mailing list archives

Re: when will AV vendors fix this???
From: "Bipin Gautam" <gautam.bipin () gmail com>
Date: Tue, 8 Aug 2006 07:54:13 +0545

This is similar to the problem of alternative data streams.
Essentially, the work needed to solve this problem isn't worth the
expenditure of time and effort, because the file, in order to infect the
system, has to be executed.  Once the file is executed "normal"
on-access scanning will catch the exploit *if* it is known.  (If it's
unknown, it doesn't matter anyway.)  Yes, on-demand scanning won't "see"
the file, but even malicious files are benign until they are run.

I still insist, it might be a minor glitch to NOT ALLOW even admins to
access a private file directly, but it isn't an issue with Windows at
I thought the files should be accessed via "SeTcbPrivilege" BUT it
doesn't. )O;

But hey, most of "the file undelete utilities" already do this.....
If you try reading/copying an EXISTING file (via sys admin privilege)
using (say Restorer2000 Demo) it effectively bypasses file permission
regardless if it...... & can read the file! There must be another
undocumented? API doing this???

Another note, even Windows OneCare is prone to this bug.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
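The point the thread circles around is that an on-demand scan only sees what its own token can open. The following PowerShell check is an added example, not code from this thread or from any AV vendor: it walks a tree as the current account and reports files that account cannot open for reading (or that are locked), together with any explicit Deny ACEs on ReadData that explain it. The root path is a placeholder, and running it under the same account the scanner uses (for instance as SYSTEM via a scheduled task) is an assumption the result depends on.

```powershell
# Added example, not from the thread. Lists files under $Root that the
# current token cannot read, i.e. what an on-demand scan running as this
# account would silently skip, plus explicit Deny-read ACEs where present.
# Assumption: run under the scanner's own account for a faithful view.
function Find-UnscannableFiles {
    param([Parameter(Mandatory)][string]$Root)

    $readBit = [System.Security.AccessControl.FileSystemRights]::ReadData

    # -Force includes hidden/system files. Directories we cannot traverse
    # are collected in $walkErrors; their contents are unseen as well.
    $items = Get-ChildItem -LiteralPath $Root -Recurse -Force `
        -ErrorAction SilentlyContinue -ErrorVariable walkErrors

    foreach ($err in $walkErrors) {
        [pscustomobject]@{ Path = $err.TargetObject; Kind = 'Directory'
                           Reason = 'Cannot enumerate'; DenyAces = $null }
    }

    foreach ($item in ($items | Where-Object { -not $_.PSIsContainer })) {
        $stream = $null
        try {
            # Shared read/write so files in use are not disturbed.
            $stream = [System.IO.File]::Open($item.FullName, 'Open', 'Read', 'ReadWrite')
        } catch [System.UnauthorizedAccessException] {
            # Explain the denial with explicit Deny ACEs covering ReadData,
            # if the ACL itself is readable by this token.
            $denies = @()
            try {
                $denies = (Get-Acl -LiteralPath $item.FullName).Access |
                    Where-Object { $_.AccessControlType -eq 'Deny' -and
                                   (($_.FileSystemRights -band $readBit) -ne 0) } |
                    ForEach-Object { $_.IdentityReference.Value }
            } catch { $denies = @('<ACL not readable>') }
            [pscustomobject]@{ Path = $item.FullName; Kind = 'File'
                               Reason = 'Access denied'; DenyAces = ($denies -join ', ') }
        } catch [System.IO.IOException] {
            # Exclusive locks also hide a file from a scanner's open() call.
            [pscustomobject]@{ Path = $item.FullName; Kind = 'File'
                               Reason = 'In use or locked'; DenyAces = $null }
        } finally {
            if ($stream) { $stream.Dispose() }
        }
    }
}

# Usage (placeholder root): Find-UnscannableFiles -Root 'C:\Users' | Format-Table -AutoSize
```

Anything this reports is content the on-demand scanner, as argued above, never inspects until it is executed and on-access scanning gets its turn.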
