Re: [Full-Disclosure] Symantec AntiVirus and AOL
From: Maxim S. Shatskih (maxim_at_STORAGECRAFT.COM)
Date: Sun, 26 Oct 2003 20:14:12 +0300 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
>anyone has experience with device drivers then am I right that once a vendor's
>device driver sets the NCD_VIRTUAL bit then they have done their duty as far as
>re a fake adapter? Is the burden then on Symantec to check the flags of
>adapters they are
Regardless of all this stuff, I expect the Windows app to use rpcrt4!UuidCreate
or ole32!CoCreateGuid to generate GUIDs. If Symantec's antivirus violates this
rule - then this looks suspicious by itself.
For instance, these routines encrypt GUIDs in a way that the original MAC
address is not distinguishable. If Symantec uses the MAC addresses literally in
the GUIDs - then this is a privacy leak at least.
Using the MAC address of the virtual adapter (on the upper edge of some MUX IM)
is just funny, since it is emulated in the machine code which responds to the OID
query, and can be emulated, for instance, by repeating the MAC address of
one of the underlying adapters.
Maxim Shatskih, Windows DDK MVP
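The privacy point above (a GUID built literally from a MAC address is distinguishable from a randomly generated one) can be checked mechanically. The following is an added example, not code from the post or from Symantec: RFC 4122 version-1 UUIDs carry a 48-bit node field that is normally the generating host's MAC address, while version-4 UUIDs (what CoCreateGuid/UuidCreate return on modern Windows) are random. Given the GUIDs an application stores and the MAC addresses of the host's adapters, the script flags GUIDs whose node field matches an adapter, including the case the post describes where a virtual adapter simply repeats an underlying adapter's address. All MAC addresses and GUIDs below are constructed sample values.

```python
"""Check whether stored GUIDs embed a network adapter's MAC address.

Added example (not part of the original mailing-list post). Version-1
UUIDs expose the generator's node (MAC) address; version-4 UUIDs do not.
"""
import uuid


def normalize_mac(mac: str) -> int:
    """Turn '00-11-22-33-44-55' or '00:11:22:33:44:55' into a 48-bit int."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def guid_node(guid: str):
    """Return the node field of a version-1 GUID, or None for other versions."""
    u = uuid.UUID(guid)
    if u.version != 1:
        return None
    return u.node


def guid_leaks_mac(guid: str, adapter_macs) -> bool:
    """True if the GUID is version 1 and its node equals one of the given MACs."""
    node = guid_node(guid)
    if node is None:
        return False
    return node in {normalize_mac(m) for m in adapter_macs}


def audit_guids(guids, adapter_macs):
    """Map each GUID to the matching adapter MAC string, or None if no leak."""
    mac_by_node = {normalize_mac(m): m for m in adapter_macs}
    report = {}
    for g in guids:
        node = guid_node(g)
        report[g] = mac_by_node.get(node) if node is not None else None
    return report


# Constructed sample data: a physical adapter and a virtual adapter (on top
# of a MUX intermediate driver) that repeats the physical adapter's address,
# written in the two common notations.
PHYSICAL_MAC = "00:11:22:33:44:55"   # constructed, not a real device
VIRTUAL_MAC = "00-11-22-33-44-55"    # same address, different format
ADAPTER_MACS = [PHYSICAL_MAC, VIRTUAL_MAC]

# A GUID built the MAC-based way: version 1 with the adapter address as node.
LEAKY_GUID = str(uuid.uuid1(node=normalize_mac(PHYSICAL_MAC)))
# A GUID built the random way (version 4), as CoCreateGuid/UuidCreate produce.
SAFE_GUID = str(uuid.uuid4())

if __name__ == "__main__":
    for g, leaked in audit_guids([LEAKY_GUID, SAFE_GUID], ADAPTER_MACS).items():
        print(f"{g}  ->  {'embeds ' + leaked if leaked else 'no MAC embedded'}")
```

To use this against a real application, collect the GUIDs it persists (registry values, configuration files) and the adapter list from `ipconfig /all`; any version-1 GUID whose node field matches an adapter is one that a third party could tie back to that machine.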