RE: Long path exploit on NTFS

From: Leif Sawyer (lsawyer@gci.com)
Date: 01/30/02


From: Leif Sawyer <lsawyer@gci.com>
To: hans.somers@nl.abnamro.com, bugtraq@securityfocus.com
Date: Wed, 30 Jan 2002 08:42:22 -0900

hans.somers wrote:
> I have tested this on the following platforms:
> Windows NT 4.0 SP4
> Windows NT 4.0 SP6a
> Windows 2000 Professional SP2
> Windows XP Pro
> I have determined that the following versions of Norton
> AntiVirus will not follow the deep path during a complete scan:
> Norton AntiVirus 5.0
> Norton AntiVirus 7.5.1
> Norton Antivirus 8.00.58
>

I changed your script to make it a bit easier to see which path was
triggering the EICAR alert, i.e.:
        md Q:\abcdefghij\abcdefghij\abcdefghij
        cd Q:\abcdefghij\abcdefghij\abcdefghij

Start test-script NTFS-limit
Create a filepath to the limit of NTFS
Create the Eicar test-string for PoC.
This should be detected normally if you have an active virusscanner.
Activate the Eicar test-string
Create a subst-drive Q: for this path
Create an even deeper filepath (thus exceeding the limit of NTFS's explorer)
Change current folder into "the deep"
The system cannot find the path specified.
Create the Eicar test-string
Activate the Eicar test-string
EICAR-STANDARD-ANTIVIRUS-TEST-FILE!.
End of test-script
Q:\ABCDEF~1\ABCDEF~1\ABCDEF~1>

Since I don't see any letters in the file/location info below, it seems that
we can chalk up Norton Antivirus Corporate 7.60.926 as being unable to follow
the long path.

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: EICAR Test String.70
File:
C:\TEMP\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\12
34567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1
234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789\E
ICAR.TXT
Location:
C:\TEMP\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\12
34567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1
234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
Computer: MY_PUTER
User: Employee
Action taken: Clean succeeded : Access allowed
Date found: Wed Jan 30 08:30:54 2002
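
A defender-side check for the gap shown above, as an added example that is not part of the original post: a Python walk that lists every file whose full path no longer fits in Win32 MAX_PATH (260 characters including the terminating NUL), the region the scanners in this thread fail to follow. The names find_overlong, _extended and _legacy are made up for this example; on Windows the walk goes through the extended-length prefix so the audit itself is not cut off.

```python
import os
import sys

MAX_PATH = 260  # Win32 limit; the count includes the terminating NUL
PREFIX = "\\\\?\\"          # extended-length prefix: \\?\
UNC_PREFIX = PREFIX + "UNC\\"

def _extended(path):
    # On Windows, walk through the extended-length prefix so the audit itself
    # is not stopped at MAX_PATH. Elsewhere the path is used unchanged.
    path = os.path.abspath(path)
    if os.name != "nt" or path.startswith(PREFIX):
        return path
    if path.startswith("\\\\"):
        return UNC_PREFIX + path[2:]
    return PREFIX + path

def _legacy(path):
    # Undo the prefix: measure the path as a MAX_PATH-bound API would see it.
    if path.startswith(UNC_PREFIX):
        return "\\\\" + path[len(UNC_PREFIX):]
    return path[len(PREFIX):] if path.startswith(PREFIX) else path

def find_overlong(root, limit=MAX_PATH):
    # Returns (overlong, unreadable): overlong is a sorted list of
    # (length, path) for files that do not fit in `limit` characters
    # including the NUL; unreadable lists directories that could not be opened.
    overlong, unreadable = [], []
    stack = [_extended(root)]
    while stack:  # iterative, so very deep trees cannot exhaust recursion
        current = stack.pop()
        try:
            with os.scandir(current) as it:
                entries = list(it)
        except OSError:
            unreadable.append(_legacy(current))
            continue
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                stack.append(entry.path)
            elif len(_legacy(entry.path)) + 1 > limit:
                overlong.append((len(_legacy(entry.path)), _legacy(entry.path)))
    return sorted(overlong), sorted(unreadable)

if __name__ == "__main__":
    hits, skipped = find_overlong(sys.argv[1] if len(sys.argv) > 1 else ".")
    for length, path in hits:
        print(length, path)
    for path in skipped:
        print("unreadable:", path)
```

Run it against the real volume root rather than a subst drive letter, since a subst mapping shortens the path the tool sees.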


