RE: Long path exploit on NTFS

From: David Korn (dkorn@pixelpower.com)
Date: 02/07/02


From: David Korn <dkorn@pixelpower.com>
To: "Bugtraq (E-mail)" <bugtraq@securityfocus.com>
Date: Thu, 7 Feb 2002 11:25:48 -0000 


>-----Original Message-----
>From: David Sexton [mailto:dave.sexton@sapphire.net]
>Sent: 05 February 2002 09:14
>To: 'fh@rcs.urz.tu-dresden.de'; bugtraq@securityfocus.com;
>hans.somers@hccnet.nl
>Subject: RE: Long path exploit on NTFS
>
>
>Err.. I beg to differ:
>
>SWEEP virus detection utility
>Version 3.54, Monday, February 04, 2002

<delurk>

  I notice you're using 3.54 rather than 3.53, so I've confirmed the same
result for 3.53 (Release data 7 Jan 02, engine v2.7), using the batch file
posted here earlier (although I changed the subst drive letter from Q to Z
because I already had a Q drive). It would be interesting if Frank could
describe the methodology he used, as the phrase "According to my own tests"
suggests he was not using the same script.

  The machine in question has NT4 SP6, in case anyone was wondering whether
that was what caused the difference between David's results and Frank's.

SWEEP virus detection utility
Version 3.53, 07 January 2002
Includes detection for 71212 viruses, trojans and worms
Copyright 1989, 2001, Sophos Plc, www.sophos.com

Info: Immediate job started by [REDACTED] at 11:14 on 07 February 2002

Items to be swept:
        "All Master Boot Sectors"
        Drive C: Sector 0
        C:\temp\*.* and all subfolders

Scanning options:
        Full mode,
        including archive files,
        excluding off-line files

Sweeping:
        Disk 80 Cylinder 0 Head 0 Sector 1
        Drive C: Sector 0
        
C:\TEMP\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\12
34567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1
234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789\1
234567890...\EICAR.TXT
Virus: 'EICAR-AV-Test' detected in
C:\TEMP\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\12345
6~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\
123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\EICAR.TXT
        No action taken

        
C:\TEMP\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\12
34567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1
234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789\1
234567890...\EICAR2.COM
Virus: 'EICAR-AV-Test' detected in
C:\TEMP\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\12345
6~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\
123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\EICAR2.COM
        No action taken

        C:\TEMP\trb95.tmp
        C:\TEMP\cw50temp.000
        C:\TEMP\~DFC3C0.tmp
        C:\TEMP\trb53E.tmp
        C:\TEMP\trb540.tmp
        C:\TEMP\trb542.tmp
        C:\TEMP\trb821.tmp
        C:\TEMP\~DFC3C1.tmp
Info: Immediate job completed at 11:14 on 07 February 2002
        12 items swept, 2 viruses detected, 0 errors

         DaveK

-- 
Burn your ID card!  http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!

********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com **********************************************************************