Re: [Full-Disclosure] iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: 10/06/04

  • Next message: Len Sassaman: "CodeCon 2005 Call for Papers"
    Date: Wed, 6 Oct 2004 14:42:57 +0400
    To: idlabs-advisories@idefense.com
    
    

    Dear idlabs-advisories@idefense.com,

    This vulnerability for Symantec was reported in February, 2003 by
    3APA3A (for Kaspersky Antivirus)

    http://www.security.nnov.ru/search/document.asp?docid=4061

    and by James C Slora Jr for Symantec (with a copy to Bugtraq moderator,
    his message was published by SECURITY.NNOV)

    http://www.security.nnov.ru/search/document.asp?docid=4081

    This issue was reported to Symantec, but the official reply received
    from Symantec was that their antiviral products are not vulnerable (it is signed):

    http://www.security.nnov.ru/search/document.asp?docid=4208

    I think credit for the discovery of this issue must be granted to James C Slora
    Jr (Jim.Slora at phra.com).

    --Tuesday, October 5, 2004, 8:36:22 PM, you wrote to idlabs-advisories@idefense.com:

    iaic> Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

    iaic> iDEFENSE Security Advisory 10.05.04b:
    iaic> www.idefense.com/application/poi/display?id=147&type=vulnerabilities
    iaic> October 5, 2004

    iaic> I. BACKGROUND

    iaic> Symantec's Norton AntiVirus protects email, instant messages, and other
    iaic> files by automatically removing viruses, worms, and Trojan horses. More
    iaic> information about the product is available from http://www.symantec.com

    iaic> II. DESCRIPTION

    iaic> Remote exploitation of design vulnerability in Symantec's Norton
    iaic> AntiVirus allows malicious code to evade detection.

    iaic> The problem specifically exists in attempts to scan files and
    iaic> directories named as reserved MS-DOS devices. Reserved MS-DOS device
    iaic> names are a holdover from the original days of Microsoft DOS. The
    iaic> reserved MS-DOS device names represent devices such as the first printer
    iaic> port (LPT1) and the first serial communication port (COM1). Sample
    iaic> reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1. If a
    iaic> virus stores itself in a reserved device name it can avoid detection by
    iaic> Symantec Norton AntiVirus when the system is scanned. Symantec Norton
    iaic> AntiVirus will scan the files and folders containing the virus and fail
    iaic> to detect or report them. Reserved device names can be created with
    iaic> standard Windows utilities by specifying the full Universal Naming
    iaic> Convention (UNC) path. The following command will successfully copy a
    iaic> file to the reserved device name 'aux' on the C:\ drive:

    iaic> copy source \\.\C:\aux

    iaic> III. ANALYSIS

    iaic> Exploitation allows attackers to evade detection of malicious code.
    iaic> Attackers can unpack or decode an otherwise detected malicious payload
    iaic> in a stealth manner.

    iaic> IV. DETECTION

    iaic> iDEFENSE has confirmed the existence of this vulnerability in the latest
    iaic> version of Norton AntiVirus. It is reported that earlier versions crash
    iaic> upon parsing files or directories using reserved MS-DOS device names.

    iaic> V. WORKAROUND

    iaic> Ensure that no local files or directories using reserved MS-DOS device
    iaic> names exist. On most modern Windows systems there should be no reserved
    iaic> MS-DOS device names present. While the Windows search utility can be
    iaic> used to locate offending files and directories, either a separate tool
    iaic> or the specification of Universal Naming Convention (UNC) must be used
    iaic> to remove them. The following command will successfully remove a file
    iaic> stored on the C:\ drive named 'aux':

    iaic> del \\.\C:\aux

    iaic> VI. VENDOR RESPONSE

    iaic> "Symantec engineers have developed a fix for this issue for Symantec
    iaic> Norton AntiVirus 2004 that is currently available through LiveUpdate.
    iaic> The fix is being incorporated into all other supported Symantec Norton
    iaic> AntiVirus versions and will be available through LiveUpdate when fully
    iaic> tested and released."

    iaic> More information is available in Symantec Security Advisory SYM04-015.

    iaic> VII. CVE INFORMATION

    iaic> The Common Vulnerabilities and Exposures (CVE) project has assigned the
    iaic> name CAN-2004-0920 to this issue. This is a candidate for inclusion
    iaic> in the CVE list (http://cve.mitre.org), which standardizes names for
    iaic> security problems.

    iaic> VIII. DISCLOSURE TIMELINE

    iaic> 05/12/2004 Vulnerability acquired by iDEFENSE
    iaic> 06/25/2004 iDEFENSE clients notified
    iaic> 06/29/2004 Initial vendor notification
    iaic> 06/30/2004 Initial vendor response
    iaic> 10/05/2004 Coordinated public disclosure

    iaic> IX. CREDIT

    iaic> Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.

    iaic> Get paid for vulnerability research
    iaic> http://www.idefense.com/poi/teams/vcp.jsp

    iaic> X. LEGAL NOTICES

    iaic> Copyright (c) 2004 iDEFENSE, Inc.

    iaic> Permission is granted for the redistribution of this alert
    iaic> electronically. It may not be edited in any way without the express
    iaic> written consent of iDEFENSE. If you wish to reprint the whole or any
    iaic> part of this alert in any other medium other than electronically, please
    iaic> email customerservice@idefense.com for permission.

    iaic> Disclaimer: The information in the advisory is believed to be accurate
    iaic> at the time of publishing based on currently available information. Use
    iaic> of the information constitutes acceptance for use in an AS IS condition.
    iaic> There are no warranties with regard to this information. Neither the
    iaic> author nor the publisher accepts any liability for any direct, indirect,
    iaic> or consequential loss or damage arising from use of, or reliance on,
    iaic> this information.

    iaic> _______________________________________________
    iaic> Full-Disclosure - We believe in it.
    iaic> Charter: http://lists.netsys.com/full-disclosure-charter.html

    -- 
    ~/ZARAZA
    There was an error in the calculations.  (Lem)
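The workaround in section V of the quoted advisory (find every file or directory whose name is a reserved MS-DOS device name, then remove it through a path form that bypasses Win32 device-name parsing) is easy to get wrong by hand, because Windows treats `aux.txt`, `Aux` and `aux ` as the device too. The script below is an added example, not code from the original post, from iDEFENSE or from Symantec. It generalizes the advisory's single `del \\.\C:\aux` to a tree walk over the full reserved set (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), matching the way Win32 derives the device from the part of the name before the first dot. The `\\?\` prefix used for removal is the documented Win32 "disable path parsing" prefix and is an assumption of this example; the advisory's `\\.\C:\aux` device-namespace form is the other way to reach the same file. The root directory and the `--delete` flag are this example's own conventions.

```python
import os
import sys

# Reserved MS-DOS device names, compared case-insensitively. Win32 derives the
# device from the part of the base name before the first dot and ignores
# trailing spaces, so "AUX.txt" and "aux " resolve to the AUX device as well.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

WIN32_NO_PARSE_PREFIX = "\\\\?\\"  # assumption: \\?\ prefix to bypass device-name parsing


def is_reserved_device_name(name: str) -> bool:
    """True if a file or directory base name resolves to a reserved MS-DOS device."""
    stem = name.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES


def find_reserved_entries(root: str) -> list:
    """Walk root and return the full paths of entries that carry reserved names.

    os.walk joins names onto the root without normalizing them, so a file
    literally named 'aux' is returned as '<root>\\aux' rather than as a device.
    Directory entries are reported as well; os.walk still descends into them.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_reserved_device_name(name):
                hits.append(os.path.join(dirpath, name))
    return hits


def win32_no_parse_path(path: str) -> str:
    """Return path with the \\?\ prefix so CreateFile/DeleteFile skip device parsing.

    The caller must pass an absolute drive path such as C:\\tmp\\aux; calling
    os.path.abspath here would itself run the path through GetFullPathName,
    which is exactly the parsing that turns C:\\aux into a device.
    """
    if path.startswith(WIN32_NO_PARSE_PREFIX):
        return path
    return WIN32_NO_PARSE_PREFIX + path


def remove_reserved_entry(path: str) -> None:
    """Delete a reserved-name file or (empty) directory via the \\?\ path form."""
    escaped = win32_no_parse_path(path)
    if os.path.isdir(escaped):
        os.rmdir(escaped)
    else:
        os.remove(escaped)


def main(argv: list) -> int:
    if len(argv) < 2:
        print(f"usage: {argv[0]} <root-dir> [--delete]", file=sys.stderr)
        return 2
    root, delete = argv[1], "--delete" in argv[2:]
    hits = find_reserved_entries(root)
    for hit in hits:
        print(hit)
        if delete:
            remove_reserved_entry(hit)
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python find_reserved.py C:\ ` to list offenders and add `--delete` to remove them; on a Windows host, pass an absolute root so the joined paths are usable with the `\\?\` prefix. The name check and the tree walk are portable and can be exercised on any platform, which is why the classification logic is kept separate from the Windows-specific removal step.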
    
