Multiple AntiVirus Reserved Device Name Handling Vulnerability

• Previous message: vallez_at_gmail.com: "avoiding stackguard"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 19 Oct 2004 08:29:53 +0800
To: bugtraq@securityfocus.com

Multiple AntiVirus Reserved Device Name Handling Vulnerability

Author:Sowhat
Date:October,9th,2004
http://secway.org/Advisory/Ad20041009.txt

Vendor:

AntiVir
www.hbedv.com

Twister
www.filseclab.com

Protector plus 2000
www.pspl.com

Overview:

As many popular AV's "Reserved Device Name Handling Vulnerability"
were reported,
i have tested this well known bugz with some others for fun :)
There are still 3 leaving for me ,tested with the lastest or the most
popular version.

Descritption:

Exploitation of this design vulnerability in these AntiVirus products
could allow malicious code to evade detection.

The problem is that during the automatic and manual scans,these Avs
dont consistently scan the files and directories named as reserved
MS-DOS devices,
such as AUX, CON, PRN, COM1 and LPT1 etc.
When these Avs scan the files and folders named with Reserved Device Name,
they will fail to detect and report the malicious code,then they can
avoid detection.

This vulnerablity is most exactly as the Symantec's
so,if you want to see more information ,
just google "Symantec Security Advisory SYM04-015" || "iDEFENSE
Security Advisory 10.05.04b"

WorkAround:

Delelte all the files and folders named with Reserved Device Name.

Vendor Status:

I have contacted all 3 vendors,only Twister replied and they will
fixed it in the
next release.

CREDIT:
Sowhat 0f the ITS Security Research Team
Sowhat[0x40]secway[0x2e]org

• Previous message: vallez_at_gmail.com: "avoiding stackguard"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]