Re: [Full-Disclosure] iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

[3APA3A <3APA3A@xxxxxxxxxxxxxxxx>]

Dear idlabs-advisories@xxxxxxxxxxxx,

This  vuilnerability  for  Symantec  was  reported  in February, 2003 by
3APA3A (for Kaspersky Antivirus)

http://www.security.nnov.ru/search/document.asp?docid=4061

and  by James C Slora Jr for Symantec (with a copy to Bugtraq moderator,
his message was published by SECURITY.NNOV)

http://www.security.nnov.ru/search/document.asp?docid=4081

This  issue  was  reported  to Symantec, but official reply was received
from Symantec their antiviral products are not vulnerable (it's signed):

http://www.security.nnov.ru/search/document.asp?docid=4208


I think credits on this issue discovery must be granted to James C Slora
Jr (Jim.Slora at phra.com).

--Tuesday, October 5, 2004, 8:36:22 PM, you wrote to 
idlabs-advisories@xxxxxxxxxxxx:

iaic> Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

iaic> iDEFENSE Security Advisory 10.05.04b:
iaic> www.idefense.com/application/poi/display?id=147&type=vulnerabilities
iaic> October 5, 2004

iaic> I. BACKGROUND

iaic> Symantec's Norton AntiVirus protects email, instant messages, and other
iaic> files by automatically removing viruses, worms, and Trojan horses. More
iaic> information about the product is available from http://www.symantec.com

iaic> II. DESCRIPTION

iaic> Remote exploitation of design vulnerability in Symantec's Norton
iaic> AntiVirus allows malicious code to evade detection.

iaic> The problem specifically exists in attempts to scan files and
iaic> directories named as reserved MS-DOS devices. Reserved MS-DOS device
iaic> names are a hold over from the original days of Microsoft DOS. The
iaic> reserved MS-DOS device names represent devices such as the first printer
iaic> port (LPT1) and the first serial communication port (COM1). Sample
iaic> reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1. If a
iaic> virus stores itself in a reserved device name it can avoid detection by
iaic> Symantec Norton AntiVirus when the system is scanned. Symantec Norton
iaic> AntiVirus will scan the files and folders containing the virus and fail
iaic> to detect or report them. reserved device names can be creating with
iaic> standard Windows utilities by specifying the full Universal Naming
iaic> Convention (UNC) path. The following command will successfully copy a
iaic> file to the reserved device name 'aux' on the C:\ drive:

iaic>     copy source \\.\C:\aux

iaic> III. ANALYSIS

iaic> Exploitation allows attackers to evade detection of malicious code.
iaic> Attackers can unpack or decode an otherwise detected malicious payload
iaic> in a stealth manner.

iaic> IV. DETECTION

iaic> iDEFENSE has confirmed the existence of this vulnerability in the latest
iaic> version of Norton AntiVirus. It is reported that earlier versions crash
iaic> upon parsing files or directories using reserved MS-DOS device names.

iaic> V. WORKAROUND

iaic> Ensure that no local files or directories using reserved MS-DOS device
iaic> names exist. On most modern Windows systems there should be no reserved
iaic> MS-DOS device names present. While the Windows search utility can be
iaic> used to locate offending files and directories, either a seperate tool
iaic> or the specification of Universal Naming Convention (UNC) must be used
iaic> to remote them. The following command will successfully remove a file
iaic> stored on the C:\ drive named 'aux':

iaic>     del \\.\C:\aux

iaic> VI. VENDOR RESPONSE

iaic> "Symantec engineers have developed a fix for this issue for Symantec
iaic> Norton AntiVirus 2004 that is currently available through LiveUpdate.
iaic> The fix is being incorporated into all other supported Symantec Norton
iaic> AntiVirus versions and will be available through LiveUpdate when fully
iaic> tested and released."

iaic> More information is available in Symantec Security Advisory SYM04-015.

iaic> VII. CVE INFORMATION

iaic> The Common Vulnerabilities and Exposures (CVE) project has assigned the
iaic> names CAN-2004-0920 to these issues. This is a candidate for inclusion
iaic> in the CVE list (http://cve.mitre.org), which standardizes names for
iaic> security problems.

iaic> VIII. DISCLOSURE TIMELINE

iaic> 05/12/2004   Vulnerability acquired by iDEFENSE
iaic> 06/25/2004   iDEFENSE clients notified
iaic> 06/29/2004   Initial vendor notification
iaic> 06/30/2004   Initial vendor response
iaic> 10/05/2004   Coordinated public disclosure

iaic> IX. CREDIT

iaic> Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.

iaic> Get paid for vulnerability research
iaic> http://www.idefense.com/poi/teams/vcp.jsp

iaic> X. LEGAL NOTICES

iaic> Copyright (c) 2004 iDEFENSE, Inc.

iaic> Permission is granted for the redistribution of this alert
iaic> electronically. It may not be edited in any way without the express
iaic> written consent of iDEFENSE. If you wish to reprint the whole or any
iaic> part of this alert in any other medium other than electronically, please
iaic> email customerservice@xxxxxxxxxxxx for permission.

iaic> Disclaimer: The information in the advisory is believed to be accurate
iaic> at the time of publishing based on currently available information. Use
iaic> of the information constitutes acceptance for use in an AS IS condition.
iaic> There are no warranties with regard to this information. Neither the
iaic> author nor the publisher accepts any liability for any direct, indirect,
iaic> or consequential loss or damage arising from use of, or reliance on,
iaic> this information.

iaic> _______________________________________________
iaic> Full-Disclosure - We believe in it.
iaic> Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
~/ZARAZA
В расчетах была ошибка.  (Лем)