Re: [Full-Disclosure] iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability
Dear idlabs-advisories@xxxxxxxxxxxx,
This vuilnerability for Symantec was reported in February, 2003 by
3APA3A (for Kaspersky Antivirus)
http://www.security.nnov.ru/search/document.asp?docid=4061
and by James C Slora Jr for Symantec (with a copy to Bugtraq moderator,
his message was published by SECURITY.NNOV)
http://www.security.nnov.ru/search/document.asp?docid=4081
This issue was reported to Symantec, but official reply was received
from Symantec their antiviral products are not vulnerable (it's signed):
http://www.security.nnov.ru/search/document.asp?docid=4208
I think credits on this issue discovery must be granted to James C Slora
Jr (Jim.Slora at phra.com).
--Tuesday, October 5, 2004, 8:36:22 PM, you wrote to
idlabs-advisories@xxxxxxxxxxxx:
iaic> Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability
iaic> iDEFENSE Security Advisory 10.05.04b:
iaic> www.idefense.com/application/poi/display?id=147&type=vulnerabilities
iaic> October 5, 2004
iaic> I. BACKGROUND
iaic> Symantec's Norton AntiVirus protects email, instant messages, and other
iaic> files by automatically removing viruses, worms, and Trojan horses. More
iaic> information about the product is available from http://www.symantec.com
iaic> II. DESCRIPTION
iaic> Remote exploitation of design vulnerability in Symantec's Norton
iaic> AntiVirus allows malicious code to evade detection.
iaic> The problem specifically exists in attempts to scan files and
iaic> directories named as reserved MS-DOS devices. Reserved MS-DOS device
iaic> names are a hold over from the original days of Microsoft DOS. The
iaic> reserved MS-DOS device names represent devices such as the first printer
iaic> port (LPT1) and the first serial communication port (COM1). Sample
iaic> reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1. If a
iaic> virus stores itself in a reserved device name it can avoid detection by
iaic> Symantec Norton AntiVirus when the system is scanned. Symantec Norton
iaic> AntiVirus will scan the files and folders containing the virus and fail
iaic> to detect or report them. reserved device names can be creating with
iaic> standard Windows utilities by specifying the full Universal Naming
iaic> Convention (UNC) path. The following command will successfully copy a
iaic> file to the reserved device name 'aux' on the C:\ drive:
iaic> copy source \\.\C:\aux
iaic> III. ANALYSIS
iaic> Exploitation allows attackers to evade detection of malicious code.
iaic> Attackers can unpack or decode an otherwise detected malicious payload
iaic> in a stealth manner.
iaic> IV. DETECTION
iaic> iDEFENSE has confirmed the existence of this vulnerability in the latest
iaic> version of Norton AntiVirus. It is reported that earlier versions crash
iaic> upon parsing files or directories using reserved MS-DOS device names.
iaic> V. WORKAROUND
iaic> Ensure that no local files or directories using reserved MS-DOS device
iaic> names exist. On most modern Windows systems there should be no reserved
iaic> MS-DOS device names present. While the Windows search utility can be
iaic> used to locate offending files and directories, either a seperate tool
iaic> or the specification of Universal Naming Convention (UNC) must be used
iaic> to remote them. The following command will successfully remove a file
iaic> stored on the C:\ drive named 'aux':
iaic> del \\.\C:\aux
iaic> VI. VENDOR RESPONSE
iaic> "Symantec engineers have developed a fix for this issue for Symantec
iaic> Norton AntiVirus 2004 that is currently available through LiveUpdate.
iaic> The fix is being incorporated into all other supported Symantec Norton
iaic> AntiVirus versions and will be available through LiveUpdate when fully
iaic> tested and released."
iaic> More information is available in Symantec Security Advisory SYM04-015.
iaic> VII. CVE INFORMATION
iaic> The Common Vulnerabilities and Exposures (CVE) project has assigned the
iaic> names CAN-2004-0920 to these issues. This is a candidate for inclusion
iaic> in the CVE list (http://cve.mitre.org), which standardizes names for
iaic> security problems.
iaic> VIII. DISCLOSURE TIMELINE
iaic> 05/12/2004 Vulnerability acquired by iDEFENSE
iaic> 06/25/2004 iDEFENSE clients notified
iaic> 06/29/2004 Initial vendor notification
iaic> 06/30/2004 Initial vendor response
iaic> 10/05/2004 Coordinated public disclosure
iaic> IX. CREDIT
iaic> Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.
iaic> Get paid for vulnerability research
iaic> http://www.idefense.com/poi/teams/vcp.jsp
iaic> X. LEGAL NOTICES
iaic> Copyright (c) 2004 iDEFENSE, Inc.
iaic> Permission is granted for the redistribution of this alert
iaic> electronically. It may not be edited in any way without the express
iaic> written consent of iDEFENSE. If you wish to reprint the whole or any
iaic> part of this alert in any other medium other than electronically, please
iaic> email customerservice@xxxxxxxxxxxx for permission.
iaic> Disclaimer: The information in the advisory is believed to be accurate
iaic> at the time of publishing based on currently available information. Use
iaic> of the information constitutes acceptance for use in an AS IS condition.
iaic> There are no warranties with regard to this information. Neither the
iaic> author nor the publisher accepts any liability for any direct, indirect,
iaic> or consequential loss or damage arising from use of, or reliance on,
iaic> this information.
iaic> _______________________________________________
iaic> Full-Disclosure - We believe in it.
iaic> Charter: http://lists.netsys.com/full-disclosure-charter.html
--
~/ZARAZA
В расчетах была ошибка. (Лем)