Dear idlabs-advisories@xxxxxxxxxxxx,

This vulnerability for Symantec was reported in February, 2003 by 3APA3A
(for Kaspersky Antivirus)

http://www.security.nnov.ru/search/document.asp?docid=4061

and by James C Slora Jr for Symantec (with a copy to the Bugtraq moderator;
his message was published by SECURITY.NNOV)

http://www.security.nnov.ru/search/document.asp?docid=4081

This issue was reported to Symantec, but the official reply received from
Symantec was that their antiviral products are not vulnerable (it's signed):

http://www.security.nnov.ru/search/document.asp?docid=4208

I think credit for discovering this issue must be granted to James C Slora Jr
(Jim.Slora at phra.com).

--Tuesday, October 5, 2004, 8:36:22 PM, you wrote to idlabs-advisories@xxxxxxxxxxxx:

iaic> Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability
iaic>
iaic> iDEFENSE Security Advisory 10.05.04b:
iaic> www.idefense.com/application/poi/display?id=147&type=vulnerabilities
iaic> October 5, 2004
iaic>
iaic> I. BACKGROUND
iaic>
iaic> Symantec's Norton AntiVirus protects email, instant messages, and other
iaic> files by automatically removing viruses, worms, and Trojan horses. More
iaic> information about the product is available from http://www.symantec.com
iaic>
iaic> II. DESCRIPTION
iaic>
iaic> Remote exploitation of a design vulnerability in Symantec's Norton
iaic> AntiVirus allows malicious code to evade detection.
iaic>
iaic> The problem specifically exists in attempts to scan files and
iaic> directories named as reserved MS-DOS devices. Reserved MS-DOS device
iaic> names are a holdover from the original days of Microsoft DOS. The
iaic> reserved MS-DOS device names represent devices such as the first printer
iaic> port (LPT1) and the first serial communication port (COM1). Sample
iaic> reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1. If a
iaic> virus stores itself in a reserved device name it can avoid detection by
iaic> Symantec Norton AntiVirus when the system is scanned. Symantec Norton
iaic> AntiVirus will scan the files and folders containing the virus and fail
iaic> to detect or report them. Reserved device names can be created with
iaic> standard Windows utilities by specifying the full Universal Naming
iaic> Convention (UNC) path. The following command will successfully copy a
iaic> file to the reserved device name 'aux' on the C:\ drive:
iaic>
iaic> copy source \\.\C:\aux
iaic>
iaic> III. ANALYSIS
iaic>
iaic> Exploitation allows attackers to evade detection of malicious code.
iaic> Attackers can unpack or decode an otherwise detected malicious payload
iaic> in a stealth manner.
iaic>
iaic> IV. DETECTION
iaic>
iaic> iDEFENSE has confirmed the existence of this vulnerability in the latest
iaic> version of Norton AntiVirus. It is reported that earlier versions crash
iaic> upon parsing files or directories using reserved MS-DOS device names.
iaic>
iaic> V. WORKAROUND
iaic>
iaic> Ensure that no local files or directories using reserved MS-DOS device
iaic> names exist. On most modern Windows systems there should be no reserved
iaic> MS-DOS device names present. While the Windows search utility can be
iaic> used to locate offending files and directories, either a separate tool
iaic> or the specification of Universal Naming Convention (UNC) must be used
iaic> to remove them. The following command will successfully remove a file
iaic> stored on the C:\ drive named 'aux':
iaic>
iaic> del \\.\C:\aux
iaic>
iaic> VI. VENDOR RESPONSE
iaic>
iaic> "Symantec engineers have developed a fix for this issue for Symantec
iaic> Norton AntiVirus 2004 that is currently available through LiveUpdate.
iaic> The fix is being incorporated into all other supported Symantec Norton
iaic> AntiVirus versions and will be available through LiveUpdate when fully
iaic> tested and released."
iaic>
iaic> More information is available in Symantec Security Advisory SYM04-015.
iaic>
iaic> VII. CVE INFORMATION
iaic>
iaic> The Common Vulnerabilities and Exposures (CVE) project has assigned the
iaic> name CAN-2004-0920 to this issue. This is a candidate for inclusion
iaic> in the CVE list (http://cve.mitre.org), which standardizes names for
iaic> security problems.
iaic>
iaic> VIII. DISCLOSURE TIMELINE
iaic>
iaic> 05/12/2004  Vulnerability acquired by iDEFENSE
iaic> 06/25/2004  iDEFENSE clients notified
iaic> 06/29/2004  Initial vendor notification
iaic> 06/30/2004  Initial vendor response
iaic> 10/05/2004  Coordinated public disclosure
iaic>
iaic> IX. CREDIT
iaic>
iaic> Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.
iaic>
iaic> Get paid for vulnerability research
iaic> http://www.idefense.com/poi/teams/vcp.jsp
iaic>
iaic> X. LEGAL NOTICES
iaic>
iaic> Copyright (c) 2004 iDEFENSE, Inc.
iaic>
iaic> Permission is granted for the redistribution of this alert
iaic> electronically. It may not be edited in any way without the express
iaic> written consent of iDEFENSE. If you wish to reprint the whole or any
iaic> part of this alert in any other medium other than electronically, please
iaic> email customerservice@xxxxxxxxxxxx for permission.
iaic>
iaic> Disclaimer: The information in the advisory is believed to be accurate
iaic> at the time of publishing based on currently available information. Use
iaic> of the information constitutes acceptance for use in an AS IS condition.
iaic> There are no warranties with regard to this information. Neither the
iaic> author nor the publisher accepts any liability for any direct, indirect,
iaic> or consequential loss or damage arising from use of, or reliance on,
iaic> this information.
iaic>
iaic> _______________________________________________
iaic> Full-Disclosure - We believe in it.
iaic> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
~/ZARAZA
There was an error in the calculations. (Lem)
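The workaround in section V of the quoted advisory (locate every file or directory named as a reserved MS-DOS device, then remove it through the `\\.\` path form that bypasses device-name parsing) is the part a practitioner has to script. The scanner below is an added example; it is not code from the advisory, from iDEFENSE, from Symantec or from 3APA3A's reply. It assumes the Win32 reserved-name set (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) and the classic Win32 rule that a name stays reserved when followed by an extension (`aux.txt` still resolves to AUX), which is why a scanner that only looks for the bare names misses real hiding places. The sample tree it builds is constructed, and the `C:\scan` location used to print the delete commands is hypothetical.

```python
"""Find files/directories whose names collide with reserved MS-DOS device
names, and emit the \\.\-prefixed delete commands the advisory's workaround
uses.  Added example, not part of the iDEFENSE advisory."""
import os
import shutil
import tempfile

# Names the Win32 subsystem treats as devices (assumption: the classic set,
# valid on NT-family Windows of the advisory's era through Windows 10).
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})

# The literal prefix \\.\ from the advisory's "del \\.\C:\aux"; the Win32
# file-namespace prefix \\?\ serves the same purpose.
DEVICE_PREFIX = "\\\\.\\"


def is_reserved_name(name: str) -> bool:
    """True if Win32 would treat `name` as a device rather than a file.

    Matching is case-insensitive, stops at the first dot (so 'aux.txt' and
    'Com3.log' are still AUX / COM3) and ignores trailing spaces and dots.
    """
    base = name.split(".", 1)[0].rstrip(" .")
    return base.upper() in RESERVED


def find_reserved(root: str) -> list[tuple[str, str]]:
    """Walk `root`; return sorted (relative_path, 'file'|'dir') for every
    entry whose name is reserved.  Paths are normalised to '/' separators."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            if is_reserved_name(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel.replace(os.sep, "/"), "dir"))
        for name in filenames:
            if is_reserved_name(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel.replace(os.sep, "/"), "file"))
    return sorted(hits)


def device_path(win_path: str) -> str:
    """Turn 'C:\\aux' into '\\\\.\\C:\\aux', the form cmd.exe's del/rd need
    to reach an entry that normal name parsing would redirect to a device."""
    if win_path.startswith(DEVICE_PREFIX) or win_path.startswith("\\\\?\\"):
        return win_path
    return DEVICE_PREFIX + win_path


def delete_commands(hits: list[tuple[str, str]], drive_root: str) -> list[str]:
    """Render cmd.exe commands (del for files, rd for directories) for each
    hit, assuming the scanned tree lives under `drive_root` on Windows."""
    cmds = []
    for rel, kind in hits:
        win = drive_root.rstrip("\\") + "\\" + rel.replace("/", "\\")
        cmds.append(("rd " if kind == "dir" else "del ") + device_path(win))
    return cmds


def demo() -> dict:
    """Build a constructed sample tree on a POSIX host (Windows itself will
    not create these names without the \\.\ prefix), scan it, and return
    the hits plus the commands an administrator would run."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "sub", "lpt1"))        # reserved directory
        for name in ("aux", "aux.txt", "Com3.log", "nul.",    # reserved files
                     "report.txt", "config.aux"):             # harmless files
            open(os.path.join(root, "sub", name), "w").close()
        hits = find_reserved(root)
        return {"hits": hits,
                "commands": delete_commands(hits, "C:\\scan")}  # hypothetical location
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = demo()
    for rel, kind in result["hits"]:
        print(f"{kind:4} {rel}")
    print("\n".join(result["commands"]))
```

Run it on a share or extracted archive mounted from a POSIX host, or point `find_reserved` at a Windows tree from Python on Windows; `config.aux` and `report.txt` are deliberately left alone, since only the part of the name before the first dot decides whether Win32 sees a device.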