lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <d65cd4390410180657a518cdc@mail.gmail.com>
Date: Mon, 18 Oct 2004 21:57:06 +0800
From: "Sowhat ." <smaillist@...il.com>
To: bugtraq@...urityfocus.com
Subject: Mutiple AntiVirus Reserved Device Name Handling Vulnerability


Mutiple AntiVirus Reserved Device Name Handling Vulnerability

Author:Sowhat
Date:October,9th,2004
http://secway.org/Advisory/Ad20041009.txt

Vendor:

AntiVir
www.hbedv.com

Twister
www.filseclab.com

Protector plus 2000
www.pspl.com

Overview:

As many popular AV's "Reserved Device Name Handling Vulnerability"
were reported,
i have tested this well known bugz with some others for fun :)
There are still 3 leaving for me ,tested with the lastest or the most
popular version.

Descritption:

Exploitation of this design vulnerability in these AntiVirus products 
could allow malicious code to evade detection.

The problem is that during the automatic and manual scans,these Avs 
dont consistently scan the files and directories named as reserved
MS-DOS devices,
such as AUX, CON, PRN, COM1 and LPT1 etc.
When these Avs scan the files and folders named with Reserved Device Name,
they will fail to detect and report the malicious code,then they can
avoid detection.

This vulnerablity is exactly as the Symantec's
so,if you want to see more information ,
just google "Symantec Security Advisory SYM04-015" || "iDEFENSE
Security Advisory 10.05.04b"


WorkAround:

Delelte all the files and folders named with Reserved Device Name.

Vendor Status:

I have contacted all 3 vendors,only Twister replied and they will
fixed it in the
next release.


CREDIT:
Sowhat 0f the ITS Security Research Team
Sowhat[0x40]secway[0x2e]org


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ