From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

Dear bipin gautam,

This  issue  was really discussed in the past and was fixed in Kaspersky
Antivirus.

http://www.security.nnov.ru/search/document.asp?docid=4061

I  do  work  for  iDefense.  They pay for Mozilla bugs more than Mozilla
does. But not in this case. As you can see

-=-=-=- Quote -=-=-=-
IX. CREDIT

Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.
-=-=-=-  End -=-=-=-

I  never submitted any antiviral bugs to iDefense, but both iDefense and
Kurt Seifried may read security lists. Yes, Kurt tested Symantec against
a good, well-known problem.

--Wednesday, October 6, 2004, 7:02:46 AM, you wrote to full-disclosure@...ts.netsys.com:

bg> hi iDEFENSE,

bg> What a coincidence, this is what I was talking about with a few others
bg> in the list... a day back!!! I myself saw this behaviour...... (I was a
bg> few days short) hey guys you were telling me, "Antiviral vendors are
bg> aware of this problem, it was discussed in the past." so??? iDEFENSE
bg> took away my upcoming advisory. )O;

bg> 3APA3A, do you work for iDEFENSE???????

bg> ANYWAYS, this isn't the first time an advisory has coincided with
bg> another........

bg> cheese,
bg> bipin

bg> --- 3APA3A <3APA3A@...URITY.NNOV.RU> wrote:

>> Dear bipin gautam,
>> 
>> Actually my super antivirus easily detects eicar in nul.con. For
>> example, for c:\NUL.CON\eicar.com
>> 
>> try
>> 
>> antieicar \\.\c:\NUL.CON\eicar.com
>> 
>> Antiviral vendors are aware of this problem, it was discussed in
>> the past.
>> 
>> --Saturday, October 2, 2004, 9:57:52 PM, you wrote
>> to full-disclosure@...ts.netsys.com:
>> 
>> >> OK. I just wrote a new super antivirus. Its databases currently
>> >> consist of only the eicar.com signature (I'm very new in this
>> >> business) but it 100% detects EICAR in the file with removed
>> >> permissions :)
>> >> 
>> >> http://www.security.nnov.ru/files/antieicar.zip
>> >> 
>> >> Now, there is at least one antivirus to break your statement :)
>> 
>> bg> good example 3APA3A to teach those software companies how to,
>> 
>> bg> anyways... here is an archive,
>> 
>> bg> http://www.geocities.com/visitbipin/antiPOC.zip
>> 
>> bg> Extract the archive by using "DEFAULT ZIP MANAGER" of windows xp.
>> bg> It will create a file "NULL.con" (O; within which there is an
>> bg> "eicar test string file".
>> 
>> bg> I don't think your super AV will detect the "eicar test string
>> bg> file" within the "NULL.con" folder??? :)
>> 
>> bg> anyways... let me know HOW? when you figure out how to delete the
>> bg> "NULL.con" directory.
>> 
>> The problem specifically exists in attempts to scan files and
>> directories named as reserved MS-DOS devices. Reserved MS-DOS device
>> names are a holdover from the original days of Microsoft DOS. The
>> reserved MS-DOS device names represent devices such as the first
>> printer port (LPT1) and the first serial communication port (COM1).
>> Sample reserved MS-DOS device names include AUX, CON, PRN, COM1 and
>> LPT1. If a virus stores itself in a reserved device name it can avoid
>> detection by Symantec Norton AntiVirus when the system is scanned.
>> Symantec Norton AntiVirus will scan the files and folders containing
>> the virus and fail to detect or report them. Reserved device names
>> can be created with standard Windows utilities by specifying the full
>> Universal Naming Convention (UNC) path. The following command will
>> successfully copy a file to the reserved device name 'aux' on the C:\
>> drive:
>> 
>>     copy source \\.\C:\aux
>>


bg> _______________________________________________
bg> Full-Disclosure - We believe in it.
bg> Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
~/ZARAZA
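The name rule behind the thread above (why "NUL.CON" or "aux" becomes a device rather than a file, and why the `\\.\` prefix reaches it anyway), as an added example that is not code from the thread, from iDefense or from either poster's tool. It implements the legacy Win32 device-name check and the `\\?\` path rewrite a scanner needs, over a constructed directory listing (`SAMPLE_TREE`, the function names and the listing are this example's own). It is pure string logic, so it runs on any platform; on Windows the `\\?\` form it returns is what `open()` or `os.listdir()` should be given to reach the real NTFS object.

```python
r"""
Added example: the Win32 "legacy DOS device" name check that lets a file or
directory such as C:\NUL.CON\ or C:\aux hide from a scanner, plus the \\?\
path rewrite the scanner must use to reach such objects. Pure string logic;
not code from the thread, the advisory, antieicar or antiPOC.
"""
import re
from typing import Iterable, List, Tuple

# CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9 (COM0, LPT0, COM10 are not reserved).
_RESERVED = {"CON", "PRN", "AUX", "NUL"}
_RESERVED |= {f"COM{i}" for i in range(1, 10)}
_RESERVED |= {f"LPT{i}" for i in range(1, 10)}


def is_reserved_device_name(component: str) -> bool:
    r"""Legacy Win32 rule (RtlIsDosDeviceName_U): strip trailing spaces and
    dots, cut at the first '.' or ':', compare case-insensitively.
    "NUL.CON", "aux.txt", "Con   " and "LPT1.log" are all devices;
    "console.txt" and "COM10" are not. Newer Windows releases relaxed this
    for names carrying an extension, so treat a hit as the worst case."""
    stem = component.rstrip(" .")
    stem = re.split(r"[.:]", stem, maxsplit=1)[0].rstrip(" ")
    return stem.upper() in _RESERVED


def device_namespace_path(path: str) -> str:
    r"""Return the \\?\ (extended-length) form of an absolute drive path.
    The prefix switches off Win32 path normalisation, so the device-name
    rewrite, trailing-dot stripping and MAX_PATH limit no longer apply and
    the NTFS object is opened by its literal name. A path that already
    carries \\?\ or \\.\ is returned unchanged."""
    p = path.replace("/", "\\")
    if p.startswith("\\\\?\\") or p.startswith("\\\\.\\"):
        return p
    if not re.match(r"^[A-Za-z]:\\", p):
        raise ValueError(f"need an absolute drive-letter path, got {path!r}")
    return "\\\\?\\" + p


def find_reserved_components(paths: Iterable[str]) -> List[Tuple[str, str, str]]:
    r"""For every path with a reserved-name component, return
    (path, first offending component, \\?\ path to open it with)."""
    hits = []
    for p in paths:
        components = p.replace("/", "\\").split("\\")
        bad = [c for c in components[1:] if is_reserved_device_name(c)]  # skip "C:"
        if bad:
            hits.append((p, bad[0], device_namespace_path(p)))
    return hits


# Constructed directory listing for the demo (hypothetical, not from the post).
SAMPLE_TREE = [
    r"C:\NUL.CON\eicar.com",
    r"C:\aux",
    r"C:\Users\bg\notes.txt",
    r"C:\work\lpt1.log",
    r"C:\work\console.txt",
    r"C:\work\COM10.txt",
]


if __name__ == "__main__":
    for original, component, safe in find_reserved_components(SAMPLE_TREE):
        print(f"{original}: component {component!r} is a DOS device name; "
              f"open it as {safe}")
```

A scanner that walks the tree with the `\\?\` form from the start never has to special-case these names, which is the same idea as the `antieicar \\.\c:\NUL.CON\eicar.com` invocation in the thread; the per-component check is still useful for reporting why a path needed it.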

