lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1817379213.20041006142535@SECURITY.NNOV.RU>
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

Dear bipin gautam,

This  issue  was really discussed in the past and was fixed in Kaspersky
Antivirus.

http://www.security.nnov.ru/search/document.asp?docid=4061

I  do  work  for  iDefense.  They pay for Mozilla bugs more than Mozilla
does. But not in this case. As you can see

-=-=-=- Quote -=-=-=-
IX. CREDIT

Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.
-=-=-=-  End -=-=-=-

I  never submitted any antiviral bugs to iDefense, but both iDefense and
Kurt Seifried may read security lists. Yes, Kurt tested Symantec against
good well known problem.

--Wednesday, October 6, 2004, 7:02:46 AM, you wrote to full-disclosure@...ts.netsys.com:

bg> hi iDEFENSE,

bg> What a coincidence, This is what i was talking about
bg> with few others in the list... a day 
bg> back!!! I myself saw this behavoir...... (i was a few
bg> days short) hay guys you were telling me, "Antiviral
bg> vendors aware about this problem, it was discussed in
bg> past." so??? iDEFENSE took away my upcomming advisort.
bg> )O;

bg> 3APA3A, do you work for iDEFENSE???????

bg> ANYWAYS, this isn't a first time a advisory has
bg> coinside with other........

bg> cheese,
bg> bipin

bg> --- 3APA3A <3APA3A@...URITY.NNOV.RU> wrote:

>> Dear bipin gautam,
>> 
>> Actually  my  super  antivirus  easily  detects 
>> eicar  in  nul.con. For
>> example, for c:\NUL.CON\eicar.com
>> 
>> try
>> 
>> antieicar \\.\c:\NUL.CON\eicar.com
>> 
>> Antiviral vendors aware about this problem, it was
>> discussed in past.
>> 
>> --Saturday, October 2, 2004, 9:57:52 PM, you wrote
>> to full-disclosure@...ts.netsys.com:
>> 
>>  
>> >> OK.  I  just wrote new super antivirus. It's
>> >> databases currently consist
>> >> from  only  eicar.com  signature  (I'm very new
>> in
>> >> this business) but it
>> >> 100% detects EICAR in the file with removed
>> >> permissions :)
>> >> 
>> >> http://www.security.nnov.ru/files/antieicar.zip
>> 
>> >> Now, there is at least one antivirus to break
>> your
>> >> statement :)
>> >> 
>> 
>> 
>> bg> good example 3APA3A to teach those software
>> companies
>> bg> howto, 
>> 
>> bg> anyways... here is a archive, 
>> 
>> bg> http://www.geocities.com/visitbipin/antiPOC.zip
>> 
>> bg> Extract the archive by using "DEFAULT ZIP
>> MANAGER" of
>> bg> windows xp. It will create a file "NULL.con" (O;
>> bg> within which there is a "eicar test string
>> file". 
>> 
>> bg> I don't think your super AV will detect the
>> "eicar
>> bg> test string file" withing "NULL.con" folder???
>> :)
>> 
>> bg> anyways... let me know HOW? when you figure out
>> to how
>> bg> to delete "NULL.con" directory.
>> 
>> 

>> The problem specifically exists in attempts to scan
>> files and
>> directories named as reserved MS-DOS devices.
>> Reserved MS-DOS device
>> names are a hold over from the original days of
>> Microsoft DOS. The
>> reserved MS-DOS device names represent devices such
>> as the first printer
>> port (LPT1) and the first serial communication port
>> (COM1). Sample
>> reserved MS-DOS device names include AUX, CON, PRN,
>> COM1 and LPT1. If a
>> virus stores itself in a reserved device name it can
>> avoid detection by
>> Symantec Norton AntiVirus when the system is
>> scanned. Symantec Norton
>> AntiVirus will scan the files and folders containing
>> the virus and fail
>> to detect or report them. reserved device names can
>> be creating with
>> standard Windows utilities by specifying the full
>> Universal Naming
>> Convention (UNC) path. The following command will
>> successfully copy a
>> file to the reserved device name 'aux' on the C:\
>> drive:
>> 
>>     copy source \\.\C:\aux
>> 
>>


		
bg> _______________________________
bg> Do you Yahoo!?
bg> Declare Yourself - Register online to vote today!
bg> http://vote.yahoo.com

bg> _______________________________________________
bg> Full-Disclosure - We believe in it.
bg> Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
~/ZARAZA
?? ? ??????, ??????, ?????????? ???????????? ??? ?????? ???????. (????)


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ