Re: SECURITY.NNOV: special devices access in multiple archivers

From: Andreas Marx (amarx@gega-it.de)
Date: Thu Aug 02 2001 - 02:11:44 PDT


    Hello,
    
    we, the Anti-Virus Test Team at the University of Magdeburg, have looked at 
    this issue about problematic filenames like "AUX", "NUL" or ".." inside 
    archives now on 39 security-related programs like anti-virus scanners 
    (Norton, McAfee, CA, AntiVir, AVX, Kaspersky etc.) as well as anti-trojan 
    programs (Ants, Anti-Trojan, Tauscan, etc.). To make it short: Most programs 
    are not affected.
    
    The first test includes file names like "NUL.EXE", "AUX.EXE", "LPT1.EXE" 
    and "CLOCK$.EXE" in archive files (please note, that "NUL" and "NUL.EXE" 
    have exactly the same behaviour, we just used "EXE" to make sure a scanner 
    will really try to check this file in the archive). Archive types tested: 
    ZIP and ARJ.
    
    Result: Only *one* program *crashes* (it is a nearly unknown and not widely 
    distributed anti-trojan scanner, vendor was notified about this issue) on 
    both ARJ and ZIP archives, most other programs are still able to find the 
    infected file (if they scan archives).
    
    The second test includes file names like "../TEST.EXE" up to 
    "../../../../../TEST.EXE" in ZIP archives. No program drops the TEST.EXE 
    file somewhere on drive C:. All scanners who found the original (not 
    packed) file were still able to find the virus in the malformed archive. 
    Therefore, there is no "scanner drops possible infected files" (Bat/WinRip 
    issue) anymore - all vendors have fixed possible problems at least one year 
    ago. (We have tested older and newer versions of the programs on this issue.)
    
    Therefore, there is no risk of scanning such malformed archives using av 
    programs. However, most current archivers (according to 3APA3A's report) 
    still have a problem - and a lot of other programs, too. We have verified this 
    during our test if the archives are really malformed. ;-) - Some crash on 
    files like "NUL.EXE", others drop files from the ZIP archive to "somewhere" 
    on the disc...
    
    cheers,
    Andreas
    
    btw, our newest anti-virus scanner test for both Lotus Notes 4/5 and MS 
    Exchange 5.5/2000 Groupware is now available at http://www.av-test.org for 
    download and as an online representation ("interactive" tables and bar plots).
    
    
    -- 
    Andreas Marx <amarx@gega-it.de>, http://www.av-test.de
    GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
    Tel: 0391/6075466, Mobil: 0177/6133033, Fax: 0391/6075469
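
The two name classes tested in the message above (DOS device names such as "NUL.EXE" and "../" prefixes) can be screened before any ZIP member is written to disk. The following is an added example, not part of the original post or of any tested product; the function names, the sample archive, and the device names beyond those the post lists (CON, PRN, COM1-9, LPT2-9) are assumptions of this example.

```python
import io
import zipfile
from pathlib import PureWindowsPath

# DOS device names that Windows resolves in any directory, with or without
# an extension ("NUL" and "NUL.EXE" behave the same, as the post notes).
RESERVED = {"CON", "PRN", "AUX", "NUL", "CLOCK$"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}

def classify_member(name):
    """Return the reasons a member name is unsafe to extract (empty list if none)."""
    reasons = []
    path = PureWindowsPath(name.replace("/", "\\"))
    if path.drive or path.root:
        reasons.append("absolute path")
    if ".." in path.parts:
        reasons.append("parent-directory traversal")
    for part in path.parts:
        # Compare only the text before the first dot, ignoring trailing spaces.
        stem = part.split(".", 1)[0].rstrip(" ").upper()
        if stem in RESERVED:
            reasons.append(f"reserved device name {stem}")
    return reasons

def audit_zip(data):
    """Map each unsafe member name in a ZIP (given as bytes) to its reasons."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: r for n in zf.namelist() if (r := classify_member(n))}

def build_sample():
    """Constructed sample archive using the name patterns from the post."""
    names = ("docs/readme.txt", "NUL.EXE", "dir/aux.txt",
             "CLOCK$.EXE", "../../TEST.EXE")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed test content")
    return buf.getvalue()

if __name__ == "__main__":
    for member, why in audit_zip(build_sample()).items():
        print(f"{member!r}: {', '.join(why)}")
```

The check only reads the archive's member list, so nothing is extracted while it runs; an extractor would skip or rename every member it reports.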
    


