Re: SECURITY.NNOV: special devices access in multiple archivers

From: Andreas Marx (amarx@gega-it.de)
Date: Fri Aug 10 2001 - 10:07:03 PDT

Next message: Scott Blake: "Re: Can we afford full disclosure of security holes?"

Previous message: aleph1at_private: "Administrivia: Full Disclosure Debate"
In reply to: Juergen P. Meier: "Re: SECURITY.NNOV: special devices access in multiple archivers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

>Thats not entirely true, you can easily add such files using other Operating
>systems, that do not suffer from defective or braindead filename conventions.
>Zip archiving tools are available for a wide variety of unix systems, which
>allow creation and adding of files like NUL.EXE flawlessly ;)

OK, yes, you can add such files under Linux, for example. However, there is 
no solution (as far as I know) to add files like "../../test.exe", right? 
Paths with "normal" subdirs causes no problems (neither under Windows nor 
other OS). That was the major reason why we used a disk editor and not 
simply Linux.

>The testing of Windows based Antivirus products has to be done within
>windows. Although i would run them inside vmware or similar virtual boxen.

We used plain vanilla windows (why vmware?).

>Did you also test Unix based virus scanners? there are quite a few AV
>Products that have scanners running on Unix.

This was the reason why my answer is late - after we found that the desktop 
products passed the test very well, we tried Linux-based products as well 
as Notes (NT) and Exchange products (NT) - together 23 different. In the 
default configuration, no program we have tested was vulnerable. Only in 
some special cases (very unlikely, but possible) and only in "integrated" 
products (all tested av-only software works fine) that uses external 
archivers the ".." bug exists.

This is really critical, but we have notified the producers and I'll post 
more info's about this issue when a fix is released. Again: This bug can be 
exploited only in very, very unlikely situations. (It's not a useful 
configuration at all.)

But it is possible - and this is a really dangerous issue, since the 
programs with this problems runs at root or system service with admin 
rights... (even the extraction programs) - it's trivial to replace a file 
on the server ( /etc/passwd or /etc/shadow as well as win.ini) for example 
- to get root or change (overwrite) the configuration of the programs.

An advisory will be released some days after the bugs were fixed - I expect 
it next week.

cheers,
Andreas

NEW: Notes 4/5 + Exchange 5.5/2000 AV Test -> http://www.av-test.org


-- 
Andreas Marx <amarx@gega-it.de>, http://www.av-test.de
GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
Tel: 0391/6075466, Mobil: 0177/6133033, Fax: 0391/6075469

Next message: Scott Blake: "Re: Can we afford full disclosure of security holes?"
Previous message: aleph1at_private: "Administrivia: Full Disclosure Debate"
In reply to: Juergen P. Meier: "Re: SECURITY.NNOV: special devices access in multiple archivers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 18:37:38 PDT