UNIRAS Brief - 551/04 - iDEFENSE Security Advisory 10.05.04b
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 551/04 dated 07.10.04  Time: 10:15  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

iDEFENSE Security Advisory 10.05.04b - Symantec Norton AntiVirus Reserved Device 
                                       Name Handling Vulnerability
Detail
====== 

Remote exploitation of a design vulnerability in Symantec's Norton AntiVirus allows
malicious code to evade detection.

           ESB-2004.0626 -- iDEFENSE Security Advisory 10.05.04b
   Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability
                              6 October 2004


Product:                Symantec Norton AntiVirus
Publisher:              iDEFENSE
Operating System:       Windows
Impact:                 Reduced Security
Access:                 Remote/Unauthenticated
CVE Names:              CAN-2004-0920
Original Bulletin URL:  http://www.idefense.com/application/poi/display?id=147

- - --------------------------BEGIN INCLUDED TEXT--------------------

Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

iDEFENSE Security Advisory 10.05.04b: www.idefense.com/application/poi/display?id=147&type=vulnerabilities
October 5, 2004

I. BACKGROUND

Symantec's Norton AntiVirus protects email, instant messages, and other files by automatically removing viruses, worms, and Trojan horses. More information about the product is available from http://www.symantec.com

II. DESCRIPTION

Remote exploitation of a design vulnerability in Symantec's Norton AntiVirus allows malicious code to evade detection.

The problem specifically exists in attempts to scan files and directories named as reserved MS-DOS devices. Reserved MS-DOS device names are a holdover from the original days of Microsoft DOS. They represent devices such as the first printer port (LPT1) and the first serial communication port (COM1). Sample reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1.

If a virus stores itself under a reserved device name, it can avoid detection by Symantec Norton AntiVirus when the system is scanned: Norton AntiVirus will scan the files and folders containing the virus and fail to detect or report them. Files with reserved device names can be created with standard Windows utilities by specifying the full Universal Naming Convention (UNC) path. The following command will successfully copy a file to the reserved device name 'aux' on the C:\ drive:

    copy source \\.\C:\aux

III. ANALYSIS

Exploitation allows attackers to evade detection of malicious code. Attackers can unpack or decode an otherwise detected malicious payload in a stealthy manner.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in the latest version of Norton AntiVirus. It is reported that earlier versions crash upon parsing files or directories using reserved MS-DOS device names.

V. WORKAROUND

Ensure that no local files or directories using reserved MS-DOS device names exist. On most modern Windows systems there should be no reserved MS-DOS device names present. While the Windows search utility can be used to locate offending files and directories, either a separate tool or a full Universal Naming Convention (UNC) path must be used to remove them. The following command will successfully remove a file stored on the C:\ drive named 'aux':

    del \\.\C:\aux
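The workaround above amounts to two steps: find every file or directory whose name resolves to a reserved device, then remove it through the \\.\ prefix so the Win32 path parser does not substitute the device for the file. The script below is an added example, not part of the iDEFENSE advisory or any Symantec tool. The directory listing it scans is constructed, and remove_reserved_entry() is a hypothetical helper that mirrors the advisory's `del \\.\C:\aux` step and only does anything on Windows. It goes slightly beyond the advisory's 'aux' case: Windows applies the substitution to a name regardless of extension and case, so 'Con.txt' is treated as the CON device and is flagged too, while 'com10' and 'auxiliary' are not.

```python
r"""Find and remove files or directories named after reserved MS-DOS devices.

Added example for the Norton AntiVirus advisory above; not iDEFENSE or
Symantec code. SAMPLE_LISTING is constructed, and remove_reserved_entry()
is a hypothetical helper mirroring the advisory's `del \\.\C:\aux` workaround.
"""
import ntpath
import os
from typing import Iterable, List

# Device names the Win32 path parser substitutes in any directory:
# CON, PRN, AUX, NUL, COM1-COM9 and LPT1-LPT9.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{n}" for n in range(1, 10)]
    + [f"LPT{n}" for n in range(1, 10)]
)


def is_reserved_device_name(component: str) -> bool:
    """True if a single path component resolves to a reserved device.

    Win32 matches case-insensitively, ignores everything after the first
    dot (so 'aux.txt' is still AUX) and ignores trailing spaces and dots.
    """
    stem = component.rstrip(" .").split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES


def flag_reserved_entries(paths: Iterable[str]) -> List[str]:
    """Return the paths whose last component is a reserved device name.

    Takes plain path strings, so it can run offline over a listing captured
    on another host (for example the output of `dir /s /b`).
    """
    flagged = []
    for path in paths:
        component = path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]
        if is_reserved_device_name(component):
            flagged.append(path)
    return flagged


def scan_tree(root: str) -> List[str]:
    """Walk a local directory tree and return reserved-name files and dirs."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_reserved_device_name(name):
                hits.append(os.path.join(dirpath, name))
    return hits


def device_namespace_path(path: str) -> str:
    r"""Rewrite an absolute drive path into the \\.\ form the advisory uses.

    'C:\temp\aux' -> '\\.\C:\temp\aux'. The \\.\ prefix hands the path to
    the Win32 device namespace without the device-name substitution that
    would make a plain `del C:\temp\aux` address the AUX device instead.
    """
    if path.startswith("\\\\"):
        return path  # already a device-namespace or UNC path
    drive, tail = ntpath.splitdrive(path)
    if not drive or not tail.startswith("\\"):
        raise ValueError(f"expected an absolute drive-letter path, got {path!r}")
    return "\\\\.\\" + drive + tail


def remove_reserved_entry(path: str) -> str:
    r"""Hypothetical cleanup helper: delete one flagged entry via its \\.\ path.

    Only meaningful on Windows; returns the path actually handed to the OS.
    """
    target = device_namespace_path(path)
    if os.name != "nt":
        raise OSError("reserved-name cleanup is only applicable on Windows")
    if os.path.isdir(target):
        os.rmdir(target)
    else:
        os.remove(target)
    return target


# Constructed sample listing (not taken from a real host).
SAMPLE_LISTING = [
    "C:\\Users\\alice\\Documents\\report.doc",
    "C:\\temp\\aux",             # bare reserved name, as in the advisory
    "C:\\temp\\Con.txt",         # extension does not help: still CON
    "C:\\temp\\lpt1\\",          # a directory named after a printer port
    "C:\\temp\\com10.dat",       # COM10 is not one of the classic names
    "C:\\temp\\nulls.txt",       # 'nulls' is not 'nul'
    "C:\\temp\\auxiliary.log",   # prefix match only
]

if __name__ == "__main__":
    for hit in flag_reserved_entries(SAMPLE_LISTING):
        print(f"{hit}  ->  del {device_namespace_path(hit)}")
```

Running the script prints the three flagged entries from the constructed listing together with the \\.\ path a `del` would need; scan_tree() does the same over a live directory tree, and on Windows remove_reserved_entry() performs the deletion through that path.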

VI. VENDOR RESPONSE

"Symantec engineers have developed a fix for this issue for Symantec Norton AntiVirus 2004 that is currently available through LiveUpdate. The fix is being incorporated into all other supported Symantec Norton AntiVirus versions and will be available through LiveUpdate when fully tested and released."

More information is available in Symantec Security Advisory SYM04-015.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0920 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

05/12/2004   Vulnerability acquired by iDEFENSE
06/25/2004   iDEFENSE clients notified
06/29/2004   Initial vendor notification
06/30/2004   Initial vendor response
10/05/2004   Coordinated public disclosure

IX. CREDIT

Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.

Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@xxxxxxxxxxxx for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.



- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone, or send Not Protectively Marked information by 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of iDEFENSE for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQWUHnIpao72zK539AQEj6QP+Ogc7JIchkeU1FbxwnluUn3tp0C3nOsNd
4n2yzE70yuwiPGbpIrmnbekYXE1BkOQk+kF6YO5ZThW/MBE1W0aIPftm7OX2f4LI
9sF1srKU7Ru28FKXW9pcdthOdSZd1GCDKtlT/lvxC0jQilZbqM5Ifta5mYmB+xr+
U4aPOby2hrA=
=O5WJ
-----END PGP SIGNATURE-----