TUCoPS :: Security App Flaws :: hack0631.htm

Multiple AntiVirus Reserved Device Name Handling vuln
Multiple AntiVirus Reserved Device Name Handling Vulnerability 

Multiple AntiVirus Reserved Device Name Handling Vulnerability

Author:Sowhat
Date:October,9th,2004
http://secway.org/Advisory/Ad20041009.txt 

Vendor:

AntiVir
www.hbedv.com 

Twister
www.filseclab.com 

Protector plus 2000
www.pspl.com 

Overview:

As many popular AV's "Reserved Device Name Handling Vulnerability"
were reported,
i have tested this well known bugz with some others for fun :)
There are still 3 leaving for me ,tested with the lastest or the most
popular version.

Descritption:

Exploitation of this design vulnerability in these AntiVirus products
could allow malicious code to evade detection.

The problem is that during the automatic and manual scans,these Avs
dont consistently scan the files and directories named as reserved
MS-DOS devices,
such as AUX, CON, PRN, COM1 and LPT1 etc.
When these Avs scan the files and folders named with Reserved Device Name,
they will fail to detect and report the malicious code,then they can
avoid detection.

This vulnerablity is most exactly as the Symantec's
so,if you want to see more information ,
just google "Symantec Security Advisory SYM04-015" || "iDEFENSE
Security Advisory 10.05.04b"

WorkAround:

Delelte all the files and folders named with Reserved Device Name.

Vendor Status:

I have contacted all 3 vendors,only Twister replied and they will
fixed it in the
next release.

CREDIT:
Sowhat 0f the ITS Security Research Team
Sowhat[0x40]secway[0x2e]org

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH