[21497] in bugtraq
Re: SECURITY.NNOV: directory traversal and path globing in multiple archivers
daemon@ATHENA.MIT.EDU (Andreas Marx)
Mon Jul 16 00:06:19 2001
From: "Andreas Marx" <amarx@gega-it.de>
To: bugtraq@securityfocus.com, amarx@gega-it.de
Date: Thu, 12 Jul 2001 21:55:23 +0200
Cc: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Message-ID: <3B4E1CCB.16871.2313B1@localhost>
In-reply-to: <4713294566.20010712124125@SECURITY.NNOV.RU>
Hello,
the ".." bug and how it can be exploited is quite old, so I was
surprised that the newer packer programs still have it. :-(
Network Associates ( http://www.nai.com ) found a virus in mid-2000
called "Bat/Winrip", which uses such a way to replicate. After the
virus had been found by the German NAI office, warnings were sent out
both to other AV companies and to developers of packer programs. But
it seems that only a few people have taken steps against this issue
in their programs.
The most interesting thing about this virus was that it was able to
replicate using the extraction routine of a virus scanner: some
scanners still extract every file of an archive to disk first (e.g. to
C:\TEMP) and only after that look for a virus inside the unzipped
file.
Some virus scanners used external unpackers or special DLL routines
for doing this, both using the full path and accepting ".." or "\".
By now this should have changed: some still extract the files first
(which is relatively slow, so scanning everything in memory is more
effective), but usually using a random file name and/or ignoring path
statements, as far as I know.
The trick of the WinRip virus was to drop itself to the autostart folder:
"\winnt\profiles\default user\start menu\programs\startup\winrip.bat". After a
reboot (and if this was really the 'correct' folder!) the virus could activate...
I remember this virus very well, since I wrote a longer article about
this virus and the security-related issue for the PC-WELT magazine in
German ( http://www.pcwelt.de/ratgeber/online/15968/ ).
cheers,
Andreas Marx
AV-Test.org - Tests of Anti-Virus Programs
--
Andreas Marx, amarx@gega-it.de, http://www.av-test.org
GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
Tel: 0391/6075466, Mobile: 0177/6133033, Fax: 0391/6075469
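The two mitigations Marx mentions above (refuse member names that climb out of the extraction directory via "..", backslashes or absolute paths, and scan archive contents in memory instead of unpacking to a temp directory first) as an added Python example. This is not code from the original mail nor from any scanner or archiver it discusses; the archive is constructed in memory with made-up member names modelled on the ".." trick in the mail, and the size cap, directory name and function names are my own assumptions.

```python
import io
import os
import posixpath
import re
import shutil
import tempfile
import zipfile
from typing import Dict, List, Optional

# Assumed per-member read cap: scanning in memory still needs a bound, or a
# highly compressed member can exhaust RAM instead of the disk.
MAX_MEMBER_BYTES = 16 * 1024 * 1024


def build_sample_zip() -> bytes:
    """Constructed sample archive (no real malware): one benign entry plus
    member names that use the path tricks described in the mail."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless text")
        # ".." climbs out of the extraction dir into the autostart folder
        zf.writestr("../../winnt/profiles/default user/start menu/programs/"
                    "startup/winrip.bat", "@echo evil")
        # backslashes: a Windows extractor treats these as separators too
        zf.writestr("..\\..\\winnt\\evil.bat", "@echo evil")
        # absolute paths, DOS drive style and Unix style
        zf.writestr("C:\\winnt\\evil.bat", "@echo evil")
        zf.writestr("/etc/evil", "@echo evil")
    return buf.getvalue()


def safe_member_path(name: str, dest: str) -> Optional[str]:
    """Return the normalised path (relative to dest, '/'-separated) at which a
    member may be written, or None if the name would escape dest."""
    norm = name.replace("\\", "/")          # treat "\" as a separator as well
    if "\0" in norm:
        return None
    if re.match(r"^[A-Za-z]:", norm) or norm.startswith("/"):
        return None                         # drive letter or absolute path
    norm = posixpath.normpath(norm)
    if norm in (".", "..") or norm.startswith("../"):
        return None                         # still climbs above dest
    # Belt and braces: confirm the resolved target really stays under dest.
    dest_abs = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_abs, *norm.split("/")))
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        return None
    return norm


def triage_archive(data: bytes, dest: str = "unpack") -> Dict[str, Optional[str]]:
    """Map every member name to its safe relative path, or None if rejected."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: safe_member_path(i.filename, dest) for i in zf.infolist()}


def scan_in_memory(data: bytes, signature: bytes) -> List[str]:
    """Look for a byte signature without writing any member to disk, so the
    member's path never touches the filesystem at all."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                content = fh.read(MAX_MEMBER_BYTES)
            if signature in content:
                hits.append(info.filename)
    return hits


def safe_extract(data: bytes, dest: str) -> List[str]:
    """Extract only members that stay under dest; returns the paths written."""
    written: List[str] = []
    os.makedirs(dest, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            rel = safe_member_path(info.filename, dest)
            if rel is None or info.is_dir():
                continue                    # traversal attempt: skip and flag
            target = os.path.join(dest, *rel.split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst, length=64 * 1024)
            written.append(rel)
    return written


def run_demo() -> List[str]:
    """Extract the sample archive into a fresh temp dir and report what landed."""
    tmp = tempfile.mkdtemp(prefix="unpack-")
    try:
        return safe_extract(build_sample_zip(), tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_zip()
    for member, rel in triage_archive(sample).items():
        print(("OK   " if rel else "DROP ") + repr(member))
    print("signature hits:", scan_in_memory(sample, b"@echo evil"))
    print("written:", run_demo())
```

Note that modern zip libraries (Python's own zipfile.extract among them) already strip drive letters, leading slashes and ".." components; the explicit check is shown so the rejection is visible and auditable, since the whole point of the mail is that the unpacker, not the scanner, is what decided where a file ended up. The in-memory scan also avoids the race between "file written to C:\TEMP" and "file scanned" that a temp-dir design creates.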