[22084] in bugtraq
Re: SECURITY.NNOV: special devices access in multiple archivers
daemon@ATHENA.MIT.EDU (Andreas Marx)
Thu Aug 2 12:09:28 2001
Message-Id: <5.1.0.14.2.20010802102452.00aa7cb8@gega-it.de>
Date: Thu, 02 Aug 2001 11:11:44 +0200
To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
From: Andreas Marx <amarx@gega-it.de>
Cc: bugtraq@securityfocus.com
In-Reply-To: <196589117.20010713114939@SECURITY.NNOV.RU>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Hello,
we, the Anti-Virus Test Team at the University of Magdeburg, have looked at
this issue about problematic filenames like "AUX", "NUL" or ".." inside
archives now on 39 security-related programs like anti-virus scanners
(Norton, McAfee, CA, AntiVir, AVX, Kaspersky etc.) as well as anti-trojan
programs (Ants, Anti-Trojan, Tauscan, etc.). To make it short: Most programs
are not affected.
The first test includes file names like "NUL.EXE", "AUX.EXE", "LPT1.EXE"
and "CLOCK$.EXE" in archive files (please note that "NUL" and "NUL.EXE"
have exactly the same behaviour, we just used "EXE" to make sure a scanner
will really try to check this file in the archive). Archive types tested:
ZIP and ARJ.
Result: Only *one* program *crashes* (it is a nearly unknown and not widely
distributed anti-trojan scanner, vendor was notified about this issue) on
both ARJ and ZIP archives, most other programs are still able to find the
infected file (if they scan archives).
The second test includes file names like "../TEST.EXE" up to
"../../../../../TEST.EXE" in ZIP archives. No program drops the TEST.EXE
file somewhere on drive C:. All scanners that found the original (not
packed) file were still able to find the virus in the malformed archive.
Therefore, there is no "scanner drops possible infected files" (Bat/WinRip
issue) anymore - all vendors have fixed possible problems at least one year
ago. (We have tested older and newer versions of the programs on this issue.)
Therefore, there is no risk of scanning such malformed archives using av
programs. However, most current archivers (according to 3APA3A's report)
still have a problem - and a lot of other programs, too. We have verified this
during our test if the archives are really malformed. ;-) - Some crash on
files like "NUL.EXE", others drop files from the ZIP archive to "somewhere"
on the disc...
cheers,
Andreas
btw, our newest anti-virus scanner test for both Lotus Notes 4/5 and MS
Exchange 5.5/2000 Groupware is now available at http://www.av-test.org for
download and as an online representation ("interactive" tables and bar plots).
--
Andreas Marx <amarx@gega-it.de>, http://www.av-test.de
GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
Tel: 0391/6075466, Mobil: 0177/6133033, Fax: 0391/6075469
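
Added example, not part of the original message: a pre-extraction check that flags the two kinds of archive member names tested above (DOS device names such as "NUL.EXE", and "../" path components) in a ZIP file. The function names check_member, audit_zip and build_sample are hypothetical, and the sample archive is constructed in memory from the names quoted in the post.

```python
import io
import zipfile

# Added example (not from the post). DOS device names resolve in any directory,
# with or without an extension; CLOCK$ is taken from the post's test names.
RESERVED = {"CON", "PRN", "AUX", "NUL", "CLOCK$"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}


def check_member(name):
    """Return a reason string if the member name is unsafe, else None."""
    parts = name.replace("\\", "/").split("/")
    if name.startswith(("/", "\\")) or (len(parts[0]) == 2 and parts[0][1] == ":"):
        return "absolute path"
    for part in parts:
        if part == "..":
            return "parent-directory component"
        # Conservative: compare only the text before the first dot.
        stem = part.split(".")[0].rstrip(" ").upper()
        if stem in RESERVED:
            return f"reserved device name {stem}"
    return None


def audit_zip(data):
    """Map each unsafe member name in a ZIP (given as bytes) to its reason."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = check_member(info.filename)
            if reason:
                findings[info.filename] = reason
    return findings


def build_sample():
    """Constructed test archive using the member names from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("NUL.EXE", "docs/LPT1.EXE", "CLOCK$.EXE",
                     "../../TEST.EXE", "README.TXT"):
            zf.writestr(name, b"constructed placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in audit_zip(build_sample()).items():
        print(f"{member!r}: {why}")
```

An extractor would call audit_zip before writing anything to disk and refuse or rename the flagged members.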