[22212] in bugtraq


Re: SECURITY.NNOV: special devices access in multiple archivers

daemon@ATHENA.MIT.EDU (Andreas Marx)
Fri Aug 10 21:57:21 2001

Message-Id: <5.1.0.14.2.20010810184540.044c0be8@gega-it.de>
Date: Fri, 10 Aug 2001 19:07:03 +0200
To: "Juergen P. Meier" <bugtraq@jors.net>
From: Andreas Marx <amarx@gega-it.de>
Cc: yahoo <sai_ealcatraz@yahoo.com>, 3APA3A <3APA3A@SECURITY.NNOV.RU>,
        bugtraq@securityfocus.com
In-Reply-To: <20010804193211.B21047@jors.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

Hi,

>That's not entirely true, you can easily add such files using other Operating
>systems, that do not suffer from defective or braindead filename conventions.
>Zip archiving tools are available for a wide variety of unix systems, which
>allow creation and adding of files like NUL.EXE flawlessly ;)

OK, yes, you can add such files under Linux, for example. However, there is 
no solution (as far as I know) to add files like "../../test.exe", right? 
Paths with "normal" subdirs cause no problems (neither under Windows nor 
other OS). That was the major reason why we used a disk editor and not 
simply Linux.

>The testing of Windows based Antivirus products has to be done within
>windows. Although I would run them inside vmware or similar virtual boxen.

We used plain vanilla windows (why vmware?).

>Did you also test Unix based virus scanners? there are quite a few AV
>Products that have scanners running on Unix.

This was the reason why my answer is late - after we found that the desktop 
products passed the test very well, we tried Linux-based products as well 
as Notes (NT) and Exchange products (NT) - 23 different in total. In the 
default configuration, no program we have tested was vulnerable. Only in 
some special cases (very unlikely, but possible) and only in "integrated" 
products (all tested av-only software works fine) that use external 
archivers does the ".." bug exist.

This is really critical, but we have notified the producers and I'll post 
more info about this issue when a fix is released. Again: This bug can be 
exploited only in very, very unlikely situations. (It's not a useful 
configuration at all.)

But it is possible - and this is a really dangerous issue, since the 
programs with these problems run as root or as a system service with admin 
rights... (even the extraction programs) - it's trivial to replace a file 
on the server ( /etc/passwd or /etc/shadow as well as win.ini) for example 
- to get root or change (overwrite) the configuration of the programs.

An advisory will be released some days after the bugs were fixed - I expect 
it next week.

cheers,
Andreas

NEW: Notes 4/5 + Exchange 5.5/2000 AV Test -> http://www.av-test.org


-- 
Andreas Marx <amarx@gega-it.de>, http://www.av-test.de
GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
Tel: 0391/6075466, Mobil: 0177/6133033, Fax: 0391/6075469
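A defender-side check for the two archive entry problems discussed in this thread (".." traversal out of the extraction directory, and Windows special device names such as NUL.EXE), written here as an added example and not code from the original mail or from any of the tested products; the extraction directory /var/scan/extract and the in-memory test archive are constructed for illustration.

```python
import io
import ntpath
import posixpath
import zipfile
from typing import Optional

# Windows reserved device names; "NUL.EXE" still names the NUL device
# because only the part before the first dot is significant.
RESERVED_DEVICES = ({"CON", "PRN", "AUX", "NUL"}
                    | {f"COM{i}" for i in range(1, 10)}
                    | {f"LPT{i}" for i in range(1, 10)})


def entry_problem(name: str, dest: str = "/var/scan/extract") -> Optional[str]:
    """Return why an archive entry name must not be extracted under dest, or None."""
    dest = posixpath.normpath(dest)
    # Treat backslash-separated names the same way as "../../x".
    unix_name = name.replace("\\", "/")
    if unix_name.startswith("/") or ntpath.splitdrive(name)[0]:
        return "absolute path"
    # Resolve the entry relative to dest and require it to stay inside dest.
    target = posixpath.normpath(posixpath.join(dest, unix_name))
    if not (target == dest or target.startswith(dest + "/")):
        return "path traversal"
    # Any path component whose stem is a device name is refused, not only the last.
    for part in unix_name.split("/"):
        if part.split(".")[0].upper() in RESERVED_DEVICES:
            return "reserved device name"
    return None


def unsafe_entries(zf: zipfile.ZipFile, dest: str = "/var/scan/extract"):
    """List (entry name, reason) for every entry an extractor should refuse."""
    found = []
    for info in zf.infolist():
        problem = entry_problem(info.filename, dest)
        if problem:
            found.append((info.filename, problem))
    return found


def build_test_archive() -> zipfile.ZipFile:
    """Constructed test input: ZipInfo keeps entry names exactly as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("../../test.exe", "NUL.EXE", "sub/ok.txt"):
            zf.writestr(zipfile.ZipInfo(name), b"test")
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    for entry, reason in unsafe_entries(build_test_archive()):
        print(f"refusing {entry!r}: {reason}")
```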

