oss-sec mailing list archives
CVE request: TSK misrepresents "." files on FAT filesystems
From: Timo Warns <Warns () Pre-Sense DE>
Date: Sat, 1 Dec 2012 21:58:43 +0100
The Sleuth Kit misrepresents files named "." on FAT filesystems. An attacker could rename a file to "." to evade detection by a forensic analysis.

Affected is the current version 4.0.1. Older versions are probably affected as well. No patch is currently available.

The bug is tracked at
http://sourceforge.net/tracker/?func=detail&aid=3523019&group_id=55685&atid=477889

AFAICS, the bug was originally identified by Wim Bertels
http://sourceforge.net/mailarchive/forum.php?thread_name=1305739444.2355.35.camel%40zwerfkat&forum_name=sleuthkit-users

Further discussion is at
http://sourceforge.net/mailarchive/forum.php?thread_name=20120503111900.GL18142%40hauptmenue&forum_name=sleuthkit-users

The vulnerability is already exploited, for example, by the Flame malware (possibly unintentionally). Flame uses an encrypted SQLite-DB named "." for extraction of confidential files and for update distribution. An analyst may miss the file as the Sleuth Kit does not appropriately show the file.
http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/
http://blog.crysys.hu/2012/06/flame-usb-dot-file-confirmed/

Regards,
Timo
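The following is an added example for analysts, not code from The Sleuth Kit or from the original post: a small FAT directory-entry parser that reconstructs names from 8.3 and long-filename (LFN) records and then flags "."-named entries that cannot be legitimate dot directories (a regular file carrying the name ".", a "." entry with a nonzero size, or a "." entry in the root directory, which FAT never has). The directory data is constructed inline for the demonstration; the short alias `DOT~1` for the LFN case and the cluster numbers are assumptions, not values taken from Flame or the bug report.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE = 0x20
ATTR_LONG_NAME = 0x0F  # RO|HIDDEN|SYSTEM|VOLUME_ID marks an LFN record


@dataclass
class DirEntry:
    name: str
    attr: int
    size: int
    first_cluster: int
    deleted: bool


def short_name(raw11: bytes) -> str:
    """Render an 8.3 name field ("NOTES   TXT") as "NOTES.TXT"."""
    base = raw11[:8].rstrip(b" ")
    ext = raw11[8:11].rstrip(b" ")
    if base[:1] == b"\x05":  # 0x05 stands in for a leading 0xE5
        base = b"\xe5" + base[1:]
    name = base.decode("latin-1")
    return name + "." + ext.decode("latin-1") if ext else name


def parse_directory(data: bytes) -> List[DirEntry]:
    """Walk 32-byte FAT directory records, merging LFN records into the
    short entry that follows them."""
    entries: List[DirEntry] = []
    lfn_parts: Dict[int, str] = {}
    for off in range(0, len(data) - len(data) % 32, 32):
        rec = data[off:off + 32]
        first = rec[0]
        if first == 0x00:
            break  # end-of-directory marker
        attr = rec[11]
        if attr == ATTR_LONG_NAME:
            # LFN record: sequence number in byte 0 (bit 6 = last piece),
            # 13 UTF-16LE chars spread over bytes 1..10, 14..25, 28..31
            seq = first & 0x1F
            chars = rec[1:11] + rec[14:26] + rec[28:32]
            text = chars.decode("utf-16-le", errors="replace")
            lfn_parts[seq] = text.split("\x00", 1)[0]
            continue
        deleted = first == 0xE5
        name = short_name(rec[0:11])
        if lfn_parts and not deleted:
            name = "".join(lfn_parts[k] for k in sorted(lfn_parts))
        lfn_parts = {}
        hi = struct.unpack_from("<H", rec, 20)[0]
        lo = struct.unpack_from("<H", rec, 26)[0]
        size = struct.unpack_from("<I", rec, 28)[0]
        entries.append(DirEntry(name, attr, size, (hi << 16) | lo, deleted))
    return entries


def suspicious_dot_entries(entries: List[DirEntry], is_root: bool) -> List[Tuple[DirEntry, List[str]]]:
    """Flag "." / ".." entries that cannot be legitimate dot directories."""
    findings = []
    for e in entries:
        if e.deleted or e.name not in (".", ".."):
            continue
        reasons = []
        if is_root:
            reasons.append("dot entry in root directory (FAT root has none)")
        if not e.attr & ATTR_DIRECTORY:
            reasons.append("dot name on a non-directory entry")
        if e.size != 0:
            reasons.append("dot entry with nonzero size")
        if reasons:
            findings.append((e, reasons))
    return findings


# --- constructed sample directory (not real disk data) ---------------------
def make_entry(name11: bytes, attr: int, cluster: int, size: int) -> bytes:
    rec = bytearray(32)
    rec[0:11] = name11
    rec[11] = attr
    struct.pack_into("<H", rec, 20, cluster >> 16)
    struct.pack_into("<H", rec, 26, cluster & 0xFFFF)
    struct.pack_into("<I", rec, 28, size)
    return bytes(rec)


def lfn_checksum(name11: bytes) -> int:
    s = 0
    for b in name11:
        s = (((s & 1) << 7) + (s >> 1) + b) & 0xFF
    return s


def make_lfn(seq: int, text: str, last: bool, checksum: int) -> bytes:
    u = text.encode("utf-16-le")
    if len(text) < 13:
        u += b"\x00\x00"  # terminator, then 0xFFFF padding
    u = u.ljust(26, b"\xff")
    rec = bytearray(32)
    rec[0] = seq | (0x40 if last else 0)
    rec[1:11], rec[11], rec[13] = u[0:10], ATTR_LONG_NAME, checksum
    rec[14:26], rec[28:32] = u[10:22], u[22:26]
    return bytes(rec)


SAMPLE_DIR = (
    make_entry(b".          ", ATTR_DIRECTORY, 5, 0)        # legitimate "."
    + make_entry(b"..         ", ATTR_DIRECTORY, 0, 0)      # legitimate ".."
    + make_entry(b"NOTES   TXT", ATTR_ARCHIVE, 7, 1234)     # ordinary file
    + make_entry(b".          ", ATTR_ARCHIVE, 9, 4096)     # regular file named "."
    + make_lfn(1, ".", True, lfn_checksum(b"DOT~1      "))  # LFN-named "." file
    + make_entry(b"DOT~1      ", ATTR_ARCHIVE, 11, 2048)
    + bytes(32)                                             # end marker
)

if __name__ == "__main__":
    for entry, reasons in suspicious_dot_entries(parse_directory(SAMPLE_DIR), is_root=False):
        print(f"cluster {entry.first_cluster:>4} size {entry.size:>6}: {'; '.join(reasons)}")
```

The check deliberately keys on what the raw directory record says rather than on how any one tool displays the name, so it can be run over a directory dump from an image as a cross-check when a tool's listing looks clean.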
Current thread:
- CVE request: TSK misrepresents "." files on FAT filesystems Timo Warns (Dec 01)
- Re: CVE request: TSK misrepresents "." files on FAT filesystems Kurt Seifried (Dec 03)