Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SECURITY.NNOV: special devices access in multiple archivers

From: Andreas Marx <amarx () gega-it de>
Date: Fri, 10 Aug 2001 19:07:03 +0200
Hi,


Thats not entirely true, you can easily add such files using other Operating
systems, that do not suffer from defective or braindead filename conventions.
Zip archiving tools are available for a wide variety of unix systems, which
allow creation and adding of files like NUL.EXE flawlessly ;)
OK, yes, you can add such files under Linux, for example. However, there is no solution (as far as I know) to add files like "../../test.exe", right? Paths with "normal" subdirs causes no problems (neither under Windows nor other OS). That was the major reason why we used a disk editor and not simply Linux. 


The testing of Windows based Antivirus products has to be done within
windows. Although i would run them inside vmware or similar virtual boxen.


We used plain vanilla windows (why vmware?).


Did you also test Unix based virus scanners? there are quite a few AV
Products that have scanners running on Unix.
This was the reason why my answer is late - after we found that the desktop products passed the test very well, we tried Linux-based products as well as Notes (NT) and Exchange products (NT) - together 23 different. In the default configuration, no program we have tested was vulnerable. Only in some special cases (very unlikely, but possible) and only in "integrated" products (all tested av-only software works fine) that uses external archivers the ".." bug exists.
This is really critical, but we have notified the producers and I'll post more info's about this issue when a fix is released. Again: This bug can be exploited only in very, very unlikely situations. (It's not a useful configuration at all.)
But it is possible - and this is a really dangerous issue, since the programs with this problems runs at root or system service with admin rights... (even the extraction programs) - it's trivial to replace a file on the server ( /etc/passwd or /etc/shadow as well as win.ini) for example - to get root or change (overwrite) the configuration of the programs.
An advisory will be released some days after the bugs were fixed - I expect it next week. 

cheers,
Andreas

NEW: Notes 4/5 + Exchange 5.5/2000 AV Test -> http://www.av-test.org


--
Andreas Marx <amarx () gega-it de>, http://www.av-test.de
GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
Tel: 0391/6075466, Mobil: 0177/6133033, Fax: 0391/6075469
Previous By Date Next
Previous By Thread Next

Current thread: