oss-sec mailing list archives

CVE request: TSK misrepresents "." files on FAT filesystems


From: Timo Warns <Warns () Pre-Sense DE>
Date: Sat, 1 Dec 2012 21:58:43 +0100

The Sleuth Kit misrepresents files named "." on FAT filesystems. An
attacker could rename a file to "." to evade detection by a forensic
analysis.

Affected is the current version 4.0.1. Older versions are probably
affected as well.

No patch is currently available. The bug is tracked at
http://sourceforge.net/tracker/?func=detail&aid=3523019&group_id=55685&atid=477889

AFAICS, the bug was originally identified by Wim Bertels
http://sourceforge.net/mailarchive/forum.php?thread_name=1305739444.2355.35.camel%40zwerfkat&forum_name=sleuthkit-users

Further discussion is at
http://sourceforge.net/mailarchive/forum.php?thread_name=20120503111900.GL18142%40hauptmenue&forum_name=sleuthkit-users


The vulnerability is already exploited, for example, by the Flame
malware (possibly unintentionally). Flame uses an encrypted SQLite DB named
"." for extraction of confidential files and for update distribution.
An analyst may miss the file as the Sleuth Kit does not appropriately
show the file.

http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/
http://blog.crysys.hu/2012/06/flame-usb-dot-file-confirmed/

Regards, Timo
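As an added illustration (not part of Timo's post or of The Sleuth Kit's code), the check below walks raw FAT 8.3 directory entries and flags any entry named "." or ".." that breaks the FAT invariants for dot entries: they exist only as the first two slots of a subdirectory, carry the directory attribute and have file size 0. An analyst can run such a check over a directory's raw bytes to spot a regular file that was renamed to "." regardless of how a forensic tool renders it. The sample directory is constructed for the example; the function names are assumptions.

```python
import struct

ENTRY_SIZE = 32
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F  # long-file-name fragment: read-only|hidden|system|volume-id
# 8.3 name, attr, NTRes, crt tenth, crt time/date, acc date, clus hi, wrt time/date, clus lo, size
ENTRY_FORMAT = "<11sBBBHHHHHHHI"

def parse_entry(raw):
    """Decode one 32-byte FAT short-name directory entry into a dict."""
    name, attr, _, _, _, _, _, clus_hi, _, _, clus_lo, size = struct.unpack(ENTRY_FORMAT, raw)
    base, ext = name[:8].rstrip(b" "), name[8:].rstrip(b" ")
    fname = base.decode("latin-1") + ("." + ext.decode("latin-1") if ext else "")
    return {"name": fname, "attr": attr, "cluster": (clus_hi << 16) | clus_lo, "size": size}

def find_bogus_dot_entries(directory, is_root=False):
    """Return (slot, name, reasons, first cluster) for dot-named entries that break FAT's rules:
    '.' and '..' exist only as slots 0 and 1 of a subdirectory, with ATTR_DIRECTORY and size 0."""
    findings = []
    for slot in range(len(directory) // ENTRY_SIZE):
        raw = directory[slot * ENTRY_SIZE:(slot + 1) * ENTRY_SIZE]
        if raw[0] == 0x00:                                     # end-of-directory marker
            break
        if raw[0] == 0xE5 or raw[11] & ATTR_LFN == ATTR_LFN:   # deleted entry or LFN fragment
            continue
        e = parse_entry(raw)
        if not e["name"].startswith("."):
            continue
        reasons = []
        if is_root:
            reasons.append("dot entry in root directory")
        if e["name"] not in (".", ".."):
            reasons.append("8.3 name begins with '.'")
        if not (e["attr"] & ATTR_DIRECTORY):
            reasons.append("ATTR_DIRECTORY not set")
        if e["size"] != 0:
            reasons.append("non-zero file size %d" % e["size"])
        if (e["name"] == "." and slot != 0) or (e["name"] == ".." and slot != 1):
            reasons.append("not in slot 0/1")
        if reasons:
            findings.append((slot, e["name"], "; ".join(reasons), e["cluster"]))
    return findings

def make_entry(name11, attr, cluster, size):
    """Build a constructed entry (timestamps zeroed) for the sample data below."""
    return struct.pack(ENTRY_FORMAT, name11, attr, 0, 0, 0, 0, 0, cluster >> 16, 0, 0, cluster & 0xFFFF, size)

# Constructed subdirectory: valid '.' and '..', a normal file, then a regular file renamed to "."
SAMPLE_SUBDIR = b"".join([make_entry(b".          ", ATTR_DIRECTORY, 5, 0), make_entry(b"..         ", ATTR_DIRECTORY, 0, 0),
                          make_entry(b"README  TXT", 0x20, 6, 1234), make_entry(b".          ", 0x20, 7, 4096)]) + bytes(ENTRY_SIZE)
```

Running `find_bogus_dot_entries(SAMPLE_SUBDIR)` reports only slot 3, the archive-attribute file of 4096 bytes named ".", with its first cluster so the content can be carved directly.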

