oss-sec mailing list archives
Re: CVE request: TSK misrepresents "." files on FAT filesystems
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 03 Dec 2012 18:54:44 -0700
On 12/01/2012 01:58 PM, Timo Warns wrote:

The Sleuth Kit misrepresents files named "." on FAT filesystems. An attacker could rename a file to "." to evade detection by a forensic analysis.

Affected is the current version 4.0.1. Older versions are probably affected as well. No patch is currently available. The bug is tracked at
http://sourceforge.net/tracker/?func=detail&aid=3523019&group_id=55685&atid=477889

AFAICS, the bug was originally identified by Wim Bertels
http://sourceforge.net/mailarchive/forum.php?thread_name=1305739444.2355.35.camel%40zwerfkat&forum_name=sleuthkit-users

Further discussion is at
http://sourceforge.net/mailarchive/forum.php?thread_name=20120503111900.GL18142%40hauptmenue&forum_name=sleuthkit-users

The vulnerability is already exploited, for example, by the Flame malware (possibly unintendedly). Flame uses an encrypted SQLite-DB named "." for extraction of confidential files and for update distribution. An analyst may miss the file as the Sleuth Kit does not appropriately show the file.

http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/
http://blog.crysys.hu/2012/06/flame-usb-dot-file-confirmed/

Regards, Timo
Please use CVE-2012-5619 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
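A consistency check an analyst could run over a raw FAT directory cluster to catch the kind of "." entry described in this thread, given as an added example that is not from the thread or from The Sleuth Kit. It assumes the standard 32-byte FAT short-name directory entry layout; the function names, the heuristics and the sample bytes are constructed for illustration.

```python
import struct

ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F                      # long-file-name slot, not a real entry
DOT_NAME = b"." + b" " * 10          # "." as stored in the 11-byte 8.3 field

def suspicious_dot_entries(dir_bytes, is_root=False):
    """Return [(index, [reasons])] for "." entries that are not a plain self-link."""
    findings = []
    for idx in range(len(dir_bytes) // 32):
        entry = dir_bytes[idx * 32:(idx + 1) * 32]
        if entry[0] == 0x00:         # end-of-directory marker
            break
        attr = entry[11]
        if entry[0] == 0xE5 or attr & 0x3F == ATTR_LFN:
            continue                 # deleted entry or LFN slot
        if entry[:11] != DOT_NAME:
            continue
        size = struct.unpack_from("<I", entry, 28)[0]
        reasons = []
        if is_root:
            reasons.append("root directory has no '.' entry")
        elif idx != 0:
            reasons.append("not the first entry of the directory")
        if not attr & ATTR_DIRECTORY:
            reasons.append("directory attribute not set")
        if size != 0:
            reasons.append(f"non-zero file size ({size} bytes)")
        if reasons:
            findings.append((idx, reasons))
    return findings

def make_entry(name11, attr, cluster, size):
    """Build one constructed 32-byte short-name entry (sample data only)."""
    return struct.pack("<11sB8xH4xHI", name11, attr,
                       cluster >> 16, cluster & 0xFFFF, size)

# Constructed subdirectory: genuine "." and "..", a normal file, then a file named ".".
SAMPLE_DIR = b"".join([
    make_entry(DOT_NAME, 0x10, 5, 0),
    make_entry(b".." + b" " * 9, 0x10, 0, 0),
    make_entry(b"REPORT  TXT", 0x20, 9, 1200),
    make_entry(DOT_NAME, 0x20, 12, 4096),
]) + bytes(32)

if __name__ == "__main__":
    for idx, reasons in suspicious_dot_entries(SAMPLE_DIR):
        print(f"entry {idx}: " + "; ".join(reasons))
```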