CVE-2000-0119
CVSS 7.2
Published: 1999-12-22 00:00:00
Last modified: 2016-10-17 22:06:31

[Original] The default configurations for McAfee Virus Scan and Norton Anti-Virus virus checkers do not check files in the RECYCLED folder that is used by the Windows Recycle Bin utility, which allows attackers to store malicious code without detection.


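[CNNVD] Multiple Vendor Virus Scanner Recycle Bin Exclusion Vulnerability (CNNVD-199912-076)

A vulnerability exists in the default configurations of the McAfee VirusScan and Norton AntiVirus virus checkers. An attacker can exploit it to store malicious code without detection, because McAfee VirusScan and Norton AntiVirus do not check files in the Recycled folder of the Recycle Bin.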
        

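- CVSS (Base Score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]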

- CPE (Affected Platforms and Products)

cpe:/a:mcafee:virusscan McAfee VirusScan
cpe:/a:symantec:norton_antivirus Symantec Norton Antivirus

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0119
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0119
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199912-076
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=94936267131123&w=2
(UNKNOWN)  BUGTRAQ  20000130 Bypass Virus Checking

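- Vulnerability Information

Multiple Vendor Virus Scanner Recycle Bin Exclusion Vulnerability
High risk  Other
1999-12-22 00:00:00 2005-10-20 00:00:00
Remote / Local
A vulnerability exists in the default configurations of the McAfee VirusScan and Norton AntiVirus virus checkers. An attacker can exploit it to store malicious code without detection, because McAfee VirusScan and Norton AntiVirus do not check files in the Recycled folder of the Recycle Bin.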
        

- Advisories and Patches

Remove '\Recycled' from the exclusion list of your antivirus software.
Each vendor has a different mechanism for editing the exclusion list.

NAI / McAfee:
There is an 'Exclusions' tab in the settings. From there you can delete the entry for the '\Recycled' folder.

Symantec NAV2000:
There is no option in the interface to remove the Recycled folder from the exclusion list. To do this, you need to use a hex editor to remove the string from the 'exclude.dat' file. Max Vision has created an exclude.dat file with the Recycled folder removed; it is available at:
http://www.securityfocus.com/data/vulnerabilities/patches/exclude.dat
or
http://maxvision.net/nav/exclude.dat

Note: This patch will reset all other exclusion settings to the default values. See Max Vision's Bugtraq post (linked to in the 'credit' section) for more information.

- Vulnerability Information (19733)

McAfee 4.0, Network Associates for Windows NT 4.0.2/4.0.3 a, Norton AntiVirus 2000 Recycle Bin Exclusion (EDBID:19733)
windows local
1999-12-22 Verified
0 Neil Bortnak
N/A [Click to download]
McAfee VirusScan 4.0, Network Associates VirusScan for Windows NT 4.0.2/4.0.3 a, Symantec Norton AntiVirus 2000 Recycle Bin Exclusion Vulnerability

source: http://www.securityfocus.com/bid/956/info

Many commercial virus scanners for Windows platforms exclude the Recycled folder on the hard drive from their scans. The Recycled folder is where Win9x operating systems keep files that have been deleted via the GUI but not purged from the Recycle Bin. Files of any nature can be manually placed in the Recycled folder. Therefore, it is possible for any user or program to put code into that folder that will never be subject to virus scans.

Although WinNT makes use of a folder called 'Recycler' for similar purposes, many virus scanners for NT still have the 'Recycled' folder listed in the exclusions.

Note that other virus scanners than those listed under the 'info' tab may be vulnerable as well. 

This exploit will install a 'decoy' executable to the desktop, and install a file (winsetup.dll) containing an eicar.com virus signature into the Recycled folder. The hostile code is originally XORed with 25 to get it past active detection, but is then restored to its regular executable state after being placed into the recycled folder.

The zip file contains the executable exploit, and source for the installer and the decoy. 

http://www.exploit-db.com/sploits/19733.zip		

- Vulnerability Information

6269
Multiple Virus Scanner Recycle Bin Scan Bypass
Local Access Required Misconfiguration, Other
Loss of Confidentiality, Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability Description

One "feature" of virus scanning software permits attackers to hide malicious code in the "RECYCLED" directory. On vulnerable platforms, this means that users will not be notified of the presence of malware placed in this directory in the event that their machine is compromised. This could allow infected machines to continue to be used for malicious purposes that should otherwise be noticed and stopped.

- Timeline

1999-12-22 Unknown
2000-01-30 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related References

- Vulnerability Author

- Vulnerability Information

Multiple Vendor Virus Scanner Recycle Bin Exclusion Vulnerability
Failure to Handle Exceptional Conditions 956
Yes Yes
1999-12-22 12:00:00 2009-07-11 01:56:00
Originally posted to NTBugtraq by Neil Bortnak.

- Affected Software Versions

Symantec Norton AntiVirus 2000
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Network Associates VirusScan for Windows NT 4.0.3 a
Network Associates VirusScan for Windows NT 4.0.2
McAfee VirusScan 4.0
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
Symantec Norton AntiVirus 5.0
Symantec Norton AntiVirus 4.0 for NT
Cheyenne Inoculan for Windows NT 4.0

- Unaffected Software Versions

Symantec Norton AntiVirus 5.0
Symantec Norton AntiVirus 4.0 for NT
Cheyenne Inoculan for Windows NT 4.0

- Vulnerability Discussion

Many commercial virus scanners for Windows platforms exclude the Recycled folder on the hard drive from their scans. The Recycled folder is where Win9x operating systems keep files that have been deleted via the GUI but not purged from the Recycle Bin. Files of any nature can be manually placed in the Recycled folder. Therefore, it is possible for any user or program to put code into that folder that will never be subject to virus scans.

Although WinNT makes use of a folder called 'Recycler' for similar purposes, many virus scanners for NT still have the 'Recycled' folder listed in the exclusions.

Note that other virus scanners than those listed under the 'info' tab may be vulnerable as well.

- Exploit

This exploit will install a 'decoy' executable to the desktop, and install a file (winsetup.dll) containing an eicar.com virus signature into the Recycled folder. The hostile code is originally XORed with 25 to get it past active detection, but is then restored to its regular executable state after being placed into the recycled folder.

The zip file contains the executable exploit, and source for the installer and the decoy.

- Solution

Remove '\Recycled' from the exclusion list of your antivirus software.
Each vendor has a different mechanism for editing the exclusion list.

NAI / McAfee:
There is an 'Exclusions' tab in the settings. From there you can delete the entry for the '\Recycled' folder.

Symantec NAV2000:
There is no option in the interface to remove the Recycled folder from the exclusion list. To do this, you need to use a hex editor to remove the string from the 'exclude.dat' file. Max Vision has created an exclude.dat file with the Recycled folder removed; it is available at:
http://www.securityfocus.com/data/vulnerabilities/patches/exclude.dat
or
http://maxvision.net/nav/exclude.dat

Note: This patch will reset all other exclusion settings to the default values. See Max Vision's Bugtraq post (linked to in the 'credit' section) for more information.

- Related References
