CVE-2004-0552
CVSS 7.5
Published: 2004-11-03 00:00:00
Revised: 2008-09-05 16:38:44

[Original] Sophos Small Business Suite 1.00 on Windows does not properly handle files whose names contain reserved MS-DOS device names such as (1) LPT1, (2) COM1, (3) AUX, (4) CON, or (5) PRN, which can allow malicious code to bypass detection when it is installed, copied, or executed.


[CNNVD] Sophos Small Business Suite Reserved Device Name Handling Vulnerability (CNNVD-200411-012)

        Sophos Small Business Suite is a desktop and server anti-virus solution aimed at small businesses.
        It mishandles files and directories whose names are reserved MS-DOS device names (LPT1, COM1, AUX, CON, PRN and so on): the on-demand, on-access and e-mail scanners fail to detect malicious code that is stored in, or named as, such a file. A remote attacker can use this to deliver a malicious program to the target system without it being detected.
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely information disclosure]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [reduced performance or interrupted access to resources]
Access complexity: LOW [no special access conditions required]
Access vector: [--]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0552
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0552
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-012
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/17468
(VENDOR_ADVISORY)  XF  sophos-business-security-bypass(17468)
http://www.seifried.org/security/advisories/kssa-005.html
(VENDOR_ADVISORY)  MISC  http://www.seifried.org/security/advisories/kssa-005.html
http://www.idefense.com/application/poi/display?id=143&type=vulnerabilities
(UNKNOWN)  IDEFENSE  20040922 Sophos Small Business Suite Reserved Device Name Handling Vulnerability

- Vulnerability information

Sophos Small Business Suite Reserved Device Name Handling Vulnerability
High risk    Design error
2004-11-03 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Vendor patch:
        Sophos
        ------
        Sophos Anti-Virus 3.86 includes the fix:
        
        http://www.sophos.com/

- Vulnerability information (24623)

Sophos Anti-Virus 3.x Reserved MS-DOS Name Scan Evasion Vulnerability (EDBID:24623)
windows remote
2004-09-22 Verified
Kurt Seifried
N/A
source: http://www.securityfocus.com/bid/11236/info

Sophos Anti-Virus is affected by a reserved MS-DOS name virus scan evasion vulnerability. This issue is due to a design error that allows certain files to avoid being scanned.

An attacker may leverage this issue to bypass the scanner protection provided by the vulnerable anti-virus scanner, giving users a false sense of security. It is reported that this issue can be leveraged to bypass both file system and email virus scanners, allowing this issue to be exploited remotely.

copy source \\.\C:\aux

- Vulnerability information (F34463)

iDEFENSE Security Advisory 2004-09-22.t (PacketStormID:F34463)
2004-09-29 00:00:00
Kurt Seifried,iDefense Labs  idefense.com
advisory,remote
CVE-2004-0552

iDEFENSE Security Advisory 09.22.04 - Remote exploitation of a design vulnerability in version 1.00 of Sophos Plc.'s Small Business Suite allows malicious code to evade detection.

Sophos Small Business Suite Reserved Device Name Handling Vulnerability

iDEFENSE Security Advisory 09.22.04
www.idefense.com/application/poi/display?id=143&type=vulnerabilities
September 22, 2004

I. BACKGROUND

Sophos Small Business Suite includes the Sophos PureMessage Small
Business Edition, combining virus and spam protection for the email
gateway, and Sophos Anti-Virus Small Business Edition, which offers
desktop and server defense against the virus threat.

II. DESCRIPTION

Remote exploitation of a design vulnerability in version 1.00 of Sophos
Plc.'s Small Business Suite allows malicious code to evade detection.

The problem specifically exists in attempts to scan files and
directories named as reserved MS-DOS devices. These represent devices
such as the first printer port (LPT1) and the first serial communication
port (COM1). Sample reserved MS-DOS device names include AUX, CON, PRN,
COM1 and LPT1.

If malicious code embeds itself within a reserved device name, it can
avoid detection by Small Business Suite when the system is scanned.
Malicious code can also potentially use reserved device names to bypass
e-mail scanning, thereby potentially delivering hostile payloads to
users. Small Business Suite will scan the files and folders containing
the virus and fail to detect or report them. Real-time protection
against malicious code is also affected; if a malicious code is copied
from a file named using a reserved MS-DOS device name to another file
also named using a reserved MS-DOS device name, Small Business Suite
will not detect it.

It may also be possible for malicious code to execute without detection
from files named using reserved MS-DOS device names. Such files can be
created with standard Windows utilities by prefixing the full path with
\\.\ (the Win32 device namespace prefix; the advisory refers to this as a
Universal Naming Convention (UNC) path). The following command will
successfully copy a file to the reserved device name 'aux' on the C:\
drive:

copy source \\.\C:\aux

III. ANALYSIS

Exploitation allows remote attackers to launch malicious code that can
evade detection. Remote attackers can unpack or decode an otherwise
detected malicious payload in a stealth manner. Exploitation may allow
attackers to bypass e-mail filters, thereby increasing the propensity of
a target user executing a malicious attachment.

Files and directories using reserved MS-DOS device names can be removed
by specifying the full Universal Naming Convention (UNC) path. The
following command will successfully remove a file stored on the C:\
drive named 'aux':

del \\.\C:\aux

IV. DETECTION

Sophos Small Business Suite 1.00 is confirmed affected. Earlier versions
reportedly crash upon the parsing of files or directories employing
reserved MS-DOS device names.

V. WORKAROUND

Explicitly block file attachments that use reserved MS-DOS device names.
Ensure that no local files or directories using reserved MS-DOS device
names exist. On most modern Windows systems, reserved MS-DOS device
names should not be present. While the Windows search utility can be
used to locate offending files and directories, either a separate tool
or the specification of Universal Naming Convention (UNC) should be used
to remove them.

VI. VENDOR RESPONSE

"LPT1, LPT2, COM1 etc are reserved by the operating system for devices.
Despite this, Windows will allow these strings to be used as file names
and when such files are accessed, the operating system attempts to treat
them as devices rather than files except under the circumstances you
have outlined.

Although this vulnerability has never been exploited by a virus it could
theoretically be used to contain viral code. Sophos has improved its
code within both its on-access and on-demand scanners to deal with these
improperly named files as files and not devices.

This improvement to Sophos Anti-Virus will be included in version 3.86
(available 22/09/04)."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0552 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/06/2004   Initial vendor notification
08/06/2004   iDEFENSE clients notified
08/09/2004   Initial vendor response
09/22/2004   Coordinated public disclosure

IX. CREDIT

Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
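The following Python script is an added example and is not code from Sophos, iDEFENSE or the original page. It implements, in one place, the check that sections II, III and V of the advisory above (and the CNNVD summary) describe in prose: deciding whether a file, directory or attachment name is a reserved MS-DOS device name the way Win32 does it (case-insensitive, on the part before the first dot, after trailing dots and spaces are stripped), locating such entries in a directory listing, building the \\.\ device-namespace path needed to address or delete them, and filtering a MIME message for attachments that use such names, which is the e-mail gateway workaround. The directory listing and the e-mail are constructed test data; the reserved-name set is the classic Win32 list (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), which newer Windows releases extend. The function and constant names are the example's own.

```python
"""Locate and filter names Windows treats as reserved MS-DOS devices.

Added example for CVE-2004-0552; not code from Sophos or iDEFENSE. The
directory listing and the e-mail below are constructed test data.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Iterable, List

# Classic Win32 reserved device names (newer Windows releases add a few more,
# such as COM0/LPT0 and superscript-digit variants; extend the set if needed).
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def is_reserved_device_name(name: str) -> bool:
    """True if Win32 would open this file or directory name as a device.

    The comparison is case-insensitive and made on the part before the first
    '.', after trailing dots and spaces are stripped, so 'aux', 'AUX.txt' and
    'com1.tar.gz' are reserved while 'aux1', 'auxiliary.txt' and '.con' are not.
    """
    stem = name.rstrip(" .").split(".", 1)[0]
    return stem.upper() in RESERVED_DEVICE_NAMES


def find_reserved_entries(listing: Iterable[str]) -> List[str]:
    """Paths in a directory listing that contain any reserved component.

    A reserved directory name matters as much as a file name: the advisory
    notes the scanner also skipped the contents of such folders.
    """
    hits = []
    for path in listing:
        components = [c for c in re.split(r"[\\/]", path) if c]
        if any(is_reserved_device_name(c) for c in components):
            hits.append(path)
    return hits


def device_namespace_path(win_path: str) -> str:
    r"""Prefix an absolute Windows path with \\.\ so it is addressed by name.

    This is the form used by 'copy source \\.\C:\aux' and 'del \\.\C:\aux'
    (a Win32 device-namespace path; the advisory calls it a UNC path).
    """
    if win_path.startswith("\\\\"):
        return win_path
    return "\\\\.\\" + win_path


def reserved_attachment_names(raw_message: bytes) -> List[str]:
    """Attachment file names a mail gateway should block under the workaround."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [
        part.get_filename()
        for part in msg.walk()
        if part.get_filename() and is_reserved_device_name(part.get_filename())
    ]


# Constructed sample directory listing (not taken from a real system).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Downloads\aux",       # what 'copy source \\.\C:\aux' leaves
    r"C:\temp\COM1.exe",
    r"C:\temp\lpt1\dropper.exe",           # hidden by a reserved directory name
    r"C:\temp\auxiliary.txt",              # prefix only; not reserved
    r"C:\temp\.con",                       # empty stem; not reserved
]


def build_sample_message() -> bytes:
    """Constructed mail: one ordinary attachment, one named after a device."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ sample", maintype="application",
                       subtype="octet-stream", filename="aux.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in find_reserved_entries(SAMPLE_LISTING):
        print(f"reserved name on disk: {hit}  (address it as {device_namespace_path(hit)})")
    for name in reserved_attachment_names(build_sample_message()):
        print(f"blocked attachment: {name}")
```

On a real host the listing would come from walking the volume; the \\.\ path is only needed for the create and delete steps, and \\?\ works equally well there (it additionally disables the remaining Win32 path normalisation). Checking every path component, not just the file name, is what catches the case the advisory describes where a whole folder is skipped.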
    

- Vulnerability information (OSVDB 10225)

Sophos Anti-Virus Reserved DOS Name Scan Failure
Loss of Integrity

- Timeline

2004-09-22 Unknown

- Solution

Products: Unknown or Incomplete

- Vulnerability author

Unknown or Incomplete

- Vulnerability information (BID 11236)

Sophos Anti-Virus Reserved MS-DOS Name Scan Evasion Vulnerability
Design Error 11236
Remote: Yes  Local: No
2004-09-22 12:00:00 2009-07-12 07:06:00
Kurt Seifried <kurt@seifried.org> is credited with this discovery.

- Affected versions

Sophos Small Business Suite 1.0
+ Sophos Anti-Virus 3.85
+ Sophos Anti-Virus 3.84
+ Sophos Anti-Virus 3.83
+ Sophos Anti-Virus 3.82
+ Sophos Anti-Virus 3.81
+ Sophos Anti-Virus 3.80
Sophos Anti-Virus 3.85
Sophos Anti-Virus 3.84
Sophos Anti-Virus 3.83
Sophos Anti-Virus 3.82
Sophos Anti-Virus 3.81
Sophos Anti-Virus 3.80
Sophos Anti-Virus 3.79
Sophos Anti-Virus 3.78 d
Sophos Anti-Virus 3.78

- Unaffected versions

Sophos Anti-Virus 3.86


- Exploit

No exploit is required to leverage this issue. A file with a reserved MS-DOS device name can be created by copying to the path with the \\.\ device-namespace prefix (often described as a UNC path), as in the following command (in this example, AUX is the target device name):

copy source \\.\C:\aux

- Solution

The vendor has reported that a new version of the affected software has been released. Please contact the vendor for information on obtaining the upgrade.
