CVE-2004-0920
CVSS 5.0
Published: 2004-11-03 00:00:00
Last modified: 2008-09-05 16:39:47

[Original] Symantec Norton AntiVirus 2004, and earlier versions, allows a virus or other malicious code to avoid detection or cause a denial of service (application crash) using a filename containing an MS-DOS device name.


[CNNVD] Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability (CNNVD-200411-016)

        
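        Symantec Norton AntiVirus is a powerful antivirus program.
        Symantec Norton AntiVirus has a problem handling reserved device names; a remote attacker can exploit this vulnerability to bypass malicious code checks.
        The problem exists when scanning files and directories that use MS-DOS reserved devices. If a virus stores itself under a reserved device name, it can evade checking when the system is scanned with Symantec Norton AntiVirus. An attacker can use standard Windows tools, specifying a UNC path, to create a reserved device name, for example: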
        copy source \\.\C:\aux
        

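- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]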

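- CPE (Affected Platforms and Products)

Product and version information (CPE) is not yet available

- OVAL (Technical Details for Detection)

No related OVAL definition found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0920
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0920
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-016
(Official data source) CNNVD

- Other Links and Resources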

http://xforce.iss.net/xforce/xfdb/17603
(VENDOR_ADVISORY)  XF  nav-antivirus-security-bypass(17603)
http://www.seifried.org/security/advisories/kssa-010.html
(UNKNOWN)  MISC  http://www.seifried.org/security/advisories/kssa-010.html
http://www.idefense.com/application/poi/display?id=147&type=vulnerabilities
(UNKNOWN)  IDEFENSE  20041005 Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

- Vulnerability Information

Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability
Medium risk  Design error
2004-11-03 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and Patches

        Vendor patch:
        Symantec
        --------
        Upgrade using Symantec Norton LiveUpdate:
        
        http://www.symantec.com

- Vulnerability Information (F34591)

iDEFENSE Security Advisory 2004-10-05.b (PacketStormID:F34591)
2004-10-13 00:00:00
iDefense Labs  idefense.com
advisory,remote
CVE-2004-0920

iDEFENSE Security Advisory 10.05.04b - Remote exploitation of design vulnerability in Symantec's Norton AntiVirus allows malicious code to evade detection.

Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

iDEFENSE Security Advisory 10.05.04b:
www.idefense.com/application/poi/display?id=147&type=vulnerabilities
October 5, 2004

I. BACKGROUND

Symantec's Norton AntiVirus protects email, instant messages, and other
files by automatically removing viruses, worms, and Trojan horses. More
information about the product is available from http://www.symantec.com

II. DESCRIPTION

Remote exploitation of design vulnerability in Symantec's Norton
AntiVirus allows malicious code to evade detection.

The problem specifically exists in attempts to scan files and
directories named as reserved MS-DOS devices. Reserved MS-DOS device
names are a holdover from the original days of Microsoft DOS. The
reserved MS-DOS device names represent devices such as the first printer
port (LPT1) and the first serial communication port (COM1). Sample
reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1. If a
virus stores itself in a reserved device name it can avoid detection by
Symantec Norton AntiVirus when the system is scanned. Symantec Norton
AntiVirus will scan the files and folders containing the virus and fail
to detect or report them. Reserved device names can be created with
standard Windows utilities by specifying the full Universal Naming
Convention (UNC) path. The following command will successfully copy a
file to the reserved device name 'aux' on the C:\ drive:

    copy source \\.\C:\aux

III. ANALYSIS

Exploitation allows attackers to evade detection of malicious code.
Attackers can unpack or decode an otherwise detected malicious payload
in a stealth manner.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in the latest
version of Norton AntiVirus. It is reported that earlier versions crash
upon parsing files or directories using reserved MS-DOS device names.

V. WORKAROUND

Ensure that no local files or directories using reserved MS-DOS device
names exist. On most modern Windows systems there should be no reserved
MS-DOS device names present. While the Windows search utility can be
used to locate offending files and directories, either a separate tool
or the specification of Universal Naming Convention (UNC) must be used
to remove them. The following command will successfully remove a file
stored on the C:\ drive named 'aux':

    del \\.\C:\aux

VI. VENDOR RESPONSE

"Symantec engineers have developed a fix for this issue for Symantec
Norton AntiVirus 2004 that is currently available through LiveUpdate.
The fix is being incorporated into all other supported Symantec Norton
AntiVirus versions and will be available through LiveUpdate when fully
tested and released."

More information is available in Symantec Security Advisory SYM04-015.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2004-0920 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

05/12/2004   Vulnerability acquired by iDEFENSE
06/25/2004   iDEFENSE clients notified
06/29/2004   Initial vendor notification
06/30/2004   Initial vendor response
10/05/2004   Coordinated public disclosure

IX. CREDIT

Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


- Vulnerability Information

10509
Multiple Anti-Virus MS-DOS Device Name Scan Bypass
Local Access Required Other
Impact Unknown
Exploit Public Vendor Verified

- Vulnerability Description

Norton AntiVirus contains a flaw that may allow malicious files to bypass scanning. The issue is triggered when malware uses a MS-DOS Device based name such as AUX, CON, PRN, COM1 and LPT1. It is possible that the flaw may allow malware to evade scans resulting in a loss of integrity.

- Timeline

2004-10-05 2004-06-25
2004-10-05 2004-10-05

- Solution

Symantec has released a patch to address this vulnerability, available via LiveUpdate. Furthermore, it is possible to correct the flaw by implementing the following workaround: 1.) Ensure that no local files or directories using reserved MS-DOS device names exist. 2.) Use 'del \\.\C:\aux' to delete those files if they exist (e.g. aux).
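A check for step 1 of the workaround, as an added example that is not part of the advisory or any Symantec tooling: it flags paths in a file listing whose components are reserved MS-DOS device names and returns the `\\.\` form needed for step 2. The function names and the sample listing are constructed for illustration, and the name list beyond the advisory's samples (NUL, COM2-9, LPT2-9) is an assumption based on the Win32 file-naming rules.

```python
import re

# Reserved MS-DOS device names. The advisory names AUX, CON, PRN, COM1 and
# LPT1 as samples; NUL, COM2-9 and LPT2-9 are added here as an assumption
# based on the Win32 file-naming rules.
_RESERVED = re.compile(r"(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])", re.IGNORECASE)

# Constructed sample listing, e.g. the output of a recursive directory listing.
SAMPLE_LISTING = [
    r"C:\Windows\notepad.exe",
    r"C:\aux",
    r"C:\Users\demo\Downloads\LPT1.txt",
    r"C:\temp\con\data.bin",
    r"C:\docs\auxiliary.doc",
    r"C:\docs\COM10.log",
]


def is_reserved_component(name):
    # Win32 drops trailing dots/spaces and ignores any extension, so
    # 'aux', 'AUX.txt' and 'aux .' all resolve to the AUX device.
    base = name.split(".", 1)[0].rstrip(" ")
    return bool(_RESERVED.fullmatch(base))


def device_namespace_path(path):
    # Same path in the \\.\ form the advisory uses with copy and del.
    prefix = "\\\\.\\"
    return path if path.startswith(prefix) else prefix + path


def find_reserved(paths):
    # Return (path, offending component, \\.\ form) for every flagged path.
    hits = []
    for path in paths:
        for part in re.split(r"[\\/]", path):
            if is_reserved_component(part):
                hits.append((path, part, device_namespace_path(path)))
                break  # one hit per path is enough to report it
    return hits


if __name__ == "__main__":
    for path, part, dos_path in find_reserved(SAMPLE_LISTING):
        print(f"{path}: component {part!r} is reserved; address it as {dos_path}")
```

Directories are flagged as well as files (the `con` directory above), since the advisory covers both.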

- Related References

- Vulnerability Author

- Vulnerability Information

Symantec Norton AntiVirus MS-DOS Name Scan Evasion Vulnerability
Design Error 11328
Yes No
2004-10-05 12:00:00 2009-07-12 07:06:00
Discovery is credited to Kurt Seifried.

- Affected Program Versions

Symantec Norton AntiVirus 2005 Professional Edition
Symantec Norton AntiVirus 2005
Symantec Norton AntiVirus 2004 Professional Edition
Symantec Norton AntiVirus 2004
Symantec Norton AntiVirus 2003 Professional Edition
Symantec Norton Antivirus 2003 0
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional

- Vulnerability Discussion

Norton AntiVirus is affected by a scan evasion vulnerability when handling files with MS-DOS reserve device names. This issue is due to a design error that allows the files to avoid being scanned. It should be noted that this vulnerability only arises once the file is already present on a vulnerable computer. All Norton AntiVirus products are able to detect malicious files through incoming email.

- Exploit

An exploit is not required to leverage this issue.

- Solution

Symantec has released fixes to address this issue. Customers may download updates through Symantec LiveUpdate. Further information is available in the Symantec advisory specified in Web references.

- Related References

 

 
