OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Andreas Marx (amarxgega-it.de)
Date: Fri Aug 10 2001 - 12:07:03 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hi,

    >Thats not entirely true, you can easily add such files using other Operating
    >systems, that do not suffer from defective or braindead filename conventions.
    >Zip archiving tools are available for a wide variety of unix systems, which
    >allow creation and adding of files like NUL.EXE flawlessly ;)

    OK, yes, you can add such files under Linux, for example. However, there is
    no solution (as far as I know) to add files like "../../test.exe", right?
    Paths with "normal" subdirs causes no problems (neither under Windows nor
    other OS). That was the major reason why we used a disk editor and not
    simply Linux.

    >The testing of Windows based Antivirus products has to be done within
    >windows. Although i would run them inside vmware or similar virtual boxen.

    We used plain vanilla windows (why vmware?).

    >Did you also test Unix based virus scanners? there are quite a few AV
    >Products that have scanners running on Unix.

    This was the reason why my answer is late - after we found that the desktop
    products passed the test very well, we tried Linux-based products as well
    as Notes (NT) and Exchange products (NT) - together 23 different. In the
    default configuration, no program we have tested was vulnerable. Only in
    some special cases (very unlikely, but possible) and only in "integrated"
    products (all tested av-only software works fine) that uses external
    archivers the ".." bug exists.

    This is really critical, but we have notified the producers and I'll post
    more info's about this issue when a fix is released. Again: This bug can be
    exploited only in very, very unlikely situations. (It's not a useful
    configuration at all.)

    But it is possible - and this is a really dangerous issue, since the
    programs with this problems runs at root or system service with admin
    rights... (even the extraction programs) - it's trivial to replace a file
    on the server ( /etc/passwd or /etc/shadow as well as win.ini) for example
    - to get root or change (overwrite) the configuration of the programs.

    An advisory will be released some days after the bugs were fixed - I expect
    it next week.

    cheers,
    Andreas

    NEW: Notes 4/5 + Exchange 5.5/2000 AV Test -> http://www.av-test.org 

    -- 
Andreas Marx <amarxgega-it.de>, http://www.av-test.de
GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
Tel: 0391/6075466, Mobil: 0177/6133033, Fax: 0391/6075469