Kurt Seifried Security Advisory 005 (KSSA-005)

Created by Kurt Seifried, [email protected]

http://www.seifried.org/security/advisories/kssa-005.html, [email protected]

Version 1.0 – 1/10/2004


Title: MS-DOS Reserved Device Name Vulnerability In Sophos Anti-Virus

Multiple antivirus products, such as Sophos Small Business Suite antivirus fail to properly access and scan files and directories that use reserved MS-DOS device names. Sophos Small Business Suite antivirus on access scanner can also fail in some situations, allowing viruses to replicate.

CVE / CERT / BID / Other identifiers:

CVE: CAN-2004-0552

Issue date:

1/10/2004

Who should read this advisory:

Anyone using Sophos Small Business Suite antivirus, or other antivirus products that may be affected. Please note that not all antivirus products are vulnerable, however extensive testing has not yet been conducted against all available antivirus products (as there are several).

Author and contact info:

This advisory is copyright 2004, Kurt Seifried, [email protected], http://www.seifried.org/

Overview:

MS-DOS reserved device names are a hold over from the original days of Microsoft DOS. The reserved MS-DOS device names represent devices, such as lpt1 (the first printer port), com1 (the first serial communication port) and so on. These names are resered for devices, and normally files and directories cannot be named with these reserved names. Many products such as backup software and antivirus software do not deal properly with reserved MS-DOS device names.

Affected software:

Sophos Small Business Suite antivirus is confirmed vulnerable, other Sophos products are affected as well.

Impact:

A virus/trojan/malcode can avoid detection on a system normally protected by Sophos Small Business Suite antivirus. Sophos will stall (stops scanning) when it encounters an MS-DOS reserved device name directory containing an MS-DOS reserved filename. Backdoors and other spyware can avoid detection by using reserved MS-DOS device names. Additionally when certain filenames are used, such as “lpt1” and “prn” a virus can be copied without being detected by the on access scanner (read or write). Virus execution may be able to bypass real-time detection if it launches from an MS-DOS reserved device name.

Details:

On Windows 2000 and XP for example if you execute the command:

C:\> mkdir aux

You will receive the error message:

The directory name is invalid

However if you use a Universal Naming Convention (UNC) path name to create the directory Windows will allow it:

C:\> mkdir \\.\C:\aux

This also applies to copying and moving files that use reserved MS-DOS device names.

By placing the virus in a file that uses a reserved MS-DOS device name, or by placing the virus in a file that uses a reserved MS-DOS device name it is possible to avoid detection by Sophos Small Business Suite antivirus (and other products).

Take a copy of the eicar.com file (or another virus) and copy it into a reserved MS-DOS device name:

copy eicar.com \\.\C:\aux

Then attempt to scan the file, normally antivirus software would detect it immediately, however in this case it will not be detected.

If you right click on a file that uses a reserved MS-DOS device name that contains a virus and choose “Scan with Norton AntiVirus” it will fail, possibly with the error message

"Unable to open the file <file name>. The file is in use by another application or you don't have permission to open the file." (3019,2)

Sophos Small Business Suite antivirus appears to be most vulnerable to this problem during a full system scan, on demand scanning appears the least vulnerable (once the file is accessed it is usually detected) and right clicking on a directory has varrying degrees of success, from no detection to successful detection and removal. Sophos Small Business Suite antivirus appears vulnerable to reserved device names with and without extensions such as “.exe”.

Some MS-DOS reserved device name extensions include:

Testing was done on both Windows 2000 and XP with essentially the same results in all cases.

Solutions and workarounds:

Ensure that no directories or files using reserved MS-DOS device names are in use.

Additional information:

This vulnerability eixsts in a number of products, and more generic MS-DOS reserved device name issues exist in other software, ranging from the Apache HTTPD server on Windows to email clients and backup software.

References:

None

http://support.microsoft.com/default.aspx?scid=kb;en-us;103168

A note on eicar.com

Please note that although many people consider the “legitimate” eicar.com test virus should only be detected when it is in a file names eicar.com Sophos Small Business Suite antivirus will detect it regardless of the filename and extension.

History:

July 2004 – Vendor notified via iDEFENSE

Other acknowledgements / thanks / greetings / information:

None

URL for advisory, signature and keys:

http://www.seifried.org/security/advisories/kssa-005.html

http://www.seifried.org/security/advisories/kssa-005.html.asc




Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the bulletin is not edited or changed in any way, is attributed to Kurt Seifried [email protected], and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Kurt Seifried [email protected] is not liable for any misuse of this information by any third party.


Last updated 1/10/2004

Copyright Kurt Seifried 2004