Kurt Seifried Security Advisory 010 (KSSA-010)

Created by Kurt Seifried, [email protected]

http://seifried.org/security/advisories/kssa-010.html, [email protected]

Version 1.0 – 01/10/2004


Title: MS-DOS Reserved Device Name Vulnerability In Symantec Norton Anti-Virus

Multiple antivirus products, such as Symantec Norton AntiVirus 9.05.15 fail to properly access and scan files and directories that use reserved MS-DOS device names.

CVE / CERT / BID / Other identifiers:

CVE: CAN-2004-0920

Issue date:

1/10/2004

Who should read this advisory:

Anyone using Symantec Norton AntiVirus, or other antivirus products that may be affected. Please note that not all antivirus products are vulnerable; however, extensive testing has not yet been conducted against all available antivirus products (as there are several dozen).

Author and contact info:

This advisory is copyright 2004, Kurt Seifried, [email protected], http://www.seifried.org/

Overview:

MS-DOS reserved device names are a holdover from the original days of Microsoft DOS. The reserved MS-DOS device names represent devices, such as “lpt1” (the first printer port), “com1” (the first serial communication port) and so on. These names are reserved for devices, and normally files and directories cannot be named with these reserved names. Many products such as backup software and antivirus software do not deal properly with reserved MS-DOS device names. Please note that these reserved names can also have extensions such as “.exe”; with such extensions the same problems occur in most cases.

Affected software:

Symantec Norton AntiVirus 2003 and 2004 are confirmed vulnerable, other Symantec products are affected as well.

Impact:

A virus/trojan/malcode can avoid detection on a system normally protected by Symantec Norton AntiVirus. Back doors and other spyware can avoid detection by using reserved MS-DOS device names. During full system scans Symantec Norton AntiVirus will not detect known viruses, informing the user that no viruses are present.

Details:

On Windows 2000 and XP for example if you execute the command:

C:\> mkdir prn

You will receive the error message:

The directory name is invalid

However if you use a Universal Naming Convention (UNC) path name to create the directory Windows will allow it:

C:\> mkdir \\.\C:\prn

This also applies to copying and moving files that use reserved MS-DOS device names.

By placing the virus in a file that uses a reserved MS-DOS device name, or by placing the virus in a directory that uses a reserved MS-DOS device name, it is possible to avoid detection by Symantec Norton AntiVirus (and other products).

Take a copy of the eicar.com file (or another virus) and copy it to a file that uses a reserved MS-DOS device name:

copy eicar.com \\.\C:\prn

Then attempt to scan the file. Normally antivirus software would detect it immediately; however, in this case it will not be detected.

If you right click on a file that uses a reserved MS-DOS device name that contains a virus and choose “Scan with Norton AntiVirus” it will fail, possibly with the error message

"Unable to open the file <file name>. The file is in use by another application or you don't have permission to open the file." (3019,2)

Symantec Norton AntiVirus appears to have particular problems with “prn” and “lpt1”, in some cases the scanner will detect and remove other filenames such as “lpt2”, “lpt3” and “com1”.

Symantec Norton AntiVirus appears to be most vulnerable to this problem during a full system scan. On demand scanning appears the least vulnerable (once the file is accessed it is usually detected), and right clicking on a directory has varying degrees of success, from no detection to successful detection and removal. Symantec Norton AntiVirus appears vulnerable to reserved device names with and without extensions such as “.exe”.



Detection results by file name and scan type ("Yes" = detected; empty cells are as in the original test table):

File name / Action      System scan    Scan directory    File Access / On demand
D:\eicar.com            Yes            Yes               Yes
D:\prn                                                   Yes
D:\prn.exe                                               Yes
D:\prn\eicar.com                       No                Yes
D:\prn\prn                             No                Yes
D:\prn\prn.exe                         No                Yes


Some examples of MS-DOS reserved device names include:

Testing was done on both Windows 2000 and XP with essentially the same results in all cases.

Solutions and workarounds:

Ensure that no directories or files using reserved MS-DOS device names are in use.
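One way to check for the workaround above is to walk a volume (or a file listing taken from it) and flag every file or directory whose name collides with a reserved MS-DOS device name. The following Python script is an added example, not part of this advisory or of any Symantec product. It assumes the standard Win32 reserved set (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) and the Win32 matching rule as the author of this example understands it: comparison is case-insensitive, everything from the first "." onward is ignored (so "prn.exe" still maps to PRN, as the advisory's table shows), and trailing spaces or dots are dropped. The sample listing and the temporary directory tree are constructed for the example.

```python
"""Find files and directories whose names collide with reserved MS-DOS device
names, i.e. the check behind the advisory's workaround.

Added example, not part of the original advisory.  Assumption: the reserved
set is the standard Win32 list and the matching rule is Win32's (case
insensitive, drop everything from the first '.', drop trailing spaces/dots).
"""
import os
import sys
import tempfile
from typing import Iterable, List

RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def reserved_base_name(component: str) -> str:
    """Return the upper-cased device name a path component collides with,
    or '' if it does not.  'prn.exe', 'Prn' and 'nul ' all collide;
    'com10' and 'printer.txt' do not."""
    name = component.rstrip(" .")              # trailing dots/spaces are ignored
    base = name.split(".", 1)[0].rstrip(" ")   # extension(s) are ignored
    upper = base.upper()
    return upper if upper in RESERVED_DEVICE_NAMES else ""


def is_reserved_device_name(component: str) -> bool:
    return bool(reserved_base_name(component))


def find_reserved_components(paths: Iterable[str]) -> List[str]:
    """Return every path whose file name or any directory component uses a
    reserved device name.  Works on plain strings, so it can be run over a
    listing exported from any host (forward or back slashes)."""
    hits = []
    for path in paths:
        components = [c for c in path.replace("/", "\\").split("\\") if c]
        if any(is_reserved_device_name(c) for c in components):
            hits.append(path)
    return hits


def scan_tree(root: str) -> List[str]:
    """Walk a directory tree and return the full paths of entries whose own
    name is reserved.  Directory listing works even where opening the entry
    does not, which is exactly the gap the advisory describes."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_reserved_device_name(name):
                found.append(os.path.join(dirpath, name))
    return found


# Constructed sample listing mirroring the advisory's test matrix plus a few
# edge cases; not real data.
SAMPLE_PATHS = [
    r"D:\eicar.com",      # harmless: 'eicar' is not a device name
    r"D:\prn",
    r"D:\prn.exe",
    r"D:\prn\eicar.com",  # reserved directory component
    r"D:\prn\prn",
    r"D:\lpt1.txt.exe",   # multiple extensions still map to LPT1
    r"D:\com10",          # only COM1-COM9 are reserved
    r"D:\printer.txt",    # 'printer' is not 'prn'
    r"D:\nul ",           # trailing space is dropped, so this is NUL
]


def demo_scan_in_tempdir() -> List[str]:
    """Build a throwaway tree with constructed names and scan it; returns the
    matches relative to the temp root with '/' separators, sorted.  Meant for
    a non-Windows host: on Windows the ordinary create calls used here are
    refused for these names, which is the behaviour the advisory is about."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lpt1", "sub"))
        for rel in ("readme.txt", "prn.exe", os.path.join("lpt1", "sub", "aux")):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed sample\n")
        return sorted(
            os.path.relpath(p, root).replace(os.sep, "/") for p in scan_tree(root)
        )


if __name__ == "__main__":
    for hit in find_reserved_components(SAMPLE_PATHS):
        print("reserved name in listing:", hit)
    if len(sys.argv) > 1:                       # optional: scan a real tree
        for hit in scan_tree(sys.argv[1]):
            print("reserved name on disk:", hit)
```

Run it with a drive or directory as the first argument to scan a real tree; without an argument it only reports on the constructed sample listing. Because the check compares names rather than opening files, it is not affected by the open() failures the advisory reports, and it flags reserved names in directory components (D:\prn\eicar.com) as well as in file names.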

Additional information:

This vulnerability exists in a number of products, and more generic MS-DOS reserved device name issues exist in other software, ranging from the Apache HTTPD server on Windows to email clients and backup software.

References:

None

http://support.microsoft.com/default.aspx?scid=kb;en-us;103168

http://service1.symantec.com/SUPPORT/nav.nsf/docid/2003061214465806?OpenDocument&src=_mi

A note on eicar.com

Please note that although many people consider that the “legitimate” eicar.com test virus should only be detected when it is in a file named eicar.com, Norton AntiVirus will detect it regardless of the filename and extension.

History:

June 2004 – Vendor notified via iDEFENSE

Other acknowledgements / thanks / greetings / information:

None

URL for advisory, signature and keys:

http://seifried.org/security/advisories/kssa-010.html

http://seifried.org/security/advisories/kssa-010.html.asc




Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the bulletin is not edited or changed in any way, is attributed to Kurt Seifried [email protected], and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Kurt Seifried [email protected] is not liable for any misuse of this information by any third party.


Last updated 1/10/2004

Copyright Kurt Seifried 2004