Thread-topic: Path-conversion weakness in major AV products reported
http://isc.sans.org/diary.php?storyid=1335
Path-conversion weakness in major AV products reported (NEW)
Published: 2006-05-15,
Last Updated: 2006-05-15 23:39:57 UTC by George Bakos (Version: 1)
Juha-Matti Laurio was kind enough to put together this excellent summary
of a potentially sticky vulnerability:
Reportedly "there is a design flaw in the way that NTDLL performs path
conversion between DOS style path names and NT style path names. Although
many attack vectors are possible, in this paper [see later] some proof
of concept cases are covered". "This issue occurs because the operating
system uses multiple differing algorithms to resolve file paths.
Attackers may exploit this issue to bypass security software such as
antivirus and antispyware products. Other attacks may also be
possible.", continues Symantec.
A list of the affected products is located at
http://www.securityfocus.com/bid/17934/info
Some examples of products listed:
Norton AV, Kaspersky AV, AVG AV, Norman AV, Ad-Aware, Spybot
Search&Destroy and all Windows versions from NT4.0SP1 to Windows Server
2003 SP1.
A sample .bat file demonstrating this issue was also published at
http://www.securityfocus.com/data/vulnerabilities/exploits/17934 . bat
Note: I deliberately broke this link so that this story will make it
through subscribers' mail filters. Remove those spaces around the dot if
you wish to retrieve this. - gb
It appears that this issue is based on the following Bugtraq posting:
http://www.securityfocus.com/archive/1/433583
More details at this 48Bits.com PDF document:
http://www.48bits.com/advisories/rtldospath.pdf
- Juha-Matti
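The defensive lesson in the summary above is that a file can have several spellings and the security product and the operating system may not agree on which file a spelling names. The following is an added example, not code from the ISC diary, the Bugtraq posting or the 48Bits paper: a small canonicaliser for DOS-style paths that a scanner or exclusion-list check could apply before comparing paths. The normalisation rules it applies (separator folding, "." and ".." handling, stripping of trailing dots and spaces, case folding) are a simplified approximation of documented Win32 behaviour and are an assumption here, not the NTDLL algorithm the advisory describes; the sample paths are constructed.

```python
# Added example (not from the ISC diary or the referenced advisory): a
# defender-side path canonicaliser. Security software that compares the raw
# string it is handed against an allow/deny list can disagree with the OS,
# which resolves many spellings to the same file. Comparing canonical forms
# removes that disagreement for the spellings handled here.
#
# Assumption: the rules below approximate documented Win32 path handling;
# they are NOT the NTDLL DOS-to-NT conversion the advisory is about.

import re

_DRIVE_RE = re.compile(r"^([A-Za-z]:)?(.*)$", re.S)


def canonicalize_win_path(path):
    """Return one canonical spelling for a DOS-style path.

    Rules (simplified Win32 semantics, assumed for this example):
      * "/" is treated as "\\"
      * repeated separators collapse
      * "." components are dropped, ".." pops the previous component
      * trailing dots and spaces on each component are stripped
        (Win32 ignores them when opening a file)
      * drive letter and components are lower-cased (NTFS is
        case-insensitive by default)
    """
    p = path.replace("/", "\\")
    m = _DRIVE_RE.match(p)
    drive, rest = (m.group(1) or ""), m.group(2)
    out = []
    for comp in rest.split("\\"):
        if comp == "..":
            if out:
                out.pop()
            continue
        comp = comp.rstrip(". ")
        if comp == "":
            # empty after stripping: repeated separator or a bare "."
            continue
        out.append(comp.lower())
    return drive.lower() + "\\" + "\\".join(out)


def is_excluded(path, exclusions):
    """Exclusion check done on canonical forms (the safe way)."""
    c = canonicalize_win_path(path)
    return any(c == canonicalize_win_path(e) for e in exclusions)


def naive_is_excluded(path, exclusions):
    """Exclusion check on the raw string (the pattern the advisory warns about)."""
    return path in exclusions


if __name__ == "__main__":
    # Constructed sample: spellings the OS would resolve to one file.
    spellings = [
        r"C:\Temp\sample.exe",
        r"c:/temp/sample.exe",
        r"C:\Temp\.\sample.exe",
        r"C:\Temp\sub\..\sample.exe",
        r"C:\Temp\sample.exe.",
        r"C:\\Temp\\sample.exe ",
    ]
    excl = [r"C:\Temp\sample.exe"]
    for s in spellings:
        print(f"{s!r:32} -> {canonicalize_win_path(s)}  "
              f"naive={naive_is_excluded(s, excl)} canonical={is_excluded(s, excl)}")
```

Run stand-alone, the script prints each spelling beside its canonical form and shows that the raw-string check recognises only the first spelling while the canonical check treats all six as the same file. The point for a practitioner is the comparison, not the specific rule set: whatever normalisation the product uses must be at least as complete as the one the operating system applies when it opens the file.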
We at the ISC have verified this behavior and strongly advise that all
Windows users exercise "safe surfing" habits such as verifying
attachments before opening, not executing programs unless obtained from
a trusted source, etc. Also, you can hasten the update process by
staying on top of your A/V vendor's support group. A partial list of
vulnerable products is contained in the advisory.