Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

10.05.04

BACKGROUND

Symantec's Norton AntiVirus protects e-mail, instant messages and other
files by automatically removing viruses, worms and Trojan horses. More
information about the product is available from http://www.symantec.com.

DESCRIPTION

Remote exploitation of a design vulnerability in Norton
AntiVirus allows malicious code to evade detection.

The problem specifically exists in the handling of files and directories
whose names are reserved MS-DOS device names. Reserved MS-DOS device
names are a holdover from the original days of Microsoft DOS and
represent devices such as the first printer port (LPT1) and the first
serial communication port (COM1). Sample reserved MS-DOS device names
include AUX, CON, PRN, COM1 and LPT1. Because the standard Windows path
parser maps a name such as C:\aux to the AUX device rather than to an
entry on disk, a virus stored in a file or directory carrying a reserved
device name avoids detection by Norton AntiVirus when the system is
scanned: Norton AntiVirus will scan the files and folders containing the
virus and fail to detect or report them. Files and directories with
reserved device names can be created with standard Windows utilities by
specifying the full path with the \\.\ prefix (the Win32 device
namespace, referred to in this advisory as the Universal Naming
Convention form), which bypasses the reserved-name check. The following
command will successfully copy a file to the reserved device name "aux"
on the C: drive:

    copy source \\.\C:\aux

ANALYSIS

Exploitation allows attackers to evade detection of malicious code.
Attackers can unpack or decode an otherwise detected malicious
payload in a stealthy manner.

DETECTION

iDEFENSE has confirmed the existence of this vulnerability in the
latest version of Norton AntiVirus. It is reported that earlier versions
crash upon parsing files or directories using reserved MS-DOS device
names.

WORKAROUND

Ensure that no local files or directories using reserved MS-DOS device
names exist. On most modern Windows systems, there should be no
reserved MS-DOS device names present. While the Windows search
utility can be used to locate offending files and directories, either a
separate tool or the Universal Naming Convention form of the path
(the \\.\ prefix) must be used to remove them. The following command
will successfully remove a file stored on the C: drive named "aux":

    del \\.\C:\aux
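The following script is an added example, not part of the iDEFENSE advisory or of any Symantec tool. It implements the two pieces a practitioner needs for the workaround above and the creation trick described earlier: a check that applies the Win32 reserved-name rule (the base name before the first dot, compared case-insensitively, so "AUX.txt" and "com1.log" are also reserved), a walker that reports every such file or directory under a root, and a helper that builds the \\.\ form of a drive path for the del command. The reserved-name list is the standard Win32 set (it includes NUL and COM2-9/LPT2-9 beyond the five names the advisory samples); the rmdir form for directories is an assumption, since the advisory only shows del. Sample names at the bottom are constructed.

```python
import os
import re

# Standard Win32 reserved device names. The advisory samples AUX, CON, PRN,
# COM1 and LPT1; NUL and COM2-COM9 / LPT2-LPT9 fall under the same rule.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)

_DEVICE_PREFIX = "\\\\.\\"            # the \\.\ Win32 device-namespace prefix
_LONG_PREFIX = "\\\\?\\"              # the \\?\ prefix has the same effect
_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")  # C:\... style absolute path


def is_reserved_device_name(name: str) -> bool:
    """True if the Win32 path parser would map this base name to a device.

    Win32 looks at the part before the first dot, ignores trailing spaces
    and dots, and compares case-insensitively, so "aux", "AUX.txt" and
    "com1.log" are all devices, while "com10" and "auxiliary" are not.
    """
    stem = name.split(".", 1)[0].rstrip(" .")
    return stem.upper() in RESERVED_DEVICE_NAMES


def device_namespace_path(win_path: str) -> str:
    """Return the \\.\ form of an absolute drive path: C:\aux -> \\.\C:\aux.

    With the prefix, Win32 skips the reserved-name mapping and addresses
    the on-disk entry, which is why the advisory's copy/del commands work.
    """
    if win_path.startswith(_DEVICE_PREFIX) or win_path.startswith(_LONG_PREFIX):
        return win_path
    if not _DRIVE_PATH.match(win_path):
        raise ValueError("expected an absolute drive path such as C:\\dir\\aux")
    return _DEVICE_PREFIX + win_path


def scan_names(names):
    """Filter an iterable of base names down to the reserved ones (order kept)."""
    return [n for n in names if is_reserved_device_name(n)]


def find_reserved_entries(root: str):
    """Walk root and return [(path, kind)] for each reserved-named file or dir.

    Runs on any OS; on Windows, entries found this way are the ones a
    normal scan would silently treat as devices.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if is_reserved_device_name(d):
                hits.append((os.path.join(dirpath, d), "dir"))
        for f in filenames:
            if is_reserved_device_name(f):
                hits.append((os.path.join(dirpath, f), "file"))
    return hits


def removal_command(path: str, kind: str) -> str:
    """Build the Windows removal command for one hit.

    'del' matches the advisory's workaround; using 'rmdir /s /q' for
    directories through the same prefix is an assumption of this example.
    """
    target = device_namespace_path(path)
    verb = "rmdir /s /q" if kind == "dir" else "del"
    return f'{verb} "{target}"'


if __name__ == "__main__":
    # Constructed sample names, not taken from any real system.
    sample = ["aux", "AUX.txt", "com1.log", "con", "com10", "auxiliary", "report.docx"]
    for n in sample:
        print(f"{n:12} reserved={is_reserved_device_name(n)}")
    print(removal_command("C:\\aux", "file"))
    # To audit a real machine: for p, k in find_reserved_entries("C:\\"): print(removal_command(p, k))
```

Run the walker against each local drive root on the Windows host; every hit is an entry that the unpatched scanner would open as a device rather than as the file on disk, and the printed command removes it through the \\.\ prefix the advisory describes.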

VENDOR RESPONSE

"Symantec engineers have developed a fix for this issue for Symantec
Norton AntiVirus 2004 that is currently available through LiveUpdate.
The fix is being incorporated into all other supported Symantec Norton
AntiVirus versions and will be available through LiveUpdate when fully
tested and released."

More information is available in Symantec Security Advisory SYM04-015.

CVE INFORMATION

The Common Vulnerabilities and Exposures project has assigned the
name CAN-2004-0920 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

DISCLOSURE TIMELINE

06/25/2004    iDEFENSE clients notified
06/29/2004    Initial vendor notification
06/30/2004    Initial vendor response
10/05/2004    Coordinated public disclosure

CREDIT

Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

LEGAL NOTICES

Copyright © 2004 Verisign, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent
of iDEFENSE. If you wish to reprint the whole or any part of this alert
in any other medium other than electronically, please e-mail
customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information.
Use of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or reliance
on, this information.