iDEFENSE Security Advisory 2004-09-22.t

Posted Sep 29, 2004
Authored by Kurt Seifried, iDefense Labs | Site idefense.com

iDEFENSE Security Advisory 09.22.04 - Remote exploitation of a design vulnerability in version 1.00 of Sophos Plc.'s Small Business Suite allows malicious code to evade detection.

tags | advisory, remote
advisories | CVE-2004-0552
SHA-256 | 1492e0bde6d3a8289918a6dcd69214b9d08f83ccb4e5d288c26fd1d43ed88c74

Sophos Small Business Suite Reserved Device Name Handling Vulnerability

iDEFENSE Security Advisory 09.22.04
www.idefense.com/application/poi/display?id=143&type=vulnerabilities
September 22, 2004

I. BACKGROUND

Sophos Small Business Suite includes the Sophos PureMessage Small
Business Edition, combining virus and spam protection for the email
gateway, and Sophos Anti-Virus Small Business Edition, which offers
desktop and server defense against the virus threat.

II. DESCRIPTION

Remote exploitation of a design vulnerability in version 1.00 of Sophos
Plc.'s Small Business Suite allows malicious code to evade detection.

The problem specifically exists in attempts to scan files and
directories named as reserved MS-DOS devices. These represent devices
such as the first printer port (LPT1) and the first serial communication
port (COM1). Sample reserved MS-DOS device names include AUX, CON, PRN,
COM1 and LPT1.

If malicious code is stored in a file or directory whose name is a
reserved device name, it is not detected by Small Business Suite when the
system is scanned. Malicious code can also use reserved device names for
e-mail attachments to bypass e-mail scanning, thereby potentially
delivering hostile payloads to users. Small Business Suite will scan the
files and folders containing the virus and fail to detect or report them.
Real-time (on-access) protection is also affected: if malicious code is
copied from a file named using a reserved MS-DOS device name to another
file also named using a reserved MS-DOS device name, Small Business Suite
will not detect it.

It may also be possible for malicious code to execute without detection
from files named using reserved MS-DOS device names. Such files cannot be
created with a plain path, because Windows resolves the name to the device,
but they can be created with standard Windows utilities by specifying the
full path with the \\.\ prefix (the Win32 device namespace, often described
as a UNC-style path), which bypasses the reserved-name translation. The
following command will successfully copy a file to a file named 'aux' in
the root of the C:\ drive:

copy source \\.\C:\aux

III. ANALYSIS

Exploitation allows remote attackers to deliver and launch malicious code
that evades detection. Attackers can unpack or decode an otherwise detected
malicious payload into such a file without triggering an alert.
Exploitation may also allow attackers to bypass e-mail filters, increasing
the likelihood that a target user executes a malicious attachment.

Files and directories using reserved MS-DOS device names cannot be removed
with a plain path, since Windows resolves the name to the device rather
than the file; they can be removed by specifying the full path with the
\\.\ prefix. The following command will successfully remove a file named
'aux' stored in the root of the C:\ drive:

del \\.\C:\aux

IV. DETECTION

Sophos Small Business Suite 1.00 is confirmed affected. Earlier versions
reportedly crash when parsing files or directories that use reserved
MS-DOS device names.

V. WORKAROUND

Explicitly block e-mail attachments whose names are reserved MS-DOS device
names (Windows treats the name as a device whether or not an extension
follows it, so AUX.txt is as reserved as AUX). Ensure that no local files
or directories using reserved MS-DOS device names exist; on most Windows
systems none should be present, because ordinary tools cannot create them.
The Windows search utility can be used to locate offending files and
directories, but because ordinary file operations resolve such names to
the device, either a separate tool or a path with the \\.\ prefix must be
used to remove them.
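The check the workaround calls for, as an added example that is not code from the advisory or from Sophos: a Python classifier for the names this advisory is about (usable for blocking attachments at a gateway or finding offending files and directories locally), plus a helper that builds the \\.\ path form used in the copy and del commands above. The function names, the constructed attachment list, and the Windows-only round-trip helper (which assumes a writable temp directory and does nothing on other platforms) are this example's own, not something the advisory describes.

```python
r"""Reserved MS-DOS device names: detection and the \\.\ path form.

Added example for this advisory; it is not iDEFENSE's or Sophos's code.
It shows the check a gateway or scanner needs in order to treat names such
as AUX or COM1 as files rather than devices, and how the \\.\
device-namespace prefix used in the advisory's copy/del commands is formed.
Function names and the sample attachment list are this example's own.
"""
import os
import re
import sys
import tempfile

# Names Win32 reserves for devices (case-insensitive). Win32 applies the
# check to the part of a name before the first '.' or ':', ignoring
# trailing spaces, so 'AUX.txt', 'com1 .exe' and 'nul:stream' all resolve
# to devices.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + ["COM%d" % i for i in range(1, 10)]
    + ["LPT%d" % i for i in range(1, 10)]
)


def is_reserved_device_name(name):
    """True if a single path component would be resolved to a device by Win32."""
    stem = re.split(r"[.:]", name, maxsplit=1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES


def find_reserved_names(paths):
    """Return every path that has a reserved device name as any component.

    A directory named e.g. LPT1 hides everything beneath it from a scanner
    with this bug, so intermediate components are checked, not just the
    final file name.
    """
    hits = []
    for path in paths:
        components = [c for c in re.split(r"[\\/]", path) if c]
        if any(is_reserved_device_name(c) for c in components):
            hits.append(path)
    return hits


def device_namespace_path(path):
    r"""Prefix an absolute drive path with \\.\ so that Win32 skips DOS
    device name translation; this is the form the advisory uses with
    copy and del. Paths already carrying \\.\ or \\?\ are returned as-is.
    """
    if path.startswith("\\\\.\\") or path.startswith("\\\\?\\"):
        return path
    if not re.match(r"^[A-Za-z]:\\", path):
        raise ValueError("expected an absolute drive path such as C:\\aux")
    return "\\\\.\\" + path


def create_and_remove_reserved_file(directory=None):
    r"""Windows only: create, confirm and delete a file named 'aux' through
    the device-namespace path, mirroring 'copy source \\.\C:\aux' and
    'del \\.\C:\aux'. Returns True if the file was visible in between,
    None on other platforms. The temp directory is assumed to be writable.
    """
    if sys.platform != "win32":
        return None
    directory = directory or tempfile.gettempdir()
    dev_path = device_namespace_path(os.path.join(directory, "aux"))
    with open(dev_path, "w") as fh:
        fh.write("placeholder content, not malware\n")
    visible = os.path.exists(dev_path)
    os.remove(dev_path)
    return visible


# Attachment names constructed for this demo. Only the entries that Win32
# would resolve to a device should be reported.
SAMPLE_ATTACHMENTS = [
    "invoice.pdf",
    "aux",
    "AUX.txt",
    "com1 .exe",
    "report\\lpt1\\payload.exe",
    "auxiliary.doc",
    "com10.zip",
    "nul:stream",
]

if __name__ == "__main__":
    for hit in find_reserved_names(SAMPLE_ATTACHMENTS):
        print("block or scan as a file:", hit)
    print("windows round-trip:", create_and_remove_reserved_file())
```

Run on any platform, the script lists the five sample names a scanner with this bug would skip; on Windows it additionally creates and deletes a real file named aux in the temp directory through the \\.\ path, the same operation the advisory performs with copy and del.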

VI. VENDOR RESPONSE

"LPT1, LPT2, COM1 etc are reserved by the operating system for devices.
Despite this, Windows will allow these strings to be used as file names
and when such files are accessed, the operating system attempts to treat
them as devices rather than files except under the circumstances you
have outlined.

Although this vulnerability has never been exploited by a virus it could
theoretically be used to contain viral code. Sophos has improved its
code within both its on-access and on-demand scanners to deal with these
improperly named files as files and not devices.

This improvement to Sophos Anti-Virus will be included in version 3.86
(available 22/09/04)."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0552 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/06/2004 Initial vendor notification
08/06/2004 iDEFENSE clients notified
08/09/2004 Initial vendor response
09/22/2004 Coordinated public disclosure

IX. CREDIT

Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.