Sophos Small Business Suite Reserved Device Name Handling Vulnerability

iDEFENSE Security Advisory 09.22.04
www.idefense.com/application/poi/display?id=143&type=vulnerabilities
September 22, 2004

I. BACKGROUND

Sophos Small Business Suite includes the Sophos PureMessage Small Business Edition, combining virus and spam protection for the email gateway, and Sophos Anti-Virus Small Business Edition, which offers desktop and server defense against the virus threat.

II. DESCRIPTION

Remote exploitation of a design vulnerability in version 1.00 of Sophos Plc.'s Small Business Suite allows malicious code to evade detection.

The problem specifically exists in attempts to scan files and directories named as reserved MS-DOS devices. These names represent devices such as the first printer port (LPT1) and the first serial communication port (COM1). Sample reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1.

If malicious code embeds itself within a file or directory named as a reserved device, it can avoid detection by Small Business Suite when the system is scanned. Malicious code can also potentially use reserved device names to bypass e-mail scanning, thereby potentially delivering hostile payloads to users. Small Business Suite will scan the files and folders containing the virus and fail to detect or report them.

Real-time protection against malicious code is also affected: if malicious code is copied from a file named using a reserved MS-DOS device name to another file also named using a reserved MS-DOS device name, Small Business Suite will not detect it. It may also be possible for malicious code to execute without detection from files named using reserved MS-DOS device names.

Reserved device names can be created with standard Windows utilities by specifying the full Universal Naming Convention (UNC) path. The following command will successfully copy a file to the reserved device name 'aux' on the C:\ drive:

    copy source \\.\C:\aux

III.
ANALYSIS

Exploitation allows remote attackers to launch malicious code that can evade detection. Remote attackers can unpack or decode an otherwise detected malicious payload in a stealthy manner. Exploitation may allow attackers to bypass e-mail filters, thereby increasing the likelihood that a target user executes a malicious attachment.

Files and directories using reserved MS-DOS device names can be removed by specifying the full Universal Naming Convention (UNC) path. The following command will successfully remove a file stored on the C:\ drive named 'aux':

    del \\.\C:\aux

IV. DETECTION

Sophos Small Business Suite 1.00 is confirmed affected. Earlier versions reportedly crash upon parsing files or directories employing reserved MS-DOS device names.

V. WORKAROUND

Explicitly block file attachments that use reserved MS-DOS device names.

Ensure that no local files or directories using reserved MS-DOS device names exist. On most modern Windows systems, reserved MS-DOS device names should not be present. While the Windows search utility can be used to locate offending files and directories, either a separate tool or the Universal Naming Convention (UNC) form of the path should be used to remove them.

VI. VENDOR RESPONSE

"LPT1, LPT2, COM1 etc are reserved by the operating system for devices. Despite this, Windows will allow these strings to be used as file names and when such files are accessed, the operating system attempts to treat them as devices rather than files except under the circumstances you have outlined. Although this vulnerability has never been exploited by a virus it could theoretically be used to contain viral code. Sophos has improved its code within both its on-access and on-demand scanners to deal with these improperly named files as files and not devices. This improvement to Sophos Anti-Virus will be included in version 3.86 (available 22/09/04)."

VII.
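A defender-side check for the workaround above, added here as an example and not part of the iDEFENSE advisory or of Sophos's code: it encodes the Windows reserved-name rules the advisory describes (case-insensitive, extension ignored, trailing spaces and dots stripped, so AUX.txt is still the AUX device), partitions attachment names so those using reserved names can be blocked at the gateway, and walks a directory tree to list offending files and directories for removal. The sample tree and attachment names are constructed for the demonstration, and all function names are the example's own.

```python
import os
import shutil
import tempfile

# Names that Windows (inheriting from MS-DOS) reserves for devices. Any file or
# directory whose base name matches one of these, in any letter case and with or
# without an extension, is opened as the device rather than as a file.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{n}" for n in range(1, 10)]
    + [f"LPT{n}" for n in range(1, 10)]
)


def is_reserved_device_name(name: str) -> bool:
    """Return True if the last component of `name` would be treated as a device.

    Mirrors the Windows rules: the comparison is case-insensitive, the extension
    is ignored (AUX.txt is still AUX), and trailing spaces and dots are stripped.
    Accepts plain names, full paths and \\\\.\\ or \\\\?\\ prefixed paths alike.
    Deliberately conservative: a stem such as "aux " (trailing space before the
    dot) is also flagged, which is the safer direction for a filter.
    """
    base = name.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]
    stem = base.rstrip(" .").split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES


def split_attachments(filenames):
    """Partition attachment names into (allowed, blocked), implementing the
    advisory's workaround of explicitly rejecting reserved-name attachments."""
    allowed, blocked = [], []
    for fn in filenames:
        (blocked if is_reserved_device_name(fn) else allowed).append(fn)
    return allowed, blocked


def find_reserved_names(root: str):
    """Walk `root` and return the paths of files and directories whose names are
    reserved device names, so an administrator can remove them with the \\\\.\\
    form of the path that the advisory shows for `del`."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            if is_reserved_device_name(entry):
                hits.append(os.path.join(dirpath, entry))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed sample tree in a temporary directory and return its
    root. On Windows the \\\\?\\ prefix is required to create these names at all;
    on POSIX hosts they are ordinary names."""
    root = tempfile.mkdtemp(prefix="devname-demo-")
    if os.name == "nt":
        root = "\\\\?\\" + root
    os.mkdir(os.path.join(root, "lpt1"))  # reserved directory name
    # "aux" and "COM1.exe" are reserved; the other three are decoys that must
    # not be flagged (prefix match, COM10 is not reserved, ordinary name).
    for name in ("aux", "COM1.exe", "readme.txt", "auxiliary.txt", "com10.log"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("sample\n")
    with open(os.path.join(root, "lpt1", "notes.txt"), "w") as fh:
        fh.write("sample\n")
    return root


def demo():
    """Build the constructed tree, scan it, filter constructed attachment names,
    clean up, and return (reserved base names found, allowed, blocked)."""
    root = build_sample_tree()
    try:
        names = [os.path.basename(h) for h in find_reserved_names(root)]
    finally:
        shutil.rmtree(root)
    allowed, blocked = split_attachments(
        ["invoice.pdf", "CON.doc", "nul", "Prn.zip", "setup.exe"]
    )
    return names, allowed, blocked


if __name__ == "__main__":
    found, ok, bad = demo()
    print("reserved names on disk:", found)
    print("blocked attachments:", bad)
```

The check operates on the bare name, which is the point: the advisory's `\\.\C:\aux` is flagged because its last component is `aux`, and so is `aux.txt`, while `auxiliary.txt` and `com10.log` are not. A gateway filter that only compared whole filenames against `AUX`, `CON` and so on would miss the extension case.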
CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0552 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

08/06/2004 Initial vendor notification
08/06/2004 iDEFENSE clients notified
08/09/2004 Initial vendor response
09/22/2004 Coordinated public disclosure

IX. CREDIT

Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any medium other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.