Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

iDEFENSE Security Advisory 10.05.04b:
www.idefense.com/application/poi/display?id=147&type=vulnerabilities
October 5, 2004

I. BACKGROUND

Symantec's Norton AntiVirus protects email, instant messages, and other
files by automatically removing viruses, worms, and Trojan horses. More
information about the product is available from http://www.symantec.com

II. DESCRIPTION

Remote exploitation of design vulnerability in Symantec's Norton
AntiVirus allows malicious code to evade detection.

The problem specifically exists in attempts to scan files and
directories named as reserved MS-DOS devices. Reserved MS-DOS device
names are a hold over from the original days of Microsoft DOS. The
reserved MS-DOS device names represent devices such as the first printer
port (LPT1) and the first serial communication port (COM1). Sample
reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1. If a
virus stores itself in a reserved device name it can avoid detection by
Symantec Norton AntiVirus when the system is scanned. Symantec Norton
AntiVirus will scan the files and folders containing the virus and fail
to detect or report them. reserved device names can be creating with
standard Windows utilities by specifying the full Universal Naming
Convention (UNC) path. The following command will successfully copy a
file to the reserved device name 'aux' on the C:\ drive:

    copy source \\.\C:\aux

III. ANALYSIS

Exploitation allows attackers to evade detection of malicious code.
Attackers can unpack or decode an otherwise detected malicious payload
in a stealth manner.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in the latest
version of Norton AntiVirus. It is reported that earlier versions crash
upon parsing files or directories using reserved MS-DOS device names.

V. WORKAROUND

Ensure that no local files or directories using reserved MS-DOS device
names exist. On most modern Windows systems there should be no reserved
MS-DOS device names present. While the Windows search utility can be
used to locate offending files and directories, either a seperate tool
or the specification of Universal Naming Convention (UNC) must be used
to remote them. The following command will successfully remove a file
stored on the C:\ drive named 'aux':

    del \\.\C:\aux

VI. VENDOR RESPONSE

"Symantec engineers have developed a fix for this issue for Symantec
Norton AntiVirus 2004 that is currently available through LiveUpdate.
The fix is being incorporated into all other supported Symantec Norton
AntiVirus versions and will be available through LiveUpdate when fully
tested and released."

More information is available in Symantec Security Advisory SYM04-015.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2004-0920 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

05/12/2004   Vulnerability acquired by iDEFENSE
06/25/2004   iDEFENSE clients notified
06/29/2004   Initial vendor notification
06/30/2004   Initial vendor response
10/05/2004   Coordinated public disclosure

IX. CREDIT

Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.