Bugtraq mailing list archives

Re: SECURITY.NNOV: special devices access in multiple archivers


From: "Juergen P. Meier" <bugtraq () jors net>
Date: Sat, 4 Aug 2001 19:32:11 +0200

On Fri, Aug 03, 2001 at 01:43:06PM +0200, Andreas Marx wrote:
> First we've created normal archives using standard archivers (and normal 
> file names like "xul.exe"), but after the archive was created, we have 
> edited the files internally using a hex editor (change "x" to "n" - but be 
> careful, in ZIP files the file name is included twice). You cannot add 
> names like "nul.exe" to an archive, of course, but you can change the name 

That's not entirely true, you can easily add such files using other Operating
systems, that do not suffer from defective or braindead filename conventions.
Zip archiving tools are available for a wide variety of unix systems, which
allow creation and adding of files like NUL.EXE flawlessly ;)

This also allows for archive formats that either do not store the
filename in uncompressed plain areas or have checksums protect the
integrity of the archive file. (tar+gzip for example)

On Unix one can also cause the archiving tools to store relative Pathnames,
without need to use hex editors.

> inside of the archives easily, if the length of the name will still be the 
> same. You can do this for both "nul.exe" or for additional "../"'s for 
> paths like "../../test.exe". (Btw, we have used the Volkow Commander (DOS), 
> not a "real" hex editor. :) )

[testing]
The testing of Windows based Antivirus products has to be done within
Windows. Although I would run them inside vmware or similar virtual boxen.

Did you also test Unix based virus scanners? There are quite a few AV
Products that have scanners running on Unix.

> I hope this helps to understand the test procedures better.

Yes, thank you ;)
 
> cheers,
> Andreas Marx

-- 
Juergen P. Meier
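
A check that an extraction tool or scanner could run on archive member names before unpacking, flagging the reserved device names and "../" paths discussed in this thread. This is an added example, not part of the original message; the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import zipfile

# DOS/Windows device names; they stay reserved whatever extension follows.
RESERVED = {"CON", "PRN", "AUX", "NUL"}
RESERVED |= {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}


def check_member(name):
    """Return the reasons an archive member name is unsafe to extract."""
    problems = []
    # Windows tools accept backslashes as separators, so normalise them.
    parts = name.replace("\\", "/").split("/")
    if parts[0] == "" or (len(parts[0]) == 2 and parts[0][1] == ":"):
        problems.append("absolute path")
    if ".." in parts:
        problems.append("parent directory traversal")
    for part in parts:
        # "nul.exe" and "NUL .txt" both resolve to the NUL device.
        stem = part.split(".")[0].rstrip(" ").upper()
        if stem in RESERVED:
            problems.append(f"reserved device name: {part}")
    return problems


def scan_zip(data):
    """Map each suspicious member name of a ZIP (given as bytes) to its problems."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            problems = check_member(name)
            if problems:
                findings[name] = problems
    return findings


def build_sample():
    """Constructed sample archive using the file names mentioned in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("xul.exe", "nul.exe", "../../test.exe", "docs/readme.txt"):
            zf.writestr(name, b"sample")
    return buf.getvalue()


if __name__ == "__main__":
    for member, problems in scan_zip(build_sample()).items():
        print(f"{member}: {'; '.join(problems)}")
```

The names are read from the archive's directory without extracting anything, so the check can run before any file is written to disk.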

