Bugtraq mailing list archives
RE: Long path exploit on NTFS
From: David Sexton <dave.sexton () sapphire net>
Date: Tue, 5 Feb 2002 09:14:06 -0000
Err.. I beg to differ:

----------------
SWEEP virus detection utility
Version 3.54, Monday, February 04, 2002
Includes detection for 71830 viruses, trojans and worms
Copyright © 1989, 2001, Sophos Plc, www.sophos.com

Info: Immediate job started by xxxx at 8:57 on Tuesday, February 05, 2002

Items to be swept:
"All Master Boot Sectors"
Drive C: Sector 0
c:\temp\*.* and all subfolders

Scanning options:
Quick mode, excluding off-line files

Sweeping:
Disk 80 Cylinder 0 Head 0 Sector 1
Drive C: Sector 0

C:\TEMP\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789\1234567890...\EICAR.TXT
Virus: 'EICAR-AV-Test' detected in C:\TEMP\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\EICAR.TXT
No action taken

C:\TEMP\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789\1234567890...\EICAR2.COM
Virus: 'EICAR-AV-Test' detected in C:\TEMP\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\EICAR2.COM
No action taken

C:\TEMP\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789\temp\1234567890...\EICAR.TXT
Virus: 'EICAR-AV-Test' detected in C:\TEMP\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\temp\123456~1\123456~1\123456~1\123456~1\123456~1...\EICAR.TXT
No action taken

C:\TEMP\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789\temp\1234567890...\EICAR3.COM
Virus: 'EICAR-AV-Test' detected in C:\TEMP\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\temp\123456~1\123456~1\123456~1\123456~1\123456~1...\EICAR3.COM
No action taken

Info: Immediate job completed at 8:57 on Tuesday, February 05, 2002
11 items swept, 4 viruses detected, 0 errors
-------

Sophos seems to truncate the paths for the sake of the report, but they are long (the second one exceeding 256 characters even when using the '~' notation).

Those eicar files are still there from when I originally tested (with 3.53 [January's update]). Obviously explorer was unable to delete them.

The platform tested was Win2000 SP2 (before and after the recent security roll-up patch). I have not tried NT4.

Regards,
Dave
-----Original Message-----
From: Frank Heyne [SMTP:fh () rcs urz tu-dresden de]
Sent: Monday, February 04, 2002 7:15 PM
To: bugtraq () securityfocus com; hans.somers () hccnet nl
Subject: Re: Long path exploit on NTFS

On 4 Feb 2002, at 10:26, Hans Somers wrote:

> Not Vulnerable:
> --------------
> *1 Sophos Anti-Virus v3.53

This is not true. According to my own tests, Sophos Anti-Virus v3.53 is unable to find virii in deeply nested NTFS subdirectories on NT 4.

Frank Heyne
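An added example, not part of the original message and not code from Sophos or any poster in this thread: a defender-side audit in Python that walks a tree and lists files whose full path would not fit in the Win32 MAX_PATH limit of 260 characters, the kind of location this thread says Explorer and some scanners cannot reach. The function names and the constructed 25-level test tree are assumptions made for illustration; on Windows the walk uses the `\\?\` extended-length prefix so that it is not stopped by the same limit.

```python
import os
import shutil
import sys
import tempfile

MAX_PATH = 260  # Win32 limit: drive, separators, file name and the trailing NUL


def extended(path):
    # Absolute path; on Windows add the extended-length prefix so the
    # walk itself is not stopped by MAX_PATH (no-op on other platforms).
    path = os.path.abspath(path)
    if sys.platform != "win32" or path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):  # UNC share
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path


def find_long_paths(root, limit=MAX_PATH):
    # Returns (long_files, errors): files whose plain path cannot fit in
    # `limit` characters, and directories the walk could not read.
    root_ext = extended(root)
    prefix_len = len(root_ext) - len(os.path.abspath(root))
    long_files, errors = [], []
    on_error = lambda e: errors.append(e.filename)
    for dirpath, _dirs, files in os.walk(root_ext, onerror=on_error):
        for name in files:
            full = os.path.join(dirpath, name)
            plain_len = len(full) - prefix_len
            if plain_len + 1 > limit:  # +1 for the terminating NUL
                long_files.append((plain_len, full))
    return sorted(long_files, reverse=True), errors


def demo():
    # Constructed sample: 25 nested "1234567890" directories, one deep file, one shallow.
    tmp = tempfile.mkdtemp()
    ext = extended(tmp)
    try:
        deep = os.path.join(ext, *["1234567890"] * 25)
        os.makedirs(deep)
        for folder, name in ((deep, "deep.txt"), (ext, "shallow.txt")):
            with open(os.path.join(folder, name), "w") as fh:
                fh.write("constructed test file\n")
        long_files, errors = find_long_paths(tmp)
        return [os.path.basename(p) for _n, p in long_files], errors
    finally:
        shutil.rmtree(ext)
```

Every path returned by `find_long_paths` is one to check a scanner's report against; a directory listed in `errors` was not walked at all and needs the same attention.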