Vulnerability Development mailing list archives
NAV bugs!
From: Bipin Gautam <visitbipin () hotmail com>
Date: 7 Mar 2004 02:11:53 -0000
Subject: NAV bugs! Published: Friday, 05 March, 2004 Updated: 06-Mar-04 Discovered By: Bipin Gautam ( hUNT3R ) Product Version: Norton Antivirus 2002 [ ver: 8.00.58 ] (~Only tested On...~) Risk Impact: Low-Medium * * * Details: During a 'manual scan' of a folder, if Norton Antivirus (NAV) encounters a file /folder name with 'some' ASCII characters ( 1-31) NAV can't further proceed the manual scan and its front-end 'NAVW32.exe' crashes! This Bug has no impact in the NAV Auto-Protect Engine. Exploit 1). : Norton Antivirus 2002 fails to scan files with special character(s) properly. http://www.geocities.com/visitbipin/test_nav.zip Create a folder (say: '!' ) and put some sub-folders and files in it. The file/sub-folder name must contain ASCII character(s) ( 1-31) . Have a manual scan of the folder named '!' NAV can't proceed the scan and crashes! Exploit 2). : Norton Antivirus Auto-protect fails to stop a HOSTILE CODE... that is in the last sub dir. that windows OS can create! Run this batch script, first and make sure you have 95 sub-folders inside the folder named '----------------------------------------------------------------' in c:\ (root) =-------CUT----------= @echo off echo ( you can use, http://www.eicar.org/anti_virus_test_file.htm) echo for a harmless test... pause cd\ c: cd\ :hUNT3r md 1 cd 1 if not errorlevel 1 goto :hUNT3r :rename cd\ c: cd\ ren 1 ---------------------------------------------------------------- explorer c: exit =-------CUT----------= Now... drag/drop a trojan named 1.exe (that NAV recognises as a hostile program) to the 93'rd sub-folder and execute the program from there........ NAV-AUTO PROTECT is unable to scan/block the program & the trojan gets executed. [...THIS TECHNIQUE SHOULD WORK FOR SOME OTHER ANTIVIRUS PRODUCT TOO...] [NOTE]----------------------------------------------------------------------------------------> drag/drop the trojan code, in a scene...... FOR TEST PURPOSE you either temporarily disable your NAV and copy a trojan there and then enable NAV then and then execute the trojan . NAV is unable to scan/detect it as a virus...... when it gets executed! OR you create a blank file and / inject a hostile code named 1.* in the 93'rd sub directory....... and execute it! NAV IS UNABLE TO DETECT IT AS A VIRUS Ps: 93'rd directory is the last sub-folder that windows can create in the situation..... NOTE]----------------------------------------------------------------------------------------< Make sure the trojan/warm.exe just have a 1 character file-name! when it is executer from 93'rd sub directory! (...Last possible DIRECTORY where the file file can be copied!) Disclaimer: The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on this information.
Current thread:
- NAV bugs! Bipin Gautam (Mar 08)
- Re: NAV bugs! Said Boutejdir (Security List) (Mar 09)