January 31st, 2002, 03:19 PM
Norton AntiVirus & NTFS Long pathname exploit
This was posted to bugtraq by Hans Somers on Jan 30th:
Long path exploit on NTFS
The filesystem NTFS seems to be a hiding place for virusses if you use a file path which exceeds 256 charaters.
What is the case?
The filepath (drive + folderpath + filename) theoraticly can take up to 32000 charaters if the filesystem in use is NTFS. However, the way in wich Windows NT (4.0, 2000 and XP) access this filesystem a maximum of 256 characters is in place. If you try to go deeper, you will experience a "Path too long" error. In these Operating System there is a way to substitute a long folderpath, using the "SUBST" command. If you change your current drive to the substituted drive, the pathlength is reset to 3 (Q:\ e.g.) and Windows NT allows you to create an even deeper path.
Normally this would not alarm anyone, however, i discovered that my favorite virusscanner (Norton AntiVirus) was not able to follow the deep path where i created the EICAR-test string. So i created a very simple batchfile to demonstrate this exploit. My virusscanner will only find this virus is the SUBST drive is availible during the scan.
I have tested this on the following platforms:
Windows NT 4.0 SP4
Windows NT 4.0 SP6a
Windows 2000 Professional SP2
Windows XP Pro
I have determined that the following versions of Norton AntiVirus will not follow the deep path during a complete scan:
Norton AntiVirus 5.0
Norton AntiVirus 7.5.1
Norton Antivirus 8.00.58
I suspect that other virusscanners will encounter the same "bug" so you
might try the sample script that i created. Additionally, other tools (quotamanagers,
inventory tools etc) that gather information from a NTFS partition might reveal the same
After running the script below, remove the substituted drive (SUBST Q: /D) and run a full scan on your C-partition. I suspect that the Eicar-virus will not be found.
Additionally, re-create the substituted drive and re-run the scan. Under normal conditions
the Eicar-virus will be found and removed (depending on your settings).
As far as i can see, there is no real remedy against this exploit. I hope this message will pass through the proper channels, so the responsible parties will act on this.
Responses on this posting at my address are welcome.
Hans Somers (firstname.lastname@example.org)
echo Start test-script NTFS-limit
@echo Create a filepath to the limit of NTFS
@echo Create the Eicar test-string for PoC. This should be detected
normally if you
have an active virusscanner.
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >EICAR.TXT
@echo Activate the Eicar test-string
copy EICAR.TXT EICAR1.COM >NUL
@echo Create a subst-drive Q: for this path
@echo Create e even deeper filepath (thus exceeding the limit of NTFS's
@echo Change current folder into "the deep"
@echo Create the Eicar test-string
@echo Activate the Eicar test-string
copy EICAR.TXT EICAR2.COM >NUL
echo End of test-script
I'd like to reiterate that these are not my findings, I'm merely passing the information on to these forums.
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
\"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
January 31st, 2002, 03:30 PM
It seems Symantec may have already fixed this exposure in it's NAVCE 7.51 Build 54. The following is quoted from their Platinum Support site.
"Long Path names
Symptom: Files and Folders with full path names longer than 259 characters would not be scanned, and no error was generated. In some cases, the client or server would crash.
Solution: Additional error checking was added to detect these file names, log the error in the NAV and NT Event Logs (Scan Omission) and to ignore the scanning of the file to prevent crashes."