ID CVE-2004-0552 Type cve Reporter cve@mitre.org Modified 2017-07-11T01:30:00
Description
Sophos Small Business Suite 1.00 on Windows does not properly handle files whose names contain reserved MS-DOS device names such as (1) LPT1, (2) COM1, (3) AUX, (4) CON, or (5) PRN, which can allow malicious code to bypass detection when it is installed, copied, or executed.
{"osvdb": [{"lastseen": "2017-04-28T13:20:05", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nVendor URL: http://www.sophos.com/\nSecurity Tracker: 1011387\n[Secunia Advisory ID:12622](https://secuniaresearch.flexerasoftware.com/advisories/12622/)\nOther Advisory URL: http://www.idefense.com/application/poi/display?id=143&type=vulnerabilities\n[CVE-2004-0552](https://vulners.com/cve/CVE-2004-0552)\n", "modified": "2004-09-22T00:00:00", "published": "2004-09-22T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:10225", "id": "OSVDB:10225", "type": "osvdb", "title": "Sophos Anti-Virus Reserved DOS Name Scan Failure", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "description": "Sophos Small Business Suite Reserved Device Name Handling Vulnerability\r\n\r\niDEFENSE Security Advisory 09.22.04\r\nwww.idefense.com/application/poi/display?id=143&type=vulnerabilities\r\nSeptember 22, 2004\r\n\r\nI. BACKGROUND\r\n\r\nSophos Small Business Suite includes the Sophos PureMessage Small\r\nBusiness Edition, combining virus and spam protection for the email\r\ngateway, and Sophos Anti-Virus Small Business Edition, which offers\r\ndesktop and server defense against the virus threat.\r\n\r\nII. DESCRIPTION\r\n\r\nRemote exploitation of design vulnerability in version 1.00 of Sophos\r\nPlc.'s Small Business Suite allows malicious code to evade detection.\r\n\r\nThe problem specifically exists in attempts to scan files and\r\ndirectories named as reserved MS-DOS devices. These represent devices\r\nsuch as the first printer port (LPT1) and the first serial communication\r\nport (COM1). Sample reserved MS-DOS device names include AUX, CON, PRN,\r\nCOM1 and LPT1.\r\n\r\nIf malicious code embeds itself within a reserved device name, it can\r\navoid detection by Small Business Suite when the system is scanned.\r\nMalicious code can also potentially use reserved device names to bypass\r\ne-mail scanning, thereby potentially delivering hostile payloads to\r\nusers. Small Business Suite will scan the files and folders containing\r\nthe virus and fail to detect or report them. Real-time protection\r\nagainst malicious code is also affected; if a malicious code is copied\r\nfrom a file named using a reserved MS-DOS device name to another file\r\nalso named using a reserved MS-DOS device name, Small Business Suite\r\nwill not detect it.\r\n\r\nIt may also be possible for malicious code to execute without detection\r\nfrom files named using reserved MS-DOS device name. Reserved device\r\nnames can be created with standard Windows utilities by specifying the\r\nfull Universal Naming Convention (UNC) path. The following command will\r\nsuccessfully copy a file to the reserved device name 'aux' on the C:\\r\ndrive:\r\n\r\ncopy source \\.\C:\aux\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation allows remote attackers to launch malicious code that can\r\nevade detection. Remote attackers can unpack or decode an otherwise\r\ndetected malicious payload in a stealth manner. Exploitation may allow\r\nattackers to bypass e-mail filters, thereby increasing the propensity of\r\na target user executing a malicious attachment.\r\n\r\nFiles and directories using reserved MS-DOS device names can be removed\r\nby specifying the full Universal Naming Convention (UNC) path. The\r\nfollowing command will successfully remove a file stored on the C:\\r\ndrive named 'aux':\r\n\r\ndel \\.\C:\aux\r\n\r\nIV. DETECTION\r\n\r\nSophos Small Business Suite 1.00 is confirmed affected. Earlier versions\r\nreportedly crash upon the parsing of files or directories employing\r\nreserved MS-DOS device names.\r\n\r\nV. WORKAROUND\r\n\r\nExplicitly block file attachments that use reserved MS-DOS device names.\r\nEnsure that no local files or directories using reserved MS-DOS device\r\nnames exist. On most modern Windows systems, reserved MS-DOS device\r\nnames should not be present. While the Windows search utility can be\r\nused to locate offending files and directories, either a separate tool\r\nor the specification of Universal Naming Convention (UNC) should be used\r\nto remove them.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\n"LPT1, LPT2, COM1 etc are reserved by the operating system for devices.\r\nDespite this, Windows will allow these strings to be used as file names\r\nand when such files are accessed, the operating system attempts to treat\r\nthem as devices rather than files except under the circumstances you\r\nhave outlined.\r\n\r\nAlthough this vulnerability has never been exploited by a virus it could\r\nbe theoretically be used to contain viral code. Sophos has improved its\r\ncode within both its on-access and on-demand scanners to deal with these\r\nimproperly named files as files and not devices.\r\n\r\nThis improvement to Sophos Anti-Virus will be included in version 3.86\r\n(available 22/09/04)."\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nnames CAN-2004-0552 to these issues. This is a candidate for inclusion\r\nin the CVE list (http://cve.mitre.org), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n08/06/2004 Initial vendor notification\r\n08/06/2004 iDEFENSE clients notified\r\n08/09/2004 Initial vendor response\r\n09/22/2004 Coordinated public disclosure\r\n\r\nIX. CREDIT\r\n\r\nKurt Seifried (kurt[at]seifried.org) is credited with this discovery.\r\n\r\nGet paid for vulnerability research\r\nhttp://www.idefense.com/poi/teams/vcp.jsp\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright (c) 2004 iDEFENSE, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDEFENSE. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically, please\r\nemail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\nThere are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct, indirect,\r\nor consequential loss or damage arising from use of, or reliance on,\r\nthis information.", "modified": "2004-09-27T00:00:00", "published": "2004-09-27T00:00:00", "id": "SECURITYVULNS:DOC:6857", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6857", "title": "iDEFENSE Security Advisory 09.22.04 - Sophos Small Business Suite Reserved Device Name Handling Vulnerability", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-02T23:39:59", "bulletinFamily": "exploit", "description": "Sophos Anti-Virus 3.x Reserved MS-DOS Name Scan Evasion Vulnerability. CVE-2004-0552. Remote exploit for windows platform", "modified": "2004-09-22T00:00:00", "published": "2004-09-22T00:00:00", "id": "EDB-ID:24623", "href": "https://www.exploit-db.com/exploits/24623/", "type": "exploitdb", "title": "Sophos Anti-Virus 3.x - Reserved MS-DOS Name Scan Evasion Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/11236/info\r\n\r\nSophos Anti-Virus is affected by a reserved MS-DOS name virus scan evasion vulnerability. This issue is due to a design error that allows certain files to avoid being scanned.\r\n\r\nAn attacker may leverage this issue to bypass the scanner protection provided by the vulnerable anti-virus scanner, giving users a false sense of security. It is reported that this issue can be leveraged to bypass both file system and email virus scanners, allowing this issue to be exploited remotely.\r\n\r\ncopy source \\\\.\\C:\\aux", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/24623/"}]}
