Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:5870
HistoryMar 09, 2004 - 12:00 a.m.

NAV bugs!

2004-03-0900:00:00
vulners.com
9
JSON

Subject: NAV bugs!
Published: Friday, 05 March, 2004
Updated: 06-Mar-04
Discovered By: Bipin Gautam ( hUNT3R )
Product Version: Norton Antivirus 2002 [ ver: 8.00.58 ] (~Only tested On…~)
Risk Impact: Low-Medium

Details:
During a 'manual scan' of a folder, if Norton Antivirus (NAV) encounters a file /folder name with 'some' ASCII characters ( 1-31) NAV can't further proceed the manual scan and its front-end 'NAVW32.exe' crashes! This Bug has no impact in the NAV Auto-Protect Engine.
Exploit 1). : Norton Antivirus 2002 fails to scan files with special character(s) properly.
http://www.geocities.com/visitbipin/test_nav.zip
Create a folder (say: '!' ) and put some sub-folders and files in it. The file/sub-folder name must contain ASCII character(s) ( 1-31) . Have a manual scan of the folder named '!' NAV can't proceed the scan and crashes!
Exploit 2). : Norton Antivirus Auto-protect fails to stop a HOSTILE CODE… that is in the last sub dir. that windows OS can create!
Run this batch script, first and make sure you have 95 sub-folders inside the folder named '----------------------------------------------------------------' in c:\ (root)

=-------CUT----------=
@echo off
echo ( you can use, http://www.eicar.org/anti_virus_test_file.htm)
echo for a harmless test…
pause
cd\
c:
cd\
:hUNT3r
md 1
cd 1
if not errorlevel 1 goto :hUNT3r
:rename
cd\
c:
cd\
ren 1 ----------------------------------------------------------------
explorer c:
exit
=-------CUT----------=
Now… drag/drop a trojan named 1.exe (that NAV recognises as a hostile program) to the 93'rd sub-folder and execute the program from there… NAV-AUTO PROTECT is unable to scan/block the program & the trojan gets executed.
[…THIS TECHNIQUE SHOULD WORK FOR SOME OTHER ANTIVIRUS PRODUCT TOO…]

[NOTE]---------------------------------------------------------------------------------------->
drag/drop the trojan code, in a scene… FOR TEST PURPOSE you either temporarily disable your NAV and copy a trojan there and then enable NAV then and then execute the trojan . NAV is unable to scan/detect it as a virus… when it gets executed!
OR
you create a blank file and / inject a hostile code named 1.* in the 93'rd sub directory… and execute it! NAV IS UNABLE TO DETECT IT AS A VIRUS Ps: 93'rd directory is the last sub-folder that windows can create in the situation…
NOTE]----------------------------------------------------------------------------------------<
Make sure the trojan/warm.exe just have a 1 character file-name! when it is executer from 93'rd sub directory! (…Last possible DIRECTORY where the file file can be copied!)
Disclaimer: The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on this information.

Stay in touch better and keep protected online with MSN’s NEW all-in-one Premium Services. Find out more here.

JSON