Date: Sat, 1 Dec 2012 21:58:43 +0100
From: Timo Warns <Warns@...-Sense.DE>
To: oss-security@...ts.openwall.com
Subject: CVE request: TSK misrepresents "." files on FAT filesystems

The Sleuth Kit misrepresents files named "." on FAT filesystems. An
attacker could rename a file to "." to evade detection by a forensic
analysis.

Affected is the current version 4.0.1. Older versions are probably
affected as well.

No patch is currently available. The bug is tracked at
http://sourceforge.net/tracker/?func=detail&aid=3523019&group_id=55685&atid=477889

AFAICS, the bug was originally identified by Wim Bertels
http://sourceforge.net/mailarchive/forum.php?thread_name=1305739444.2355.35.camel%40zwerfkat&forum_name=sleuthkit-users

Further discussion is at
http://sourceforge.net/mailarchive/forum.php?thread_name=20120503111900.GL18142%40hauptmenue&forum_name=sleuthkit-users


The vulnerability is already exploited, for example, by the Flame
malware (possibly unintendedly). Flame uses an encrypted SQLite-DB named
"." for extraction of confidential files and for update distribution.
An analyst may miss the file as the Sleuth Kit does not appropriately
show the file.

http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/
http://blog.crysys.hu/2012/06/flame-usb-dot-file-confirmed/

Regards, Timo

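The post describes the evasion but no check for it, so here is an added example (not from the post or from The Sleuth Kit) that scans the raw 32-byte entries of a FAT directory and flags any entry named "." or ".." that is not the self/parent reference FAT keeps in the first two slots of a subdirectory. The byte layout used (8.3 name in bytes 0-10, attribute byte 11, long-file-name entries with attribute 0x0F, file size at bytes 28-31) is the standard FAT directory format; the sample directory is constructed, not taken from a real image.

```python
ATTR_DIR, ATTR_LFN, ENTRY = 0x10, 0x0F, 32

def short_name(e: bytes) -> str:
    """Decode the 8.3 name field; a leading 0x05 byte stands for 0xE5."""
    base = (b"\xe5" + e[1:8] if e[0] == 0x05 else e[:8]).decode("latin-1").rstrip()
    ext = e[8:11].decode("latin-1").rstrip()
    return base + "." + ext if ext else base

def lfn_piece(e: bytes) -> str:
    """Decode the 13 UTF-16LE units held by one long-file-name entry."""
    raw = e[1:11] + e[14:26] + e[28:32]
    return raw.decode("utf-16-le", "replace").split("\x00", 1)[0]

def suspicious_dot_entries(directory: bytes, is_root: bool) -> list:
    """Return (slot, short name, long name) for every entry named '.' or '..'
    that is not the self/parent reference FAT keeps in slots 0-1 of a subdirectory."""
    findings, lfn_parts = [], []
    for slot in range(len(directory) // ENTRY):
        e = directory[slot * ENTRY:(slot + 1) * ENTRY]
        if e[0] == 0x00:                        # never-used slot: end of directory
            break
        if e[0] == 0xE5:                        # deleted entry
            lfn_parts = []
            continue
        if (e[11] & 0x3F) == ATTR_LFN:          # LFN pieces are stored last piece first
            lfn_parts.insert(0, lfn_piece(e))
            continue
        sname, lname = short_name(e), "".join(lfn_parts)
        lfn_parts = []
        if sname in (".", "..") or lname in (".", ".."):
            size = int.from_bytes(e[28:32], "little")
            legit = (not is_root and slot < 2 and e[11] & ATTR_DIR
                     and size == 0 and not lname)
            if not legit:
                findings.append((slot, sname, lname))
    return findings

# Constructed sample subdirectory (not a real image): slots 0-1 are the legitimate
# "." and "..", slot 3 is a file whose 8.3 name is ".", slot 5 has an LFN spelling ".".
def make_entry(name: bytes, ext: bytes, attr: int, size: int) -> bytes:
    return name.ljust(8) + ext.ljust(3) + bytes([attr]) + bytes(16) + size.to_bytes(4, "little")
def make_lfn(text: str) -> bytes:
    u = (text + "\x00").encode("utf-16-le").ljust(26, b"\xff")
    return bytes([0x41]) + u[:10] + bytes([ATTR_LFN, 0, 0]) + u[10:22] + bytes(2) + u[22:]

SAMPLE_SUBDIR = b"".join([
    make_entry(b".", b"", ATTR_DIR, 0), make_entry(b"..", b"", ATTR_DIR, 0),
    make_entry(b"README", b"TXT", 0x20, 120), make_entry(b".", b"", 0x20, 4096),
    make_lfn("."), make_entry(b"DOT~1", b"", 0x20, 8192), bytes(ENTRY)])
```

Running `suspicious_dot_entries(SAMPLE_SUBDIR, is_root=False)` reports slots 3 and 5, the two entries a tool that trusts the "." name would hide; the root directory is scanned with `is_root=True`, where no "." entry is legitimate at all.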