Date: Sat, 1 Dec 2012 21:58:43 +0100
From: Timo Warns <Warns@...-Sense.DE>
To: oss-security@...ts.openwall.com
Subject: CVE request: TSK misrepresents "." files on FAT filesystems

The Sleuth Kit misrepresents files named "." on FAT filesystems. An attacker could rename a file to "." to evade detection by a forensic analysis.

Affected is the current version 4.0.1. Older versions are probably affected as well. No patch is currently available.

The bug is tracked at
http://sourceforge.net/tracker/?func=detail&aid=3523019&group_id=55685&atid=477889

AFAICS, the bug was originally identified by Wim Bertels
http://sourceforge.net/mailarchive/forum.php?thread_name=1305739444.2355.35.camel%40zwerfkat&forum_name=sleuthkit-users

Further discussion is at
http://sourceforge.net/mailarchive/forum.php?thread_name=20120503111900.GL18142%40hauptmenue&forum_name=sleuthkit-users

The vulnerability is already exploited, for example, by the Flame malware (possibly unintendedly). Flame uses an encrypted SQLite-DB named "." for extraction of confidential files and for update distribution. An analyst may miss the file as the Sleuth Kit does not appropriately show the file.
http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/
http://blog.crysys.hu/2012/06/flame-usb-dot-file-confirmed/

Regards,
Timo
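Added example, not part of the post and not The Sleuth Kit's own code: a Python heuristic that walks raw 32-byte FAT directory entries and flags any "." or ".." entry that is not the canonical self/parent link (slot 0 or 1 of a subdirectory, directory attribute set, zero size; the root directory has no dot entries at all), which is where a file renamed to "." would otherwise hide from a listing. The sample directory data and the make_entry helper are constructed for this example; the slot/attribute/size rules are assumptions drawn from the FAT on-disk layout, not TSK's logic.

```python
import struct
ENTRY_SIZE, ATTR_DIRECTORY, ATTR_LFN = 32, 0x10, 0x0F

def make_entry(name, ext, attrs, size=0):
    """Constructed 32-byte 8.3 entry: name/ext space padded, size at offset 28."""
    e = bytearray(ENTRY_SIZE)
    e[0:8], e[8:11], e[11] = name.encode().ljust(8), ext.encode().ljust(3), attrs
    struct.pack_into("<I", e, 28, size)
    return bytes(e)

def parse_entries(raw):
    """Return (slot, short_name, attrs, size) for every in-use 8.3 entry."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if e[0] == 0x00:                      # free entry marks end of directory
            break
        if e[0] == 0xE5 or (e[11] & 0x3F) == ATTR_LFN:
            continue                          # deleted entry, or long-name piece
        name = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        short = name + ("." + ext if ext else "")
        entries.append((off // ENTRY_SIZE, short, e[11], struct.unpack_from("<I", e, 28)[0]))
    return entries

def suspicious_dot_entries(raw, is_root=False):
    """Flag '.'/'..' entries that are not the canonical links at slots 0/1
    of a subdirectory; the root directory must not contain them at all."""
    findings = []
    for slot, short, attrs, size in parse_entries(raw):
        if short not in (".", ".."):
            continue
        expected, reasons = (0 if short == "." else 1), []
        if is_root or slot != expected:
            reasons.append("in root directory" if is_root else f"at slot {slot}, expected {expected}")
        if not attrs & ATTR_DIRECTORY:
            reasons.append("not flagged as a directory")
        if size:
            reasons.append(f"non-zero size {size}")
        if reasons:
            findings.append((slot, short, "; ".join(reasons)))
    return findings

# Constructed sample: a normal subdirectory plus a regular file renamed to "."
SAMPLE_SUBDIR = b"".join([
    make_entry(".", "", ATTR_DIRECTORY), make_entry("..", "", ATTR_DIRECTORY),
    make_entry("NOTES", "TXT", 0x20, 120), make_entry(".", "", 0x20, 4096),
])
```

On a real image, feed each directory's raw cluster data to suspicious_dot_entries (with is_root=True for the root directory) and investigate any finding by its slot and first-cluster fields rather than by the name the tool displays.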