Date: Mon, 03 Dec 2012 18:54:44 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Timo Warns <Warns@...-Sense.DE>
Subject: Re: CVE request: TSK misrepresents "." files on FAT filesystems

On 12/01/2012 01:58 PM, Timo Warns wrote:
> The Sleuth Kit misrepresents files named "." on FAT filesystems.
> An attacker could rename a file to "." to evade detection by a
> forensic analysis.
>
> Affected is the current version 4.0.1. Older versions are probably
> affected as well.
>
> No patch is currently available. The bug is tracked at
> http://sourceforge.net/tracker/?func=detail&aid=3523019&group_id=55685&atid=477889
>
> AFAICS, the bug was originally identified by Wim Bertels
> http://sourceforge.net/mailarchive/forum.php?thread_name=1305739444.2355.35.camel%40zwerfkat&forum_name=sleuthkit-users
>
> Further discussion is at
> http://sourceforge.net/mailarchive/forum.php?thread_name=20120503111900.GL18142%40hauptmenue&forum_name=sleuthkit-users
>
> The vulnerability is already exploited, for example, by the Flame
> malware (possibly unintentionally). Flame uses an encrypted SQLite-DB
> named "." for extraction of confidential files and for update
> distribution. An analyst may miss the file as the Sleuth Kit does
> not appropriately show the file.
>
> http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/
> http://blog.crysys.hu/2012/06/flame-usb-dot-file-confirmed/
> 
> Regards, Timo

Please use CVE-2012-5619 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

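The check an analyst would want for the issue described in this thread, as an added example that is not code from The Sleuth Kit or from either poster: it parses raw FAT 8.3 directory entries and flags any entry that decodes to "." or ".." but is not the subdirectory's own self-reference (first two slots, ATTR_DIRECTORY set, size zero), since a regular file carrying that name is exactly what a viewer may collapse into, or skip as, the normal dot entry. The directory bytes are constructed here; how Flame's "." file is actually encoded on disk is not stated in the thread, and the example assumes a plain short entry whose name field is a dot padded with spaces and whose attribute byte marks a regular file.

```python
"""Flag FAT directory entries named "." that are not the directory's own
self-reference.  Added example, not Sleuth Kit code; see lead-in."""
import struct

ATTR_READ_ONLY = 0x01
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE = 0x20
ATTR_LONG_NAME = ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM | ATTR_VOLUME_ID

ENTRY_SIZE = 32
# Short (8.3) directory entry, little-endian, 32 bytes:
# name[11] attr ntres crt_tenth crt_time crt_date acc_date clus_hi
# wrt_time wrt_date clus_lo size
ENTRY_FMT = "<11sBBBHHHHHHHI"
assert struct.calcsize(ENTRY_FMT) == ENTRY_SIZE


def make_entry(base, ext, attr, cluster=0, size=0):
    """Build one 8.3 entry.  Used only to construct the sample data below."""
    name = base.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    return struct.pack(ENTRY_FMT, name, attr, 0, 0, 0, 0, 0,
                       (cluster >> 16) & 0xFFFF, 0, 0, cluster & 0xFFFF, size)


def parse_entries(directory_bytes):
    """Decode the short entries of one directory, skipping free slots and
    VFAT long-name fragments.  Returns dicts with index, name, attr,
    cluster and size."""
    entries = []
    for off in range(0, len(directory_bytes) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = directory_bytes[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:        # no entries after this one
            break
        if raw[0] == 0xE5:        # deleted slot
            continue
        (name, attr, _nt, _tenth, _ct, _cd, _ad,
         clus_hi, _wt, _wd, clus_lo, size) = struct.unpack(ENTRY_FMT, raw)
        if attr & ATTR_LONG_NAME == ATTR_LONG_NAME:
            continue              # long-name piece, not a file of its own
        base = name[:8].rstrip(b" ").decode("ascii", "replace")
        ext = name[8:].rstrip(b" ").decode("ascii", "replace")
        entries.append({
            "index": off // ENTRY_SIZE,
            "name": base + ("." + ext if ext else ""),
            "attr": attr,
            "cluster": (clus_hi << 16) | clus_lo,
            "size": size,
        })
    return entries


def find_suspicious_dot_entries(entries, is_subdirectory):
    """Every FAT subdirectory starts with "." and ".." entries that carry
    ATTR_DIRECTORY and a zero size; the root directory has neither.
    Anything else that decodes to "." or ".." is a file hiding behind
    a name a viewer may collapse or skip."""
    findings = []
    for e in entries:
        if e["name"] not in (".", ".."):
            continue
        canonical_slot = 0 if e["name"] == "." else 1
        legitimate = (is_subdirectory
                      and e["index"] == canonical_slot
                      and bool(e["attr"] & ATTR_DIRECTORY)
                      and e["size"] == 0)
        if not legitimate:
            findings.append(e)
    return findings


def demo_subdirectory():
    """Constructed sample: a subdirectory whose fourth slot is a hidden
    regular file named "." (layout is an assumption, not from a Flame image)."""
    data = b"".join([
        make_entry(".", "", ATTR_DIRECTORY, cluster=5),
        make_entry("..", "", ATTR_DIRECTORY, cluster=0),
        make_entry("README", "TXT", ATTR_ARCHIVE, cluster=6, size=120),
        make_entry(".", "", ATTR_ARCHIVE | ATTR_HIDDEN, cluster=7, size=4096),
    ]) + b"\x00" * ENTRY_SIZE
    return find_suspicious_dot_entries(parse_entries(data), is_subdirectory=True)


def demo_root():
    """Constructed sample: a root directory, which must not contain dot
    entries at all, with a file named "." in its first slot."""
    data = b"".join([
        make_entry(".", "", ATTR_ARCHIVE, cluster=9, size=64),
        make_entry("NOTES", "TXT", ATTR_ARCHIVE, cluster=10, size=10),
    ]) + b"\x00" * ENTRY_SIZE
    return find_suspicious_dot_entries(parse_entries(data), is_subdirectory=False)


if __name__ == "__main__":
    for e in demo_subdirectory() + demo_root():
        print("suspicious entry #%d name=%r attr=0x%02x cluster=%d size=%d"
              % (e["index"], e["name"], e["attr"], e["cluster"], e["size"]))
```

Feed it the raw bytes of a directory's cluster chain; the legitimacy test is purely positional and attribute-based, so it does not depend on how any particular analysis tool chooses to render or skip dot-named entries, and a hit gives the start cluster and size needed to carve the hidden file directly.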