Date: Mon, 03 Dec 2012 18:54:44 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Timo Warns <Warns@...-Sense.DE>
Subject: Re: CVE request: TSK misrepresents "." files on FAT filesystems

On 12/01/2012 01:58 PM, Timo Warns wrote:
> The Sleuth Kit misrepresents files named "." on FAT filesystems.
> An attacker could rename a file to "." to evade detection by a
> forensic analysis.
> 
> Affected is the current version 4.0.1. Older versions are probably 
> affected as well.
> 
> No patch is currently available. The bug is tracked at
> http://sourceforge.net/tracker/?func=detail&aid=3523019&group_id=55685&atid=477889
> 
> AFAICS, the bug was originally identified by Wim Bertels
> http://sourceforge.net/mailarchive/forum.php?thread_name=1305739444.2355.35.camel%40zwerfkat&forum_name=sleuthkit-users
> 
> Further discussion is at
> http://sourceforge.net/mailarchive/forum.php?thread_name=20120503111900.GL18142%40hauptmenue&forum_name=sleuthkit-users
> 
> The vulnerability is already exploited, for example, by the Flame
> malware (possibly unintentionally). Flame uses an encrypted SQLite DB
> named "." for extraction of confidential files and for update
> distribution. An analyst may miss the file as the Sleuth Kit does
> not appropriately show the file.
> 
> http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/
> http://blog.crysys.hu/2012/06/flame-usb-dot-file-confirmed/
> 
> Regards, Timo

Please use CVE-2012-5619 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

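As an added illustration (not The Sleuth Kit's code, and not a description of how the Flame file was actually encoded on disk, which this thread does not state), the Python below sketches the class of mistake the report describes and the check that avoids it. It assumes a FAT subdirectory that holds, besides the real "." and ".." link entries, a regular file whose 8.3 name field is "." with the directory attribute clear; the directory contents, cluster numbers and file sizes are constructed sample data. A lister that hides anything named "." or ".." by name alone drops that file; one that only treats an entry as the self or parent link when it carries ATTR_DIRECTORY and its first cluster matches the directory being listed (or its parent) reports it.

```python
import struct

# FAT attribute bits (from the FAT specification)
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE = 0x20
ATTR_LONG_NAME = 0x0F        # an LFN fragment, not a file entry
ATTR_LONG_NAME_MASK = 0x3F

ENTRY_FMT = "<11sBBBHHHHHHHI"          # 32-byte short-name directory entry
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 32


def make_entry(name, ext, attr, first_cluster, size):
    """Build a 32-byte short-name entry. Constructed sample data, not from an image."""
    name_field = name.encode("ascii").ljust(8, b" ") + ext.encode("ascii").ljust(3, b" ")
    return struct.pack(ENTRY_FMT, name_field, attr, 0, 0, 0, 0, 0,
                       (first_cluster >> 16) & 0xFFFF, 0, 0,
                       first_cluster & 0xFFFF, size)


def parse_entry(raw):
    """Decode name, attribute byte, first cluster and size from one entry."""
    (name_field, attr, _nt, _tenth, _ctime, _cdate, _adate,
     clus_hi, _wtime, _wdate, clus_lo, size) = struct.unpack(ENTRY_FMT, raw)
    base = name_field[:8].rstrip(b" ").decode("ascii", "replace")
    ext = name_field[8:].rstrip(b" ").decode("ascii", "replace")
    return {"name": base + ("." + ext if ext else ""),
            "attr": attr,
            "cluster": (clus_hi << 16) | clus_lo,
            "size": size}


def iter_entries(dir_bytes):
    """Yield live short-name entries; stop at the 0x00 end marker, skip deleted (0xE5) and LFN entries."""
    for off in range(0, len(dir_bytes), ENTRY_SIZE):
        raw = dir_bytes[off:off + ENTRY_SIZE]
        if len(raw) < ENTRY_SIZE or raw[0] == 0x00:
            return
        if raw[0] == 0xE5 or (raw[11] & ATTR_LONG_NAME_MASK) == ATTR_LONG_NAME:
            continue
        yield parse_entry(raw)


def list_by_name(dir_bytes):
    """Name-only rule: anything called '.' or '..' is assumed to be the self/parent link and hidden."""
    return [e["name"] for e in iter_entries(dir_bytes) if e["name"] not in (".", "..")]


def list_by_attr(dir_bytes, this_cluster, parent_cluster):
    """Checked rule: an entry is the self/parent link only if it is a directory whose
    first cluster points where the link must point; any other entry named '.' is a file."""
    out = []
    for e in iter_entries(dir_bytes):
        is_dir = bool(e["attr"] & ATTR_DIRECTORY)
        if e["name"] == "." and is_dir and e["cluster"] == this_cluster:
            continue
        if e["name"] == ".." and is_dir and e["cluster"] == parent_cluster:
            continue
        out.append(e["name"])
    return out


def hidden_by_name_rule(dir_bytes, this_cluster, parent_cluster):
    """Entries the name-only listing drops but the checked listing keeps: the analyst's cross-check."""
    shown = list_by_name(dir_bytes)
    checked = list_by_attr(dir_bytes, this_cluster, parent_cluster)
    return [n for n in checked if n not in shown]


# Constructed subdirectory at cluster 5 whose parent lives at cluster 2 (hypothetical values).
THIS_CLUSTER = 5
PARENT_CLUSTER = 2
SAMPLE_DIR = b"".join([
    make_entry(".", "", ATTR_DIRECTORY, THIS_CLUSTER, 0),      # real self link
    make_entry("..", "", ATTR_DIRECTORY, PARENT_CLUSTER, 0),   # real parent link
    make_entry("README", "TXT", ATTR_ARCHIVE, 9, 120),        # ordinary file
    make_entry(".", "", ATTR_ARCHIVE, 17, 4096),              # regular file named "." (assumed encoding)
    b"\x00" * ENTRY_SIZE,                                     # end-of-directory marker
])

if __name__ == "__main__":
    print("name-only listing:", list_by_name(SAMPLE_DIR))
    print("checked listing:  ", list_by_attr(SAMPLE_DIR, THIS_CLUSTER, PARENT_CLUSTER))
    print("hidden by name rule:", hidden_by_name_rule(SAMPLE_DIR, THIS_CLUSTER, PARENT_CLUSTER))
```

When a tool's directory listing is in doubt, the cross-check is to count the live short-name entries in the directory's clusters yourself (excluding LFN fragments and the two link entries, which must be directories pointing at the expected clusters) and compare with the number of children the tool reports; in the constructed case above the name-only view is short by exactly the "." file.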
