Message-ID: <50BD57E4.8090800@redhat.com>
Date: Mon, 03 Dec 2012 18:54:44 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Timo Warns <Warns@...-Sense.DE>
Subject: Re: CVE request: TSK misrepresents "." files on FAT filesystems

On 12/01/2012 01:58 PM, Timo Warns wrote:
> The Sleuth Kit misrepresents files named "." on FAT filesystems.
> An attacker could rename a file to "." to evade detection by a
> forensic analysis.
>
> Affected is the current version 4.0.1. Older versions are probably
> affected as well.
>
> No patch is currently available. The bug is tracked at
> http://sourceforge.net/tracker/?func=detail&aid=3523019&group_id=55685&atid=477889
>
> AFAICS, the bug was originally identified by Wim Bertels
> http://sourceforge.net/mailarchive/forum.php?thread_name=1305739444.2355.35.camel%40zwerfkat&forum_name=sleuthkit-users
>
> Further discussion is at
> http://sourceforge.net/mailarchive/forum.php?thread_name=20120503111900.GL18142%40hauptmenue&forum_name=sleuthkit-users
>
> The vulnerability is already exploited, for example, by the Flame
> malware (possibly unintendedly). Flame uses an encrypted SQLite-DB
> named "." for extraction of confidential files and for update
> distribution. An analyst may miss the file as the Sleuth Kit does
> not appropriately show the file.
>
> http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/
>
> http://blog.crysys.hu/2012/06/flame-usb-dot-file-confirmed/
>
> Regards, Timo

Please use CVE-2012-5619 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
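
An added example, not part of the thread and not Sleuth Kit code: a cross-check an analyst can run over the raw bytes of a FAT directory to list entries named "." that are not the directory's own self-reference. It assumes the standard 32-byte FAT short directory entry layout; the function names and the sample directory are constructed for illustration.

```python
import struct

ENTRY = struct.Struct("<11sB8xH4xHI")   # name, attr, cluster hi, cluster lo, size
ATTR_VOLUME_ID, ATTR_DIRECTORY, ATTR_LFN = 0x08, 0x10, 0x0F
DOT_NAME = b"." + b" " * 10             # "." padded to the 11-byte 8.3 name field


def make_entry(name, attr, cluster=0, size=0):
    """Build one constructed 32-byte short directory entry (demo input only)."""
    return ENTRY.pack(name.ljust(11), attr, cluster >> 16, cluster & 0xFFFF, size)


def find_dot_files(raw, is_root=False):
    """Return (slot, reason, first_cluster, size) for every entry named "."
    that is not the directory's own self-reference in slot 0."""
    hits = []
    for slot in range(len(raw) // ENTRY.size):
        entry = raw[slot * ENTRY.size:(slot + 1) * ENTRY.size]
        if entry[0] == 0x00:                 # end-of-directory marker
            break
        if entry[0] == 0xE5:                 # deleted entry
            continue
        name, attr, hi, lo, size = ENTRY.unpack(entry)
        if (attr & 0x3F) == ATTR_LFN or (attr & ATTR_VOLUME_ID):
            continue                         # long-name slot or volume label
        if name != DOT_NAME:
            continue
        cluster = (hi << 16) | lo
        if not (attr & ATTR_DIRECTORY):
            hits.append((slot, "regular file named '.'", cluster, size))
        elif is_root or slot != 0:           # the root directory has no "." entry
            hits.append((slot, "unexpected '.' directory entry", cluster, size))
    return hits


# Constructed subdirectory: ".", "..", a normal file, then a file named ".".
SAMPLE_DIR = b"".join([
    make_entry(b".", ATTR_DIRECTORY, cluster=5),
    make_entry(b"..", ATTR_DIRECTORY),
    make_entry(b"README  TXT", 0x20, cluster=6, size=120),
    make_entry(b".", 0x20, cluster=7, size=4096),
    bytes(32),                               # end-of-directory
])

if __name__ == "__main__":
    for hit in find_dot_files(SAMPLE_DIR):
        print(hit)
```

Any hit gives the starting cluster and size needed to carve the file's content directly from the image, independent of how a file browser renders the name.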