[sleuthkit-developers] [ sleuthkit-Bugs-3523019 ] More checks on FAT "." entries
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-developers] [ sleuthkit-Bugs-3523019 ] More checks on FAT "." entries
|
From: SourceForge.net <no...@so...> - 2012-12-12 12:17:26
|
Bugs item #3523019, was opened at 2012-05-02 06:36 Message generated for change (Comment added) made by timowpre You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3523019&group_id=55685 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: File System Tools Group: None Status: Open Resolution: None Priority: 5 Private: No Submitted By: Brian Carrier (carrier) Assigned to: Nobody/Anonymous (nobody) Summary: More checks on FAT "." entries Initial Comment: Currently, TSK does special things with any "." entry it finds in the directory. We should limit this to only the first couple of entires in the directory. Otherwise, someone could manually change the name of a file to be "." and its content would not be accessible. ---------------------------------------------------------------------- Comment By: Timo Warns (timowpre) Date: 2012-12-12 04:17 Message: From aca201cb4a937709c055350101cdd36b01ce4b5b Mon Sep 17 00:00:00 2001 From: Timo Warns <wa...@pr...> Date: Wed, 12 Dec 2012 11:52:19 +0100 Subject: [PATCH] limit special handling of files named "." and ".." A file named "." or ".." shall only be specially handled if it is a directory and is among the first two directory entries. Otherwise, renaming a file to "." or ".." could hide the file from TSK. Fixes CVE-2012-5619. --- tsk3/fs/fatfs_dent.cpp | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/tsk3/fs/fatfs_dent.cpp b/tsk3/fs/fatfs_dent.cpp index b76b9e3..aa0a4e2 100644 --- a/tsk3/fs/fatfs_dent.cpp +++ b/tsk3/fs/fatfs_dent.cpp @@ -439,7 +439,9 @@ static TSK_RETVAL_ENUM * slot in the cluster, but it needs to refer to the original * slot */ - if (TSK_FS_ISDOT(fs_name->name)) { + if (TSK_FS_ISDOT(fs_name->name) + && (fs_name->type == TSK_FS_NAME_TYPE_DIR) + && idx < 2) { if (fs_name->name[1] == '\0') { fs_name->meta_addr = a_fs_dir->fs_file->meta->addr; -- 1.7.2.5 ---------------------------------------------------------------------- Comment By: Timo Warns (timowpre) Date: 2012-12-12 04:16 Message: The attached patch seems to fix the issue. ---------------------------------------------------------------------- Comment By: Timo Warns (timowpre) Date: 2012-11-26 06:28 Message: Here is a reproducer: ### create an empty image $ dd if=/dev/zero of=empty.img bs=1M count=50 $ mkfs.vfat -F32 empty.img ### create an image with FILE.txt $ cp empty.img file.img $ mount -o loop file.img /mnt/image/ $ echo "HELLO" > /mnt/image/FILE.TXT $ umount /mnt/image/ ### create an image with "." file (renamed from FILE.TXT) $ xxd -p file.img | sed -e 's/46494c4520202020545854/2e20202020202020202020/' | xxd -r -p > dot.img ### use TSK $ fls -V The Sleuth Kit ver 4.0.1 $ fls -a empty.img v/v 1612675: $MBR v/v 1612676: $FAT1 v/v 1612677: $FAT2 d/d 1612678: $OrphanFiles $ fls -a file.img r/r 3: FILE.TXT v/v 1612675: $MBR v/v 1612676: $FAT1 v/v 1612677: $FAT2 d/d 1612678: $OrphanFiles $ fls -a dot.img r/d 2: . v/v 1612675: $MBR v/v 1612676: $FAT1 v/v 1612677: $FAT2 d/d 1612678: $OrphanFiles ---------------------------------------------------------------------- Comment By: Brian Carrier (carrier) Date: 2012-11-26 06:22 Message: Interesting. That side effect could also be because of the de-duping code in TSK. It's strange in that report that entry 2 came up as r/d meaning that it thought it was a file at the name level, but then mapped it to the directory at the meta data level. ---------------------------------------------------------------------- Comment By: Timo Warns (timowpre) Date: 2012-11-26 01:15 Message: Note that this bug affects analyses of USB sticks that came in contact with the Flame malware. On FAT file systems, Flame creates a file with short name "HUB001.DAT" and long name "." in the root directory (see http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/). TSK does not appropriately show such files (e.g., see http://blog.crysys.hu/2012/06/flame-usb-dot-file-confirmed/). If Flame writes its file to an empty USB stick, the file is the very first entry of the root directory. Hence, a limitation of the "special things" to the first couple of entries is not sufficient in this case. ---------------------------------------------------------------------- Comment By: Brian Carrier (carrier) Date: 2012-05-02 06:37 Message: Reported by Ilias Van Peer. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3523019&group_id=55685 |
