Symantec Antivirus Multiple Remote Memory Corruption Unpacking RAR

2016.06.30
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=810 A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITYSYSTEM on Windows, and root on Linux and Mac. It is self-evident from looking at the decomposer code that Symantec have based the RAR decompression on the open-source unrar package from RAR labs (Note: this is permitted by the unrar license). By comparing Symantec's code to the open source code, I have determined that Symantec are probably using version 4.1.4 of the unrar code, released in January 2012. The most current version is version 5.3.11. Between the version of unrar that Symantec runs as NT AUTHORITYSYSTEM to unpack untrusted binaries received over the network and the the current version, literally hundreds of critical memory corruption bugs have been resolved. I have verified that multiple publicly known vulnerabilities affect Symantec, and can result in remote code execution as NT AUTHORTITYSYSTEM on Windows and root on Linux and Mac. I have verified this on the following products: Norton Antivirus, Windows Symantec Endpoint Protection, Linux and Windows Symantec Scan Engine, Linux and Windows Presumably this affects all other Symantec products using the core Symantec scan engine. In my opinion, I'm being exceptionally generous considering this issue a new vulnerability and not public information. Frankly, it is astonishing that Symantec do not track new releases of third party code they use. I think you should take this opportunity to check all other third party code you're using to verify you haven't fallen behind. I've attached a trivial example that modifies an arbitrary index in the PlaceA[] array via Unpack::ShortLZ(). (534.adc): Access violation - code c0000005 (!!! second chance !!!) eax=14858d00 ebx=07da63e0 ecx=07da65ec edx=fb6e43a0 esi=07da6370 edi=daf72217 eip=6d7b4016 esp=0da8d260 ebp=0da8d27c iopl=0 nv up ei ng nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286 ccScanw!filelengthi64+0x470b6: 6d7b4016 8994be005d0000 mov dword ptr [esi+edi*4+5D00h],edx ds:002b:73b748cc=14858d00 0:052> lm v mccScanw start end module name 6d690000 6d8bf000 ccScanw (export symbols) C:Program Files (x86)Norton SecurityEngine22.6.0.142ccScanw.dll Loaded symbol image file: C:Program Files (x86)Norton SecurityEngine22.6.0.142ccScanw.dll Image path: C:Program Files (x86)Norton SecurityEngine22.6.0.142ccScanw.dll Image name: ccScanw.dll Timestamp: Tue Jan 26 13:51:55 2016 (56A7EA7B) CheckSum: 0022B3ED ImageSize: 0022F000 File version: 13.1.2.19 Product version: 13.1.2.19 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 1.0 App File date: 00000000.00000000 Translations: 0409.04b0 CompanyName: Symantec Corporation ProductName: Symantec Security Technologies InternalName: ccScan OriginalFilename: CCSCAN.DLL ProductVersion: 13.1.2.19 FileVersion: 13.1.2.19 FileDescription: Symantec Scan Engine LegalCopyright: Copyright (c) 2015 Symantec Corporation. All rights reserved. These bugs are obviously exploitable for remote code execution on all Symantec customer machines as root or SYSTEM.

References:

https://bugs.chromium.org/p/project-zero/issues/detail?id=810


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top