Symantec/Norton anti-virus engine remote heap/pool memory corruption vulnerability analysis (CVE-2016-2208) - vulnerability warning - Black Bar Safety Net

2016-05-23T00:00:00
ID MYHACK58:62201675094
Type myhack58
Reporter Anonymous (佚名)
Modified 2016-05-23T00:00:00

Description

Recently, the core anti-virus engine used by Symantec and Norton products was found to contain a high-risk vulnerability. When the engine parses an executable packed with an early version of ASPack, a buffer overflow occurs, leading to memory corruption and, on Windows, a blue screen. Its CVE number is CVE-2016-2208 and its CNNVD number is CNNVD-201605-423.

Vulnerability details

When the program parses an executable packed with an early ASPack version, a buffer overflow is triggered. The vulnerability occurs when part of the section data is truncated, that is, when the SizeOfRawData value is greater than the SizeOfImage value. This is a remote code execution vulnerability: because Symantec uses a filter driver to intercept all system I/O, simply sending the victim a message containing the file or a link to it is enough to exploit it. On Linux, Mac and UNIX platforms an attacker can use this vulnerability to cause a remote heap overflow in the Symantec or Norton process, which runs as root. On Windows it results in kernel memory corruption; since the scanning engine is loaded into the kernel, the bug becomes a ring0 memory corruption vulnerability. The vulnerability is reachable through e-mail or the browser.

The test case appended to the article contains the source code that creates the POC, which can make a system with Norton Antivirus installed bugcheck, or crash the Symantec Enterprise Endpoint service. The testcase.txt file is a pre-built binary; on an affected system, merely downloading it is enough to trigger a kernel crash. When the file is written to disk, Symantec allocates SizeOfImage bytes of space and copies the data that is available from the truncated section into that buffer, corrupting the heap or the kernel pool.

In effect, Symantec performs the following sequence:

    char *buf = malloc(SizeOfImage);
    memcpy(&buf[DataSection->VirtualAddress], DataSection->PointerToRawData, SectionSizeOnDisk);

All of the values above, and the data itself, are attacker controlled, which leads to a straightforward overflow. Since the vulnerability lies in the core of the scan engine, most Symantec products are affected:

* Symantec Endpoint Antivirus (all platforms)
* Norton Antivirus (all platforms)
* Symantec Scan Engine (all platforms)
* McAfee Internet Security (all platforms)
* all other Symantec anti-virus products

In Symantec Endpoint Antivirus on Windows, the vulnerable code runs in the ccSvcHost.exe process and executes with NT AUTHORITY\SYSTEM privileges. In Norton AntiVirus on Windows, the code is loaded into the kernel, so the result is kernel pool corruption.

Fault analysis with windbg

Use the !analyze -v command to obtain detailed crash information:

1: kd> !analyze -v

The output is:

PAGE_FAULT_IN_NONPAGED_AREA (50)                       // bugcheck code
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.                           // reason: an invalid memory address was referenced
Arguments:
Arg1: 9e45c000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 82a81ff3, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000000, (reserved)                             // the bugcheck parameters

Debugging Details:
------------------

WRITE_ADDRESS: 9e45c000 Paged pool                     // corresponds to Arg1

FAULTING_IP:
nt!memcpy+33
82a81ff3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]   // instruction executing when the fault occurred

MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT                   // type of fault: driver fault
BUGCHECK_STR: 0x50
PROCESS_NAME: NS.exe                                   // process the fault belongs to
CURRENT_IRQL: 2                                        // corresponds to Arg2
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre

TRAP_FRAME: 9abd2094 -- (.trap 0xffffffff9abd2094)
ErrCode = 00000002
eax=b0849800 ebx=00010000 ecx=00001201 edx=00000000 esi=b0844ffc edi=9e45c000
eip=82a81ff3 esp=9abd2108 ebp=9abd2110 iopl=0         nv up ei pl nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!memcpy+0x33:
82a81ff3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope                                // contents of each register at the time of the fault

LAST_CONTROL_TRANSFER: from 82b28ce7 to 82ac4308

Use the .trap command to view the trap frame:

1: kd> .trap 0xffffffff9abd2094
ErrCode = 00000002
eax=b0849800 ebx=00010000 ecx=00001201 edx=00000000 esi=b0844ffc edi=9e45c000
eip=82a81ff3 esp=9abd2108 ebp=9abd2110 iopl=0         nv up ei pl nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!memcpy+0x33:
82a81ff3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

Use the db command to display the memory at the esi register in byte format:

1: kd> db esi
b0844ffc  54 65 73 74 69 6e 67 53-79 6d 61 6e 74 65 63 45  TestingSymantecE
b084500c  78 70 6c 6f 69 74 54 65-73 74 69 6e 67 53 79 6d  xploitTestingSym
b084501c  61 6e 74 65 63 45 78 70-6c 6f 69 74 54 65 73 74  antecExploitTest
b084502c  69 6e 67 53 79 6d 61 6e-74 65 63 45 78 70 6c 6f  ingSymantecExplo
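The hardened counterpart of the malloc/memcpy sequence described above, as an added example that is not part of the original article or of Symantec's code. The struct and function names are hypothetical; the field names mirror the PE section header fields the article quotes, and the sample section headers and "file" contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Field names mirror the PE section header fields the article quotes;
 * the struct and function names are hypothetical. */
typedef struct {
    uint32_t VirtualAddress;   /* offset of the section inside the image buffer */
    uint32_t SizeOfRawData;    /* bytes of section data claimed to be on disk */
    uint32_t PointerToRawData; /* file offset where that data starts */
} SectionHeader;

/* The check the vulnerable sequence lacks: the copy must end inside both the
 * SizeOfImage-byte buffer and the file. 64-bit sums stop a 32-bit wrap of
 * VirtualAddress + SizeOfRawData from slipping past the comparison. */
int section_fits(const SectionHeader *s, uint32_t size_of_image, size_t file_size) {
    uint64_t image_end = (uint64_t)s->VirtualAddress + s->SizeOfRawData;
    uint64_t file_end  = (uint64_t)s->PointerToRawData + s->SizeOfRawData;
    return image_end <= size_of_image && file_end <= file_size;
}

/* Hardened form of "malloc(SizeOfImage); memcpy(&buf[VirtualAddress], ...)":
 * each section is validated before a byte is copied. Returns NULL if any
 * header is truncated or oversized, so the caller rejects the file. */
uint8_t *load_sections(const uint8_t *file, size_t file_size, uint32_t size_of_image,
                       const SectionHeader *secs, size_t nsecs) {
    uint8_t *image = calloc(size_of_image, 1);
    if (!image) return NULL;
    for (size_t i = 0; i < nsecs; i++) {
        if (!section_fits(&secs[i], size_of_image, file_size)) { free(image); return NULL; }
        memcpy(image + secs[i].VirtualAddress,
               file + secs[i].PointerToRawData, secs[i].SizeOfRawData);
    }
    return image;
}

int main(void) {
    uint8_t file[0x1000];                        /* constructed 4 KiB "file" */
    memset(file, 0x41, sizeof file);
    SectionHeader good = { 0x1000, 0x200, 0x400 };  /* good: ends at 0x1200 <= 0x2000 */
    SectionHeader bad  = { 0x1000, 0x3000, 0x400 }; /* bad: SizeOfRawData > SizeOfImage */
    uint8_t *img = load_sections(file, sizeof file, 0x2000, &good, 1);
    printf("good: %s, bad: %s\n", img ? "loaded" : "rejected",
           load_sections(file, sizeof file, 0x2000, &bad, 1) ? "loaded" : "rejected");
    free(img);
    return 0;
}
```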
