[Full-Disclosure] Symantec ActiveX control buffer overflow
2003-06-23T00:00:00
ID SECURITYVULNS:DOC:4728 Type securityvulns Reporter Securityvulns Modified 2003-06-23T00:00:00
Description
Security Advisory
Name: Symantec ActiveX control buffer overflow.
Systems Affected: Symantec Security Check service.
Severity: High
Remote exploitable: Yes
Author: Cesar Cerrudo.
Date: 06/23/03
Advisory Number: CC060304
Overview:
Symantec offers a free online virus and security scanning
service called Symantec Security Check. To use it, a user
goes to http://www.symantec.com/securitycheck/ and selects
which kind of scan to run. In order to run the scans,
ActiveX controls are installed on the user's computer.
Details:
One of the installed ActiveX controls is called
"Symantec RuFSI Utility Class" and carries the
description "Norton Internet Security Registry and
File Information". There is no documentation on what
it does, but it appears to collect information about the
user's computer in order to perform the scans. If a long
string is passed in any of the parameters of the
CompareVersionStrings method, a stack-based overflow
occurs when the method is executed.
To reproduce the overflow just cut-and-paste the
following (the object element instantiates the control
under the name "test", which the script then calls):
<object
classid="clsid:69DEAF94-AF66-11D3-BEC0-00105AA9B6AE"
id="test">
</object>
<script>
test.CompareVersionStrings("long string here","or long string here")
</script>
This ActiveX control is marked as safe, so the above
sample runs without being blocked under the default
Internet Explorer security configuration.
This vulnerability can be exploited to run arbitrary
code.
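To show the defect class the advisory describes, here is an added example (not Symantec's code; the RuFSI control's internals are not shown on the page) of a CompareVersionStrings-style routine written twice: an unsafe version that copies caller-controlled arguments into fixed stack buffers with strcpy(), and a hardened version that bounds and validates its inputs and never copies them. The function names, the 32-byte buffer size and the "digits separated by dots" version format are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define VER_BUF_LEN 32  /* assumed fixed buffer size, for illustration only */

/* UNSAFE pattern: no length check before copying into VER_BUF_LEN-byte stack
 * buffers. An argument of VER_BUF_LEN bytes or more overruns the buffer and
 * corrupts the stack frame; this is the stack-based overflow pattern the
 * advisory reports. Shown for contrast; never call it with untrusted input. */
int compare_version_strings_unsafe(const char *a, const char *b)
{
    char va[VER_BUF_LEN], vb[VER_BUF_LEN];
    strcpy(va, a);              /* unbounded copy */
    strcpy(vb, b);
    return strcmp(va, vb);      /* also semantically wrong: "1.10" < "1.9" */
}

/* Result codes for the hardened comparison. */
enum { VER_LESS = -1, VER_EQUAL = 0, VER_GREATER = 1, VER_INVALID = 2 };

/* Length with a hard ceiling, so an unterminated or huge input cannot make
 * us walk off the end of it. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Accept only digit runs separated by single dots, shorter than VER_BUF_LEN.
 * The advisory's "long string" is rejected here before anything else runs. */
static int version_is_wellformed(const char *s)
{
    size_t n = bounded_len(s, VER_BUF_LEN);
    if (n == 0 || n >= VER_BUF_LEN) return 0;
    if (s[0] == '.' || s[n - 1] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '.') { if (s[i + 1] == '.') return 0; continue; }
        if (s[i] < '0' || s[i] > '9') return 0;
    }
    return 1;
}

/* Compare one dotted component in place, with no integer conversion (so no
 * integer overflow either): drop leading zeros, the longer digit run is
 * larger, equal lengths compare byte-wise. Advances both pointers past the
 * component and its trailing dot. */
static int compare_component(const char **pa, const char **pb)
{
    const char *a = *pa, *b = *pb;
    size_t la = 0, lb = 0;
    int r;

    while (a[0] == '0' && a[1] >= '0' && a[1] <= '9') a++;
    while (b[0] == '0' && b[1] >= '0' && b[1] <= '9') b++;
    while (a[la] >= '0' && a[la] <= '9') la++;
    while (b[lb] >= '0' && b[lb] <= '9') lb++;

    if (la != lb) {
        r = (la < lb) ? VER_LESS : VER_GREATER;
    } else {
        int c = memcmp(a, b, la);
        r = (c < 0) ? VER_LESS : (c > 0) ? VER_GREATER : VER_EQUAL;
    }
    a += la; if (*a == '.') a++;
    b += lb; if (*b == '.') b++;
    *pa = a; *pb = b;
    return r;
}

/* HARDENED: validate first, then compare without copying into any buffer.
 * Missing trailing components count as zero, so "2.0" equals "2". */
int compare_version_strings_safe(const char *a, const char *b)
{
    static const char zero[] = "0";

    if (a == NULL || b == NULL) return VER_INVALID;
    if (!version_is_wellformed(a) || !version_is_wellformed(b)) return VER_INVALID;

    while (*a != '\0' || *b != '\0') {
        const char *ca = (*a != '\0') ? a : zero;
        const char *cb = (*b != '\0') ? b : zero;
        int r = compare_component(&ca, &cb);
        if (r != VER_EQUAL) return r;
        if (*a != '\0') a = ca;
        if (*b != '\0') b = cb;
    }
    return VER_EQUAL;
}

int main(void)
{
    /* Constructed inputs: ordinary versions plus one oversized argument of
     * the kind the advisory passes to CompareVersionStrings. */
    char oversized[200];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("1.2.3 vs 1.2.10 -> %d\n", compare_version_strings_safe("1.2.3", "1.2.10"));
    printf("oversized vs 1  -> %d (VER_INVALID)\n", compare_version_strings_safe(oversized, "1"));
    return 0;
}
```

The two design choices worth copying are that the input is validated against a fixed ceiling before any other work is done, and that the comparison operates on the caller's buffers in place, so there is no fixed-size copy to overflow in the first place.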
Workaround:
Go to %SystemRoot%\Downloaded Program Files\ and
remove "Symantec RuFSI Utility Class"; if you are
extra paranoid, remove all Symantec ActiveX controls.
Also, don't use Symantec's free online scan service
again until Symantec fixes it!!!
Vendor Status:
I'm really sorry, Symantec, I forgot about the 30-day
grace period (see "Security Vulnerability Reporting
and Response Process",
http://www.oisafety.org/process.html), and I also forgot
to report it :)
This is really funny: Symantec tries to protect users and
they introduce dangerous ActiveX controls on users'
computers. I think that maybe this control should be
included in the Norton virus list :). I wonder if this
advisory will be in Security Focus news or the
vulnerability database.
Important note:
I recommend that antivirus companies with an online virus
scan service check their ActiveX controls if they are
really interested in protecting users; especially Trend
Micro, fix those multiple HouseCall ActiveX
overflows!!!
NEW SECURITY LIST!!!: For people interested in SQL
Server security, vulnerabilities, SQL injection, etc.
Join at:
sqlserversecurity-subscribe@yahoogroups.com
http://groups.yahoo.com/group/sqlserversecurity/
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html