Name: Symantec ActiveX control buffer overflow. Systems Affected : Symantec Security Check service. Severity : High Remote exploitable : Yes Author: Cesar Cerrudo. Date: 06/23/03 Advisory Number: CC060304
Symantec has a free online service for virus and security scan called Symantec Security Check. To access this service a user must go to http://www.symantec.com/securitycheck/ and then select what kind of scan want to run. In order to run scans ActiveX controls are installed in user's computer.
One of the installed ActiveX controls is called "Symantec RuFSI Utility Class" and it has this description: "Norton Internet Security Registry and File Information", there isn't documentation on what it does but it looks like it's used to colect user's computer information in order to perform the scans. If a long string is passed in any of the parameters of CompareVersionStrings method a stack based overflow occurs when the method is executed.
To reproduce the overflow just cut-and-paste the following:
classid="clsid:69DEAF94-AF66-11D3-BEC0-00105AA9B6AE" id="test"> </object>
<script> test.CompareVersionStrings("long string here","or long string here") </script>
This ActiveX control is marked as safe, so the above sample will run without being blocked in default Internet Explorer security configuration. This vulnerability can be exploited to run arbitrary code.
Go to %SystemRoot%\Downloaded Program Files\ and remove "Symantec RuFSI Utility Class" and if you are extra paranoid remove all Symantec ActiveX controls. Also don't use again Symantec free online scan service until Symantec fix it!!!
Vendor Status :
I really sorry Symantec i forgot about the 30-day grace period (see "Security Vulnerability Reporting and Response Process", http://www.oisafety.org/process.html), also i forgot to report it :) This is really funny Symantec try to protect users and they intruduce dangerous ActiveX controls in users computers. I think that maybe this control should be inroduced in Norton virus list :). I wonder if this advisory will be on Security Focus news or vulnerability database.
I recomend antivirus companies with online virus scan service to check your ActiveX controls if you are really interested in protect users, especially Trend Micro fix those HouseCall ActiveX multiple overflows!!!.
NEW SECURITY LIST!!!: For people interested in SQL Server security, vulnerabilities, SQL injection, etc. Join at: email@example.com http://groups.yahoo.com/group/sqlserversecurity/
Do you Yahoo!? SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html