Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Symantec AntiVirus - Missing Bounds Checks in dec2zip ALPkOldFormatDecompressor::UnShrink

🗓️ 29 Jun 2016 00:00:00Reported by Google Security ResearchType 
zdt
 zdt🔗 0day.today👁 39 Views

Symantec Antivirus decomposer UnShrink routine missing bounds checks in zip archive

Related
Code
ReporterTitlePublishedViews
Family
BDU FSTEC		The vulnerability of Symantec’s antivirus protection tools allows a hacker to cause a service failure or execute arbitrary codes.
19 Jul 201600:00
bdu_fstec
Circl		CVE-2016-3646
29 Jun 201600:00
circl
CNVD		Memory Corruption Vulnerability in Multiple Symantec and Norton Products
30 Jun 201600:00
cnvd
Check Point Advisories		Symantec ZIP Decompression Memory Access Violation (CVE-2016-3646)
5 Jul 201600:00
checkpoint_advisories
CVE		CVE-2016-3646
30 Jun 201623:00
cve
Cvelist		CVE-2016-3646
30 Jun 201623:00
cvelist
NVD		CVE-2016-3646
30 Jun 201623:59
nvd
OpenVAS		Symantec Messaging Gateway Decomposer Engine Multiple Parsing Vulnerabilities (SYM16-010)
29 Jun 201600:00
openvas
OpenVAS		Symantec Endpoint Protection Multiple Vulnerabilities (Jul 2016)
4 Jul 201600:00
openvas
OpenVAS		Symantec Norton AntiVirus Decomposer Engine Multiple Parsing Vulnerabilities
4 Jul 201600:00
openvas
Rows per page
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=821
 
A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITY\SYSTEM on Windows, and root on Linux and Mac. Simple fuzzing of zip archives discovered missing bounds checks in the routine ALPkOldFormatDecompressor::UnShrink, used to decode Zip archives. 
 
The routine uses a 16bit value read from the file to index a 256 element array without any bounds checking, the attached testcase should demonstrate this reliably. I have verified this on the following products:
 
    Norton Antivirus, Windows
    Symantec Endpoint Protection, Linux and Windows
    Symantec Scan Engine, Linux and Windows
 
 
(534.700): Access violation - code c0000005 (!!! second chance !!!)
eax=00003000 ebx=00003000 ecx=00003000 edx=00002000 esi=16adeb58 edi=16ad8b1b
eip=6ba47ec3 esp=16ad6af0 ebp=16adeb20 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
ccScanw!filelengthi64+0x3af63:
6ba47ec3 66399445fcbfffff cmp     word ptr [ebp+eax*2-4004h],dx ss:002b:16ae0b1c=????
0:071> ub
ccScanw!filelengthi64+0x3af3f:
6ba47e9f 8bb5ec7fffff    mov     esi,dword ptr [ebp-8014h]
6ba47ea5 8bc7            mov     eax,edi
6ba47ea7 8985e07fffff    mov     dword ptr [ebp-8020h],eax
6ba47ead e96d010000      jmp     ccScanw!filelengthi64+0x3b0bf (6ba4801f)
6ba47eb2 0fbfc3          movsx   eax,bx
6ba47eb5 ba00200000      mov     edx,2000h
6ba47eba 8dbdfb9fffff    lea     edi,[ebp-6005h]
6ba47ec0 0fb7cb          movzx   ecx,bx
0:071> lmv m ccScanw
start    end        module name
6b930000 6bb5f000   ccScanw    (export symbols)       C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
    Loaded symbol image file: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
    Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
    Image name: ccScanw.dll
    Timestamp:        Tue Jan 26 13:51:55 2016 (56A7EA7B)
    CheckSum:         0022B3ED
    ImageSize:        0022F000
    File version:     13.1.2.19
    Product version:  13.1.2.19
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Symantec Corporation
    ProductName:      Symantec Security Technologies
    InternalName:     ccScan
    OriginalFilename: CCSCAN.DLL
    ProductVersion:   13.1.2.19
    FileVersion:      13.1.2.19
    FileDescription:  Symantec Scan Engine
    LegalCopyright:   Copyright (c) 2015 Symantec Corporation. All rights reserved.
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40036.zip

#  0day.today [2018-02-09]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Jun 2016 00:00Current
9.2High risk
Vulners AI Score9.2
EPSS0.25975
symantec antivirusdecomposerunshrinkbounds checkszip archivesvulnerabilityexploit0day
39