Vulners
Lucene search
Symantec AntiVirus - Heap Overflow Modifying MIME Messages
| Reporter | Title | Published | Views | Family All 22 |
|---|---|---|---|---|
 | The vulnerability of Symantec’s antivirus protection tools allows a hacker to trigger a service failure or execute arbitrary code. | 19 Jul 201600:00 | – | bdu_fstec |
 | CVE-2016-3644 | 29 Jun 201600:00 | – | circl |
 | Memory Corruption Vulnerability in Multiple Symantec and Norton Products (CNVD-2016-04437) | 30 Jun 201600:00 | – | cnvd |
 | CVE-2016-3644 | 30 Jun 201623:00 | – | cve |
 | CVE-2016-3644 | 30 Jun 201623:00 | – | cvelist |
 | CVE-2016-3644 | 30 Jun 201623:59 | – | nvd |
 | Symantec Messaging Gateway Decomposer Engine Multiple Parsing Vulnerabilities (SYM16-010) | 29 Jun 201600:00 | – | openvas |
| Symantec Endpoint Protection Multiple Vulnerabilities (Jul 2016) | 4 Jul 201600:00 | – | openvas |
| Symantec Norton AntiVirus Decomposer Engine Multiple Parsing Vulnerabilities | 4 Jul 201600:00 | – | openvas |
| Symantec Norton Internet Security Decomposer Engine Multiple Parsing Vulnerabilities | 4 Jul 201600:00 | – | openvas |
10
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=818
Symantec attempts to clean or remove components from archives or other multipart containers that they detect as malicious. The code that they use to remove components from MIME encoded messages in CMIMEParser::UpdateHeader() assumes that filenames cannot be longer than 77 characters.
This assumption is obviously incorrect, names can be any length, resulting in a very clean heap overflow.
The heap overflow occurs because Symantec does the cleaning in multiple stages, first changing the Content-Type to "text/plain", then changing the filename to "DELETED.TXT". The problem is that during the first stage of this process, they maintain the existing name but use a buffer prepared for the final name.
Something like:
char *buf = malloc(strlen(NewContentType) + strlen(LengthOfNewEncodedFilename) + 100)
// First change the content-type
strcpy(buf, "Content-Type: ");
strcpy(buf, NewContentType;
strcpy(buf, "; name=\"");
strcpy(buf, OldFileName);
...
UpdateName(buf, NewFileName);
...
This obviously won't work, because it doesn't verify that the old name will fit. I've attached an example MIME message that triggers this code in Symantec Scan Engine.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40034.zip
# 0day.today [2018-03-06] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Jun 2016 00:00Current
9.2High risk
Vulners AI Score9.2
EPSS0.29018