Credit:
The information has been provided by eEye.
Vulnerable Systems:
* Symantec AntiVirus 10.0.x for Windows (all versions)
* Symantec AntiVirus 10.1.x for Windows (all versions)
* Symantec Client Security 3.0.x for Windows (all versions)
* Symantec Client Security 3.1.x for Windows (all versions)
Immune Systems:
* Symantec AntiVirus 10.x.x for Macintosh
* Symantec AntiVirus 10.x.x for Linux
* Symantec AntiVirus 10.x.x for Wireless
A vulnerability exists in the remote management interface of Symantec AntiVirus 10.x and Symantec Client Security 3.x. It can be exploited by an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges on an affected system.
The management interface is typically enabled in enterprise settings and listens on TCP port 2967 by default, for both server and client systems.
Although remote management traffic is typically SSL-encrypted, managed systems will also accept and process clear-text requests of the vulnerable type, so an attacker needs neither a certificate nor an SSL handshake to reach the flawed code.
The remote management protocol communicated by the affected products is a proprietary message-based protocol with two levels of encapsulation.
The outer layer comprises a message header indicating one of three message types: 10, which designates a request to Rtvscan.exe, or 20 or 30, which mediate SSL negotiation. If SSL is established for a TCP connection, subsequent traffic is encrypted although the plaintext is still in the proprietary format.
The data of type-10 messages contains its own header and body which are processed by Rtvscan.exe. This header features a command field which specifies the operation to perform and dictates the format of the body data.
The COM_FORWARD_LOG (0x24) command handler contains an improper use of strncat that allows a 0x180-byte stack buffer to be overflowed with arbitrary data. If the first string in the COM_FORWARD_LOG request body contains a backslash, then one of the following two strncat calls will be performed:
* If the string contains a comma but no double-quote:
strncat(dest, src, 0x17A - strlen(src));
* Otherwise:
strncat(dest, src, 0x17C - strlen(src));
If the length of the source string exceeds 0x17A or 0x17C characters respectively, the subtraction wraps around: both operands are of type size_t, which is unsigned, so the result is not negative but a value close to the maximum size_t, and strncat is passed a very large copy size. It therefore appends the entire source string to the 0x180-byte buffer, allowing the stack to be overwritten with up to 64KB of data in which only null characters are prohibited.
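The flawed length computation and a hardened replacement, as an added example that is not eEye's or Symantec's code. It models the advisory's description (the backslash gate, the comma/double-quote choice between 0x17A and 0x17C, and the size_t subtraction) with assumed function names; the 0x200-byte field is constructed here to stand in for the attacker's first body string. The model computes the size argument strncat would receive and whether the resulting write exceeds the 0x180-byte buffer rather than performing the overflowing copy, which would be undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Size of the stack buffer the COM_FORWARD_LOG handler writes into (from the advisory). */
#define DEST_SIZE 0x180

/* Gate described in the advisory: the strncat path is only reached when the
   first string of the request body contains a backslash. */
int takes_strncat_path(const char *src) {
    return strchr(src, '\\') != NULL;
}

/* Model of the flawed length computation (assumption: reconstructed from the
   advisory text, not Symantec's source). The limit is chosen from the presence
   of ',' and '"', and the source length is subtracted from it. Both operands
   are size_t, so when strlen(src) exceeds the limit the subtraction wraps to a
   value near SIZE_MAX instead of going negative. */
size_t vulnerable_copy_limit(const char *src) {
    size_t limit = (strchr(src, ',') && !strchr(src, '"')) ? 0x17A : 0x17C;
    return limit - strlen(src);
}

/* Bytes strncat would append with that limit (the smaller of n and strlen)
   plus the terminating NUL. Assumes dest is empty when the call is made. */
size_t vulnerable_bytes_written(const char *src) {
    size_t n = vulnerable_copy_limit(src);
    size_t len = strlen(src);
    return (len < n ? len : n) + 1;
}

/* 1 if the flawed call writes past the 0x180-byte buffer, else 0. */
int vulnerable_would_overflow(const char *src) {
    return vulnerable_bytes_written(src) > DEST_SIZE;
}

/* Hardened replacement: derive the remaining room from the destination,
   never from the source, and reject oversized input instead of silently
   truncating a log path. Returns 0 on success, -1 on rejection; dest is
   left untouched on -1. */
int safe_append(char *dest, size_t dest_size, const char *src) {
    const char *nul = memchr(dest, '\0', dest_size);
    if (nul == NULL) return -1;               /* dest is not NUL-terminated */
    size_t used = (size_t)(nul - dest);
    size_t room = dest_size - used - 1;       /* cannot wrap: used <= dest_size - 1 */
    size_t len = strlen(src);
    if (len > room) return -1;
    memcpy(dest + used, src, len + 1);
    return 0;
}

/* Run safe_append against a fresh 0x180-byte stack buffer; returns 0 or -1. */
int safe_append_demo(const char *src) {
    char dest[DEST_SIZE] = "";
    return safe_append(dest, sizeof dest, src);
}

/* Constructed oversized field: a backslash followed by 0x1FF 'A's (0x200 bytes,
   no commas, no quotes). Stand-in for the attacker's first body string. */
const char *long_payload(void) {
    static char buf[0x201];
    buf[0] = '\\';
    memset(buf + 1, 'A', 0x1FF);
    buf[0x200] = '\0';
    return buf;
}

int main(void) {
    const char *benign = "C:\\logs\\av,1";   /* constructed, well-formed field */
    const char *evil = long_payload();
    printf("benign: limit=%zu overflow=%d safe=%d\n",
           vulnerable_copy_limit(benign), vulnerable_would_overflow(benign),
           safe_append_demo(benign));
    printf("evil:   limit=%#zx overflow=%d safe=%d\n",
           vulnerable_copy_limit(evil), vulnerable_would_overflow(evil),
           safe_append_demo(evil));
    return 0;
}
```

The benign field yields a limit of 0x17A minus its length and fits comfortably; the 0x200-byte field makes the limit wrap to 0xFFFF...FF7C, so strncat would copy all 0x200 bytes into a 0x180-byte buffer, while safe_append rejects it because room is computed from the destination.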
Rtvscan.exe was compiled with the Visual Studio /GS option, which places a stack cookie below the return address and checks it when the function returns. That check can be bypassed here: the overwrite is large enough to reach the structured exception handler (SEH) registration record on the stack, and if the attacker replaces the handler pointer and an exception is raised before the function returns (for example by the oversized copy itself running off the end of the stack), the overwritten handler is invoked and the cookie is never checked.
As a basic workaround against automated exploitation, the management interface TCP port can be changed via the "HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AgentIPPort" registry value. This provides only slight obfuscation, since the vulnerable handler remains reachable on whatever port is chosen, and does not fix the flaw. Remote management should continue to function even if the new port numbers are not homogeneous across an enterprise.
CVE Information:
CVE-2006-2630
Vendor Status:
Symantec has released patches for the affected products. For more information, please consult Symantec security advisory SYM06-010:
http://www.symantec.com/avcenter/security/Content/2006.05.25.html
Disclosure Timeline:
Date Reported: May 24, 2006
Release Date: June 12, 2006