Symantec Security Check Service ActiveX Buffer Overflow
24 Jun. 2003
Summary
Symantec offers a free online virus and security scan service called Symantec Security Check.
To use it, a user goes to http://www.symantec.com/securitycheck/ and selects the kind of scan to run. To run the scans, ActiveX controls are installed on the user's computer. One of these ActiveX controls has been found to contain an exploitable buffer overflow.
Credit:
The information has been provided by Cesar; the exploit code was provided by SecurITeam Experts.
One of the installed ActiveX controls is called "Symantec RuFSI Utility Class" and carries the description "Norton Internet Security Registry and File Information". There is no documentation on what it does, but it appears to be used to collect information about the user's computer in order to perform the scans. If a long string is passed in any of the parameters of the CompareVersionStrings method, a stack-based overflow occurs when the method is executed.
To reproduce the overflow, just paste the following into an HTML page:
<object classid="clsid:69DEAF94-AF66-11D3-BEC0-00105AA9B6AE" id="test">
</object>
<script>
test.CompareVersionStrings("long string here","or long string here")
</script>
This ActiveX control is marked as safe for scripting, so the sample above runs without being blocked under the default Internet Explorer security configuration. The vulnerability can be exploited to run arbitrary code.
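As an added example (not code from the advisory or from SecurITeam), a content-filter check a proxy or mail gateway could run over HTML: it flags a page that embeds this control's CLSID and calls CompareVersionStrings with either an oversized string literal or an argument built at run time. The 256-byte threshold and the three sample pages are assumptions constructed for the example.

```python
import re

# CLSID of the "Symantec RuFSI Utility Class" control from the advisory.
VULN_CLSID = "69DEAF94-AF66-11D3-BEC0-00105AA9B6AE"
LONG_ARG = 256  # assumed threshold: no legitimate version string is this long

OBJECT_RE = re.compile(r'<\s*object\b[^>]*\bclassid\s*=\s*["\']?\s*clsid:([0-9a-f-]+)', re.I)
STR_RE = re.compile(r'"([^"\\]*(?:\\.[^"\\]*)*)"|\'([^\'\\]*(?:\\.[^\'\\]*)*)\'')

def _call_args(text):
    """Yield the raw argument text of each CompareVersionStrings(...) call, honouring quotes and nested parens."""
    for m in re.finditer(r'\bCompareVersionStrings\s*\(', text, re.I):
        i = start = m.end()
        depth, quote = 1, None
        while i < len(text) and depth:
            c = text[i]
            if quote:
                if c == '\\':
                    i += 1          # skip the escaped character
                elif c == quote:
                    quote = None
            elif c in '"\'':
                quote = c
            elif c in '()':
                depth += 1 if c == '(' else -1
            i += 1
        yield text[start:i - 1]

def scan_html(html):
    """Findings for one page; 'suspicious' = control embedded and the method gets a long or run-time-built argument."""
    loads_control = any(m.group(1).upper() == VULN_CLSID for m in OBJECT_RE.finditer(html))
    calls, max_literal, dynamic = 0, 0, False
    for args in _call_args(html):
        calls += 1
        literals = [a or b for a, b in STR_RE.findall(args)]
        max_literal = max([max_literal] + [len(s) for s in literals])
        # Anything left after removing literals, commas and whitespace is an expression, e.g. Array(n).join("A").
        if re.sub(r'[\s,]', '', STR_RE.sub('', args)):
            dynamic = True
    suspicious = loads_control and calls > 0 and (dynamic or max_literal >= LONG_ARG)
    return {"loads_control": loads_control, "calls": calls,
            "max_literal": max_literal, "dynamic_args": dynamic, "suspicious": suspicious}

# Constructed sample pages (not captured from any real site).
OBJ = '<object classid="clsid:%s" id="t"></object>' % VULN_CLSID
BENIGN = OBJ + '<script>t.CompareVersionStrings("1.0.0", "1.0.1")</script>'
LONG = OBJ + '<script>t.CompareVersionStrings("' + "A" * 2000 + '", "x")</script>'
DYNAMIC = OBJ + '<script>var p = Array(3000).join("A"); t.CompareVersionStrings(p, "x")</script>'
```

Strings assembled from non-literal expressions cannot be sized statically, so the check treats any such argument as suspicious rather than trying to evaluate the script.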
Workaround:
Go to %SystemRoot%\Downloaded Program Files\ and remove the "Symantec RuFSI Utility Class" control.
Exploit code:
SecurITeam has built an example exploit that runs cmd.exe whenever the HTML below is viewed (note that it is hard-coded for Windows 2000 and Internet Explorer 5.5):
<html>
<body>
<object classid="clsid:69DEAF94-AF66-11D3-BEC0-00105AA9B6AE" id="test">
</object>
Notes:
A few things to check if you cannot get it to work:
1) Make sure MDM.exe (Machine Debug Manager) is not running, as it places the user buffer somewhere we did not plan to jump to.
2) Make sure only ONE instance of iexplore.exe is running, as each one has a different buffer area.