Pavlov Scope

2005 December 21

Symantec buffer overflow vulnerability

Filed under: ITSec — Kev Frey @ 12:51:31

Hi all;

An as-yet-unpatched vulnerability has been discovered in a file used by many different Symantec (Norton) products for scanning RAR archive compression files (RAR is a file compression format that competes with the highly successful ZIP).

The workaround suggested both by the researcher who discovered the flaw and by the vendor is to configure the antivirus software not to scan RAR files, and to set up a mail filter in the email client or email server software so that a vulnerable Symantec product never gets the chance to scan a malicious RAR file.

Many people use Norton/Symantec antivirus products on their home or work computers, so I wanted to “get the word out” if you or those you know might be affected by this – especially considering the holiday season coming up which will provide hackers more time to craft attacks against the software. Feel free to forward this email to those you know that you feel might be affected by this problem.

No word yet on when a patch will be released to fix the problem, but I suggest that those that believe they are affected:

  1. Disable the scanning of RAR files in the antivirus software configuration.
  2. Create mail filter rules to delete incoming messages with RAR file attachments.
  3. Watch the Symantec security advisories page for details.
  4. Download and install all new patches via the LiveUpdate utility included with Symantec products (watch for a forthcoming update).

As of this message, Symantec has not publicly acknowledged the issue on the aforementioned advisories page, but it is no doubt being investigated and a response is pending.

Original information from the person that discovered the problem:

Security Advisory – Symantec Antivirus Library RemØte Heap Overflows

Date: December 20, 2005

Vulnerability

The Symantec Antivirus Library provides file format support for virus analysis. During decompression of RAR files Symantec is vulnerable to multiple heap overflows allowing attackers complete control of the system(s) being protected. These vulnerabilities can be exploited remotely without user interaction in default configurations through common protocols such as SMTP.

Impact

Successful exploitation of Symantec protected systems allows attackers unauthorized control of data and related privileges. It also provides leverage for further network compromise. Symantec implementations are likely vulnerable in their default configuration. In default configurations users are likely vulnerable regardless of whether they choose to open or read the email.

Affected Products

Due to the library’s modular design and core functionality, it is likely this vulnerability affects a substantial portion of Symantec’s gateway, server, & client antivirus-enabled product lines on most platforms. In fact, the scope of this vulnerability is likely similar to the one described in this link and also includes more current versions.

Further, this library is also licensed to a substantial number of vendors with products/services that are likely affected. A small sample of these vendors can be found here.

Recommendation

Disable scanning of RAR compressed files until the vulnerable code is fixed.

Credit

This vulnerability was discovered and researched by Alex Wheeler.

Technical overview

The vulnerable code is responsible for decompression of RAR archive formats. Specifically, the vulnerability is the result of unchecked 16-bit length fields in RAR sub-block header types. An attacker may craft a sub-block header to overwrite heap memory with user-controlled file data to execute arbitrary code. A successful attack will yield system/root level privileges and is available through e-mail without user interaction.

The module affected resides in Dec2Rar.dll v3.2.14.3. It’s probable other versions are affected as well.
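The defect class the advisory describes is a length field read from the file and trusted for a heap copy. The following is an added example, not code from Symantec or from the advisory: a schematic sub-block reader that validates the 16-bit length against both the bytes actually present and the capacity of the destination before copying. The header layout (type byte, two flag bytes, 16-bit little-endian length) and the buffer capacity are assumptions for illustration, not the real RAR layout or Dec2Rar.dll internals.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed schematic layout for this example (not the RAR specification):
 * type(1) | flags(2) | data_len(2, little-endian) | payload[data_len] */
#define SUBBLOCK_TYPE 0x77u
#define HDR_LEN       5u
#define OUT_CAPACITY  64u   /* size of the fixed heap buffer the decoder fills */

enum parse_result {
    PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_OVERSIZED = -2, PARSE_BADTYPE = -3
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Copy a sub-block payload into out[out_cap]. The file-supplied length is
 * checked before any copy, which is the check the advisory says was missing. */
int parse_subblock(const uint8_t *buf, size_t buf_len,
                   uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (buf_len < HDR_LEN) return PARSE_TRUNCATED;
    if (buf[0] != SUBBLOCK_TYPE) return PARSE_BADTYPE;
    uint16_t data_len = rd16le(buf + 3);
    /* Attacker-chosen length must fit the destination buffer... */
    if (data_len > out_cap) return PARSE_OVERSIZED;
    /* ...and must not run past the input that is actually present. */
    if (data_len > buf_len - HDR_LEN) return PARSE_TRUNCATED;
    memcpy(out, buf + HDR_LEN, data_len);
    *out_len = data_len;
    return PARSE_OK;
}

/* Constructed sample: a well-formed block with a 3-byte payload. */
int demo_good(void)
{
    const uint8_t blk[] = { 0x77, 0x00, 0x00, 0x03, 0x00, 'a', 'b', 'c' };
    uint8_t out[OUT_CAPACITY]; size_t n = 0;
    int r = parse_subblock(blk, sizeof blk, out, sizeof out, &n);
    return (r == PARSE_OK && n == 3 && memcmp(out, "abc", 3) == 0) ? 1 : 0;
}

/* Constructed sample: the length field claims 0xFFFF bytes for a 64-byte buffer. */
int demo_oversized(void)
{
    const uint8_t blk[] = { 0x77, 0x00, 0x00, 0xFF, 0xFF, 'a' };
    uint8_t out[OUT_CAPACITY]; size_t n = 0;
    return parse_subblock(blk, sizeof blk, out, sizeof out, &n);
}
```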

Original Reference: http://www.rem0te.com/public/images/symc2.pdf

If you have any questions, please feel free to ask.

Seasons Greetings and take care;

_____________________________________________________________
KevFrey
