118 lines
No EOL
6 KiB
Text
118 lines
No EOL
6 KiB
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=820
|
|
|
|
When parsing executables packed by an early version of aspack, a buffer overflow can occur in the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products. The problem occurs when section data is truncated, that is, when SizeOfRawData is greater than SizeOfImage.
|
|
|
|
This is a remote code execution vulnerability. Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it.
|
|
|
|
On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability - this is about as bad as it can possibly get.
|
|
|
|
The obvious way to exploit this flaw is either via email or a web browser. The attached testcase contains the source code to build a PoC, which should BugCheck (i.e. BSOD) a system with Norton Antivirus installed, or crash Symantec Enterprise Endpoint service.
|
|
|
|
The file testcase.txt is a prebuilt binary (note that file extension is irrelevant here). Just clicking download should be enough to trigger a kernel panic on a vulnerable system (!!!).
|
|
|
|
When this file touches disk, Symantec will allocate SizeOfImage bytes and then memcpy all available data into the buffer from the truncated section resulting in heap or pool corruption. Effectively, we can get Symantec to execute a sequence like this:
|
|
|
|
char *buf = malloc(SizeOfImage);
|
|
|
|
memcpy(&buf[DataSection->VirtualAddress],
|
|
DataSection->PointerToRawData,
|
|
SectionSizeOnDisk);
|
|
|
|
All of these values, and all the data is under attacker control, making this a very clean overflow. Because this vulnerability exists in the core scan engine, the majority of Symantec products are vulnerable, this includes:
|
|
|
|
* Symantec Endpoint Antivirus (All platforms)
|
|
* Norton Antivirus (All platforms)
|
|
* Symantec Scan Engine (All platforms)
|
|
* Symantec Email Security (All platforms)
|
|
* ..and probably all other Symantec Antivirus products.
|
|
|
|
On Windows with Symantec Endpoint Antivirus, this vulnerability permits code execution as NT AUTHORITY\SYSTEM in the ccSvcHost.exe process. On Norton Antivirus for Windows, this code is loaded into the kernel and results kernel pool corruption.
|
|
|
|
1: kd> !analyze -v
|
|
*******************************************************************************
|
|
* *
|
|
* Bugcheck Analysis *
|
|
* *
|
|
*******************************************************************************
|
|
|
|
PAGE_FAULT_IN_NONPAGED_AREA (50)
|
|
Invalid system memory was referenced. This cannot be protected by try-except,
|
|
it must be protected by a Probe. Typically the address is just plain bad or it
|
|
is pointing at freed memory.
|
|
Arguments:
|
|
Arg1: 9e45c000, memory referenced.
|
|
Arg2: 00000001, value 0 = read operation, 1 = write operation.
|
|
Arg3: 82a81ff3, If non-zero, the instruction address which referenced the bad memory
|
|
address.
|
|
Arg4: 00000000, (reserved)
|
|
|
|
Debugging Details:
|
|
------------------
|
|
|
|
|
|
WRITE_ADDRESS: 9e45c000 Paged pool
|
|
|
|
FAULTING_IP:
|
|
nt!memcpy+33
|
|
82a81ff3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
|
|
|
|
MM_INTERNAL_CODE: 0
|
|
|
|
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
|
|
|
|
BUGCHECK_STR: 0x50
|
|
|
|
PROCESS_NAME: NS.exe
|
|
|
|
CURRENT_IRQL: 2
|
|
|
|
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre
|
|
|
|
TRAP_FRAME: 9abd2094 -- (.trap 0xffffffff9abd2094)
|
|
ErrCode = 00000002
|
|
eax=b0849800 ebx=00010000 ecx=00001201 edx=00000000 esi=b0844ffc edi=9e45c000
|
|
eip=82a81ff3 esp=9abd2108 ebp=9abd2110 iopl=0 nv up ei pl nz ac po nc
|
|
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
|
|
nt!memcpy+0x33:
|
|
82a81ff3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
|
|
Resetting default scope
|
|
|
|
LAST_CONTROL_TRANSFER: from 82b28ce7 to 82ac4308
|
|
1: kd> .trap 0xffffffff9abd2094
|
|
ErrCode = 00000002
|
|
eax=b0849800 ebx=00010000 ecx=00001201 edx=00000000 esi=b0844ffc edi=9e45c000
|
|
eip=82a81ff3 esp=9abd2108 ebp=9abd2110 iopl=0 nv up ei pl nz ac po nc
|
|
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
|
|
nt!memcpy+0x33:
|
|
82a81ff3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
|
|
1: kd> db esi
|
|
b0844ffc 54 65 73 74 69 6e 67 53-79 6d 61 6e 74 65 63 45 TestingSymantecE
|
|
b084500c 78 70 6c 6f 69 74 54 65-73 74 69 6e 67 53 79 6d xploitTestingSym
|
|
b084501c 61 6e 74 65 63 45 78 70-6c 6f 69 74 54 65 73 74 antecExploitTest
|
|
b084502c 69 6e 67 53 79 6d 61 6e-74 65 63 45 78 70 6c 6f ingSymantecExplo
|
|
b084503c 69 74 54 65 73 74 69 6e-67 53 79 6d 61 6e 74 65 itTestingSymante
|
|
b084504c 63 45 78 70 6c 6f 69 74-54 65 73 74 69 6e 67 53 cExploitTestingS
|
|
b084505c 79 6d 61 6e 74 65 63 45-78 70 6c 6f 69 74 54 65 ymantecExploitTe
|
|
b084506c 73 74 69 6e 67 53 79 6d-61 6e 74 65 63 45 78 70 stingSymantecExp
|
|
1: kd> lmv mNAVEX15
|
|
start end module name
|
|
a1a1f000 a1bad180 NAVEX15 (no symbols)
|
|
Loaded symbol image file: NAVEX15.SYS
|
|
Image path: \??\C:\Program Files\Norton Security\NortonData\22.6.0.142\Definitions\VirusDefs\20160506.004\NAVEX15.SYS
|
|
Image name: NAVEX15.SYS
|
|
Timestamp: Tue Oct 13 17:32:30 2015 (561DA29E)
|
|
CheckSum: 00195B98
|
|
ImageSize: 0018E180
|
|
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
|
|
|
|
The testcase attached produces an executable like this:
|
|
|
|
NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
|
|
.data fff8 0 ffffffff 2000 0 0 0 0 0 ---
|
|
.text fff8 0 1000 1000 0 0 0 0 0 ---
|
|
|
|
Source code is included.
|
|
|
|
|
|
Proof of Concept:
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39835.zip |