bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/multiple/dos/40037.txt
Offensive Security f74a7dfb7e DB: 2016-06-30 
13 new exploits

Symantec Antivirus - Multiple Remote Memory Corruption Unpacking RAR
Symantec Antivirus - Remote Stack Buffer Overflow in dec2lha Library
Symantec Antivirus - Heap Overflow Modifying MIME Messages
Symantec Antivirus - Integer Overflow in TNEF Decoder
Symantec Antivirus - Missing Bounds Checks in dec2zip ALPkOldFormatDecompressor::UnShrink
Symantec Antivirus - PowerPoint Misaligned Stream-cache Remote Stack Buffer Overflow
Windows 7 SP1 x86 - Privilege Escalation (MS16-014)
Lenovo ThinkPad - System Management Mode Arbitrary Code Execution Exploit
Symantec Endpoint Protection Manager 12.1 - Multiple Vulnerabilities
WordPress Ultimate Membership Pro Plugin 3.3 - SQL Injection
Cuckoo Sandbox Guest 2.0.1 - XMLRPC Privileged Remote Code Execution
Ubiquiti Administration Portal - CSRF to Remote Command Execution
Concrete5 5.7.3.1 - (Application::dispatch) Local File Inclusion
2016-06-30 05:05:39 +00:00

85 lines
4.3 KiB
Text
Executable file
Raw Blame History

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=823
A PowerPoint PPT file is a complicated OLE compound document comprising of a series of streams. The format is described by Microsoft in [MS-PPT].
https://msdn.microsoft.com/en-us/library/office/cc313106(v=office.12).aspx
Symantec have implemented an I/O abstraction layer for seeking within the streams of a compound document, which they use to extract embedded objects like VBA macros and so on. Unfortunately, a bug in this I/O abstraction results in a critical security vulnerability. The bug occurs when a read request can be satisfied from the cache, but from a non-zero start offset. In this case, the request size is always rounded to (CACHE_SIZE - Offset), which may not be correct.
For example, a read request that can be satisfied from the stream cache in these ways:
+-------------------------+
| CACHE |
+-------------------------+
1. <---------> Non-zero offset, but entire cache needed.
2. <------> Zero offset, but not the entire cache.
3. <----------------------> Entire cache.
4. <----> Non-zero offset and not entire cache.
All of these cases work fine except 4, where a buffer overflow occurs, because the request is rounded up to (CACHE_SIZE - Offset). It seems incredible that this bug wasn't found during testing or even on ITW documents just by chance. Nevertheless, by carefully constructing a powerpoint file with a series of records that massage the cache with a series of records, we can trigger a stack buffer overflow of attacker controlled data.
The easiest way to do this is via PPFindRecSet in libdec2ss (this is part of ccScanw.dll on Windows). Early on when processing powerpoint documents Symantec attempt to find the last edit via RT_UserEditAtom, then extract a set of records for RT_List and RT_ExternalObjectList allowing us to massage the stream cache appropriately.
Naturally, Symantec disable /GS on Windows and do not use -fstack-protector, making exploitation absolutely trivial. The attached document redirects execution to 0x41414141 reliably on Windows.
0:065> g
(1074.a14): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=000025a0 ecx=00000200 edx=000025a0 esi=0396e358 edi=00002524
eip=41414141 esp=056df558 ebp=00000000 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???
0:065> lmv m ccScanW
start end module name
65820000 65a4f000 ccScanw (deferred)
Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Image name: ccScanw.dll
Timestamp: Tue Jan 26 13:51:55 2016 (56A7EA7B)
CheckSum: 0022B3ED
ImageSize: 0022F000
File version: 13.1.2.19
Product version: 13.1.2.19
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Symantec Corporation
ProductName: Symantec Security Technologies
InternalName: ccScan
OriginalFilename: CCSCAN.DLL
ProductVersion: 13.1.2.19
FileVersion: 13.1.2.19
FileDescription: Symantec Scan Engine
LegalCopyright: Copyright (c) 2015 Symantec Corporation. All rights reserved.
The fix is simply to round up requests to MIN(RequestSize, CACHE_SIZE).
I verified this bug exists on the following products:
* Norton Antivirus (All Platforms)
* Symantec Endpoint (All Platforms)
* Symantec Scan Engine (All Platforms)
* Symantec Email Security (All Platforms)
And probably all other Symantec and Norton branded products.
NOTES:
PPGetVBAEmbedListInfo() uses PPFindRecSet(), which is definitely the easiest way to exploit this. The prototype is something like:
int PPFindRecSet(tagSS_STREAM *stream,
unsigned StartOffset,
unsigned EndOffset,
short count,
short *RequiredRecordTypes,
unsigned *RecordOffsets,
int *RecordLengths);
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40037.zip
Reference in a new issue View git blame Copy permalink