bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/multiple/dos/40034.txt
Offensive Security f74a7dfb7e DB: 2016-06-30 
13 new exploits

Symantec Antivirus - Multiple Remote Memory Corruption Unpacking RAR
Symantec Antivirus - Remote Stack Buffer Overflow in dec2lha Library
Symantec Antivirus - Heap Overflow Modifying MIME Messages
Symantec Antivirus - Integer Overflow in TNEF Decoder
Symantec Antivirus - Missing Bounds Checks in dec2zip ALPkOldFormatDecompressor::UnShrink
Symantec Antivirus - PowerPoint Misaligned Stream-cache Remote Stack Buffer Overflow
Windows 7 SP1 x86 - Privilege Escalation (MS16-014)
Lenovo ThinkPad - System Management Mode Arbitrary Code Execution Exploit
Symantec Endpoint Protection Manager 12.1 - Multiple Vulnerabilities
WordPress Ultimate Membership Pro Plugin 3.3 - SQL Injection
Cuckoo Sandbox Guest 2.0.1 - XMLRPC Privileged Remote Code Execution
Ubiquiti Administration Portal - CSRF to Remote Command Execution
Concrete5 5.7.3.1 - (Application::dispatch) Local File Inclusion
2016-06-30 05:05:39 +00:00

28 lines
1.3 KiB
Text
Executable file
Raw Blame History

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=818
Symantec attempts to clean or remove components from archives or other multipart containers that they detect as malicious. The code that they use to remove components from MIME encoded messages in CMIMEParser::UpdateHeader() assumes that filenames cannot be longer than 77 characters.
This assumption is obviously incorrect, names can be any length, resulting in a very clean heap overflow.
The heap overflow occurs because Symantec does the cleaning in multiple stages, first changing the Content-Type to "text/plain", then changing the filename to "DELETED.TXT". The problem is that during the first stage of this process, they maintain the existing name but use a buffer prepared for the final name.
Something like:
char *buf = malloc(strlen(NewContentType) + strlen(LengthOfNewEncodedFilename) + 100)
// First change the content-type
strcpy(buf, "Content-Type: ");
strcpy(buf, NewContentType;
strcpy(buf, "; name=\"");
strcpy(buf, OldFileName);
...
UpdateName(buf, NewFileName);
...
This obviously won't work, because it doesn't verify that the old name will fit. I've attached an example MIME message that triggers this code in Symantec Scan Engine.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40034.zip
Reference in a new issue View git blame Copy permalink