ed0e1e4d44
1979 changes to exploits/shellcodes Couchdb 1.5.0 - 'uuids' Denial of Service Apache CouchDB 1.5.0 - 'uuids' Denial of Service Beyond Remote 2.2.5.3 - Denial of Service (PoC) udisks2 2.8.0 - Denial of Service (PoC) Termite 3.4 - Denial of Service (PoC) SoftX FTP Client 3.3 - Denial of Service (PoC) Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection Silverstripe CMS 3.0.2 - Multiple Vulnerabilities SilverStripe CMS 3.0.2 - Multiple Vulnerabilities Silverstripe CMS 2.4 - File Renaming Security Bypass SilverStripe CMS 2.4 - File Renaming Security Bypass Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload Silverstripe CMS 2.4.x - 'BackURL' Open Redirection SilverStripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure Silverstripe CMS - Multiple HTML Injection Vulnerabilities SilverStripe CMS - Multiple HTML Injection Vulnerabilities Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation Monstra CMS before 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (2) Monstra CMS < 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (1) Navigate CMS 2.8 - Cross-Site Scripting Collectric CMU 1.0 - 'lang' SQL injection Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection LG SuperSign EZ CMS 2.5 - Remote Code Execution MyBB Visual Editor 1.8.18 - Cross-Site Scripting Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection RICOH Aficio MP 301 Printer - Cross-Site Scripting Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection RICOH MP C6003 Printer - Cross-Site Scripting Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
59 lines
No EOL
3.6 KiB
Text
59 lines
No EOL
3.6 KiB
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=810
|
|
|
|
A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITY\SYSTEM on Windows, and root on Linux and Mac. It is self-evident from looking at the decomposer code that Symantec have based the RAR decompression on the open-source unrar package from RAR labs (Note: this is permitted by the unrar license).
|
|
|
|
By comparing Symantec's code to the open source code, I have determined that Symantec are probably using version 4.1.4 of the unrar code, released in January 2012. The most current version is version 5.3.11.
|
|
|
|
Between the version of unrar that Symantec runs as NT AUTHORITY\SYSTEM to unpack untrusted binaries received over the network and the the current version, literally hundreds of critical memory corruption bugs have been resolved.
|
|
|
|
I have verified that multiple publicly known vulnerabilities affect Symantec, and can result in remote code execution as NT AUTHORTITY\SYSTEM on Windows and root on Linux and Mac.
|
|
|
|
I have verified this on the following products:
|
|
|
|
Norton Antivirus, Windows
|
|
Symantec Endpoint Protection, Linux and Windows
|
|
Symantec Scan Engine, Linux and Windows
|
|
|
|
Presumably this affects all other Symantec products using the core Symantec scan engine.
|
|
|
|
In my opinion, I'm being exceptionally generous considering this issue a new vulnerability and not public information. Frankly, it is astonishing that Symantec do not track new releases of third party code they use. I think you should take this opportunity to check all other third party code you're using to verify you haven't fallen behind.
|
|
|
|
I've attached a trivial example that modifies an arbitrary index in the PlaceA[] array via Unpack::ShortLZ().
|
|
|
|
|
|
(534.adc): Access violation - code c0000005 (!!! second chance !!!)
|
|
eax=14858d00 ebx=07da63e0 ecx=07da65ec edx=fb6e43a0 esi=07da6370 edi=daf72217
|
|
eip=6d7b4016 esp=0da8d260 ebp=0da8d27c iopl=0 nv up ei ng nz na pe nc
|
|
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
|
|
ccScanw!filelengthi64+0x470b6:
|
|
6d7b4016 8994be005d0000 mov dword ptr [esi+edi*4+5D00h],edx ds:002b:73b748cc=14858d00
|
|
0:052> lm v mccScanw
|
|
start end module name
|
|
6d690000 6d8bf000 ccScanw (export symbols) C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
|
|
Loaded symbol image file: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
|
|
Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
|
|
Image name: ccScanw.dll
|
|
Timestamp: Tue Jan 26 13:51:55 2016 (56A7EA7B)
|
|
CheckSum: 0022B3ED
|
|
ImageSize: 0022F000
|
|
File version: 13.1.2.19
|
|
Product version: 13.1.2.19
|
|
File flags: 0 (Mask 3F)
|
|
File OS: 40004 NT Win32
|
|
File type: 1.0 App
|
|
File date: 00000000.00000000
|
|
Translations: 0409.04b0
|
|
CompanyName: Symantec Corporation
|
|
ProductName: Symantec Security Technologies
|
|
InternalName: ccScan
|
|
OriginalFilename: CCSCAN.DLL
|
|
ProductVersion: 13.1.2.19
|
|
FileVersion: 13.1.2.19
|
|
FileDescription: Symantec Scan Engine
|
|
LegalCopyright: Copyright (c) 2015 Symantec Corporation. All rights reserved.
|
|
|
|
These bugs are obviously exploitable for remote code execution on all Symantec customer machines as root or SYSTEM.
|
|
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40031.zip |