header-logo
Suggest Exploit
vendor:
Scan Engine
by:
Project Zero
7,8
CVSS
HIGH
Heap Overflow
119
CWE
Product Name: Scan Engine
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2017

Heap Overflow in Symantec Scan Engine

Symantec attempts to clean or remove components from archives or other multipart containers that they detect as malicious. The code that they use to remove components from MIME encoded messages in CMIMEParser::UpdateHeader() assumes that filenames cannot be longer than 77 characters. This assumption is obviously incorrect, names can be any length, resulting in a very clean heap overflow. The heap overflow occurs because Symantec does the cleaning in multiple stages, first changing the Content-Type to 'text/plain', then changing the filename to 'DELETED.TXT'. The problem is that during the first stage of this process, they maintain the existing name but use a buffer prepared for the final name.

Mitigation:

Ensure that the code is updated to verify that the old name will fit.
Source

Exploit-DB raw data:

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=818

Symantec attempts to clean or remove components from archives or other multipart containers that they detect as malicious. The code that they use to remove components from MIME encoded messages in CMIMEParser::UpdateHeader() assumes that filenames cannot be longer than 77 characters.

This assumption is obviously incorrect, names can be any length, resulting in a very clean heap overflow.

The heap overflow occurs because Symantec does the cleaning in multiple stages, first changing the Content-Type to "text/plain", then changing the filename to "DELETED.TXT". The problem is that during the first stage of this process, they maintain the existing name but use a buffer prepared for the final name.

Something like:

char *buf = malloc(strlen(NewContentType) + strlen(LengthOfNewEncodedFilename) + 100)

// First change the content-type
strcpy(buf, "Content-Type: ");
strcpy(buf, NewContentType;
strcpy(buf, "; name=\"");
strcpy(buf, OldFileName);

...
UpdateName(buf, NewFileName);
...

This obviously won't work, because it doesn't verify that the old name will fit. I've attached an example MIME message that triggers this code in Symantec Scan Engine.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40034.zip

Navigation

Suggest Exploit

Services By CQR