Missing Bounds Checks in Symantec Antivirus Scan Engine

vendor:

Symantec Scan Engine

by:

Project Zero

7,8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Symantec Scan Engine

Affected Version From: 22.6.0.142

Affected Version To: 22.6.0.142

Patch Exists: YES

Related CWE: N/A

CPE: a:symantec:symantec_scan_engine

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows, Linux, Mac

2017

Missing Bounds Checks in Symantec Antivirus Scan Engine

The routine uses a 16bit value read from the file to index a 256 element array without any bounds checking, the attached testcase should demonstrate this reliably.

Mitigation:

Update to the latest version of Symantec Antivirus Scan Engine

Source

Exploit-DB raw data:

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=821

A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITY\SYSTEM on Windows, and root on Linux and Mac. Simple fuzzing of zip archives discovered missing bounds checks in the routine ALPkOldFormatDecompressor::UnShrink, used to decode Zip archives. 

The routine uses a 16bit value read from the file to index a 256 element array without any bounds checking, the attached testcase should demonstrate this reliably. I have verified this on the following products:

    Norton Antivirus, Windows
    Symantec Endpoint Protection, Linux and Windows
    Symantec Scan Engine, Linux and Windows


(534.700): Access violation - code c0000005 (!!! second chance !!!)
eax=00003000 ebx=00003000 ecx=00003000 edx=00002000 esi=16adeb58 edi=16ad8b1b
eip=6ba47ec3 esp=16ad6af0 ebp=16adeb20 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
ccScanw!filelengthi64+0x3af63:
6ba47ec3 66399445fcbfffff cmp     word ptr [ebp+eax*2-4004h],dx ss:002b:16ae0b1c=????
0:071> ub
ccScanw!filelengthi64+0x3af3f:
6ba47e9f 8bb5ec7fffff    mov     esi,dword ptr [ebp-8014h]
6ba47ea5 8bc7            mov     eax,edi
6ba47ea7 8985e07fffff    mov     dword ptr [ebp-8020h],eax
6ba47ead e96d010000      jmp     ccScanw!filelengthi64+0x3b0bf (6ba4801f)
6ba47eb2 0fbfc3          movsx   eax,bx
6ba47eb5 ba00200000      mov     edx,2000h
6ba47eba 8dbdfb9fffff    lea     edi,[ebp-6005h]
6ba47ec0 0fb7cb          movzx   ecx,bx
0:071> lmv m ccScanw
start    end        module name
6b930000 6bb5f000   ccScanw    (export symbols)       C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
    Loaded symbol image file: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
    Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
    Image name: ccScanw.dll
    Timestamp:        Tue Jan 26 13:51:55 2016 (56A7EA7B)
    CheckSum:         0022B3ED
    ImageSize:        0022F000
    File version:     13.1.2.19
    Product version:  13.1.2.19
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Symantec Corporation
    ProductName:      Symantec Security Technologies
    InternalName:     ccScan
    OriginalFilename: CCSCAN.DLL
    ProductVersion:   13.1.2.19
    FileVersion:      13.1.2.19
    FileDescription:  Symantec Scan Engine
    LegalCopyright:   Copyright (c) 2015 Symantec Corporation. All rights reserved.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40036.zip