ID

VAR-200605-0399

CVE

CVE-2006-2630

TITLE

Symantec products vulnerable to buffer overflow

DESCRIPTION

Stack-based buffer overflow in Symantec Antivirus 10.1 and Client Security 3.1 allows remote attackers to execute arbitrary code via unknown attack vectors. Symantec products are vulnerable to a stack-based buffer overflow. Symantec AntiVirus Corporate Edition 10.1 and Symantec Client Security 3.1 are currently known to be vulnerable to this issue. All supported platforms are affected including Microsoft Windows and Novell Netware. Symantec AntiVirus is a very popular antivirus solution. The remote management protocol used by the affected products for communication is a proprietary message-based protocol with two levels of encapsulation. The outer layer consists of message headers, which may be message type 10, which means requesting Rtvscan.exe, or type 20 or 30, which means forwarding SSL negotiation. If SSL is created for a TCP connection, subsequent communication is encrypted, although there is still plaintext in the private format. The data of the type 10 message contains its own header and message body, both of which are processed by Rtvscan.exe. There is a command field in this header, which specifies the operation to be performed and the format of the message body data. COM_FORWARD_LOG (0x24) The command handler does not use strncat correctly, allowing to overwrite the 0x180 byte stack buffer with arbitrary data. If the first string in the COM_FORWARD_LOG request contains a backslash, one of two strncat calls is performed: * If the string contains commas but no double quotes: strncat(dest, src, 0x17A - strlen(src )); * Otherwise: strncat(dest, src, 0x17C - strlen(src)); If the length of the source string exceeds 0x17A or 0x17C characters respectively, the arithmetic will underflow, resulting in a large memory copy size. This might allow appending this source string to the buffer, overwriting the stack with 64KB of data (null characters excluded). Rtvscan.exe is compiled with the Visual Studio /GS security option and includes stack canary checks. But an attacker can bypass this security measure by overriding and controlling the exception handler registration. SOLUTION: Apply patches (see patch matrix in vendor advisory). PROVIDED AND/OR DISCOVERED BY: eEye Digital Security ORIGINAL ADVISORY: Symantec: http://securityresponse.symantec.com/avcenter/security/Content/2006.05.25.html eEye Digital Security: http://www.eeye.com/html/research/upcoming/20060524.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

buffer overflow

EXPLOIT AVAILABILITY

EXTERNAL IDS

REFERENCES

CREDITS

eEye info@eEye.com Derek Soeder dsoeder@eeye.com

SOURCES

LAST UPDATE DATE

2024-08-14T14:00:20.487000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE