
Symantec antivirus bug allows remote memory exploitation

The white hat hacker Tavis Ormandy has discovered a critical exploitable memory overflow bug in the core Symantec Antivirus Engine

British white hat hacker and Google Project Zero chap Tavis Ormandy is making life miserable for Symantec again: the bug-hunter has turned up an exploitable overflow (CVE-2016-2208) in “the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products”.

Described here, the problem is in how the antivirus products handle executables compressed using an early version of the Aspack compression tool.

If the engine encounters truncated section data – “when SizeOfRawData is greater than SizeOfImage” – the buffer overflow occurs. Ormandy writes:

“Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it.”

Entertainingly, it’s a cross-platform bug that affects Windows, Mac, and *nix platforms. In Mac / Linux / Unix, an attacker can cause a remote heap overflow in the Symantec process, giving the attacker root access.

The Windows bug is even better: “On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability – this is about as bad as it can possibly get”, he writes.

The bug is remotely exploitable and affects the way the antivirus products handle executables compressed with an early version of the Aspack compression tool.

Basically, the buffer overflow is triggered when the Symantec Antivirus Engine parses truncated section data, that is, when SizeOfRawData is greater than SizeOfImage.
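As an added example (not code from Ormandy's advisory or from Symantec), here is a small checker that parses PE section headers and flags the inconsistency described above, a SizeOfRawData larger than SizeOfImage, together with the related case of raw data running past end of file. The minimal PE image it builds is constructed for the demonstration and is not a real executable.

```python
import struct

# Fixed sizes from the PE/COFF specification.
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def check_pe_sections(data: bytes) -> list:
    """Return findings for section headers whose SizeOfRawData is larger than
    SizeOfImage (the condition the Aspack unpacker mishandles) or whose raw
    data extends beyond the end of the file (truncated section data)."""
    findings = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["not a PE file: missing MZ header"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["not a PE file: missing PE signature"]
    coff = e_lfanew + 4
    opt = coff + COFF_HEADER_SIZE
    if opt + 60 > len(data):
        return ["headers truncated"]
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    # SizeOfImage sits at offset 56 in both PE32 and PE32+ optional headers.
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    first_section = opt + opt_size
    for i in range(num_sections):
        hdr = first_section + i * SECTION_HEADER_SIZE
        if hdr + SECTION_HEADER_SIZE > len(data):
            findings.append(f"section {i}: header truncated")
            break
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        if size_raw > size_of_image:
            findings.append(f"section {name}: SizeOfRawData {size_raw:#x} > SizeOfImage {size_of_image:#x}")
        if ptr_raw + size_raw > len(data):
            findings.append(f"section {name}: raw data runs {ptr_raw + size_raw - len(data)} bytes past EOF")
    return findings


def build_sample_pe(size_of_image: int, size_raw: int, body_len: int) -> bytes:
    """Construct a minimal single-section PE32 header (not a runnable binary)
    so the checker can be exercised offline with chosen field values."""
    e_lfanew, opt_size = 0x40, 96  # PE32 optional header without data directories
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 56, size_of_image)
    ptr_raw = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size + SECTION_HEADER_SIZE
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", size_raw, 0x1000, size_raw, ptr_raw) + b"\0" * 16
    return dos + b"PE\0\0" + coff + bytes(opt) + sect + b"\0" * body_len
```

Running check_pe_sections over a consistent header returns an empty list; a header whose SizeOfRawData exceeds both SizeOfImage and the bytes actually present returns one finding for each condition.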

The bug is independent of the specific OS; on Windows systems it results in kernel memory corruption, which is worrisome.

The issue also affects Linux, Mac and UNIX platforms resulting in a remote heap overflow as root in the Symantec or Norton process.

The simplest way to exploit the bug in the Symantec Antivirus Engine is to trick victims into opening malicious email or visiting a specifically crafted website.

Ormandy also shared PoC exploit code that can be used to trigger the flaw and crash the Symantec Enterprise Endpoint service.

“The obvious way to exploit this flaw is either via email or a web browser. The attached testcase contains the source code to build a PoC, which should BugCheck (i.e. BSOD) a system with Norton Antivirus installed, or crash Symantec Enterprise Endpoint service. The file testcase.txt is a prebuilt binary (note that file extension is irrelevant here). Just clicking download should be enough to trigger a kernel panic on a vulnerable system (!!!).” continues the expert.

Ormandy tweeted that Live Update will carry some fixes, while others will require a patch. The post also includes an update shared by Symantec explaining that Live Update will fix the problem only in specific cases; for some products a maintenance patch will have to be built, tested and released, which will take more time.

Jay Prakash Kumar
