Symantec antivirus bug allows allows remote memory exploitation
The white hat hacker Tavis Ormandy has discovered a critical exploitable memory overflow bug in the core Symantec Antivirus Engine
British white hat hacker and Google Project Zero chap Tavis Ormandy is making life miserable for Symantec again: the bug-hunter has turned up an exploitable overflow(CVE-2016-2208) in “the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products”.
Described here, the problem is in how the antivirus products handle executables compressed using an early version of the Aspack compression tool.
If the engine encounters truncated section data – “when SizeOfRawData is greater than SizeOfImage” – the buffer overflow occurs. Ormandy writes:
“Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it.”
Entertainingly, it’s a cross-platform bug that affects Windows, Mac, and *nix platforms. In Mac / Linux / Unix, an attacker can cause a remote heap overflow in the Symantec process, giving the attacker root access.
The Windows bug is even better: “On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability – this is about as bad as it can possibly get”, he writes.
Critical Symantec fix being released later today via LiveUpdate. The other critical RCE vulns cant be fixed via LU, will require a patch.
— Tavis Ormandy (@taviso) May 16, 2016
Just happened to have an up to date Symantec box lying around and got to play with @taviso 's bug. #facepalm pic.twitter.com/Cf2u8NqtCI
— Rob Fuller (@mubix) May 17, 2016
The bug is remotely exploitable and affects the way the antivirus products handle executables compressed leveraging on an early version of the Aspack compression tool.
Basically, the a buffer overflow is triggered when the Symantec Antivirus Engine parses truncated section data, so when SizeOfRawData is greater than SizeOfImage.
The bug is independent of the specific OS, on Windows systems it results in kernel memory corruption, this is worrisome.
The issue also affects Linux, Mac and UNIX platforms resulting in a remote heap overflow as root in the Symantec or Norton process.
The simplest way to exploit the bug in the Symantec Antivirus Engine is to trick victims into opening malicious email or visiting a specifically crafted website.
Ormandy also shared a PoC exploit code that could be used to trigger the flaw and crash the Symantec Enterprise Endpoint service.
“The obvious way to exploit this flaw is either via email or a web browser. The attached testcase contains the source code to build a PoC, which should BugCheck (i.e. BSOD) a system with Norton Antivirus installed, or crash Symantec Enterprise Endpoint service. The file testcase.txt is a prebuilt binary (note that file extension is irrelevant here). Just clicking download should be enough to trigger a kernel panic on a vulnerable system (!!!).” continues the expert.
Ormandy tweeted that Live Update will carry some fixes, while others will require a patch.The post also includes an update shared by Symantec that explained that Live Update will fix the problem only in specific cases, for some products it will be required a maintenance patch build test, release which will take more time.