• IDP Daily Update #1282
  posted: 10/10/08
  
• NSM Daily Update #1282
  posted: 10/10/08
  
• Deep Inspection 5.3r5 and above, 5.4, 6.0 #1282
  posted: 10/10/08
  
• Deep Inspection 5.1, 5.2, 5.3r4 and below #1274
  posted: 10/10/08
  
• Deep Inspection 5.0 #1132
  posted: 04/01/08
  
• Antivirus
  posted: 10/10/08

Text Size:        

• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Symantec AntiVirus Remote Stack Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

Multiple Symantec products are prone to a remote stack buffer-overflow vulnerability.

This issue presents itself in the management interface of affected products. The management interface listens on TCP port 2967, and is often enabled in enterprise settings. Although management communications typically occur over SSL-encrypted sessions, cleartext communications will also be accepted.

Specifically, when the management interface receives COM_FORWARD_LOG commands, an arithmetic operation where the string length of the argument to the command is subtracted from either 0x17A or 0x17C. The result of this operation is directly used as the size parameter of a 'strncpy()' function call. Since 'strncpy()' takes an unsigned integer value, argument string lengths longer than 0x17A or 0x17C will result in a negative value, which will be interpreted as a very large positive size argument. This allows remote attackers to overwrite adjacent memory with approximately 64k of arbitrary data.

This issue allows remote attackers to execute arbitrary machine code with SYSTEM-level privileges, facilitating the complete compromise of affected computers. Reportedly, exploiting this issue does not require user interaction.

Symantec AntiVirus Corporate Edition 10.1 and Symantec Client Security 3.1 are currently known to be vulnerable to this issue. All supported platforms are affected including Microsoft Windows and Novell NetWare.

Affected Products:

• Symantec AntiVirus Corporate Edition 10.0.0
• Symantec AntiVirus Corporate Edition 10.0.2 .2001
• Symantec AntiVirus Corporate Edition 10.0.2.2000
• Symantec AntiVirus Corporate Edition 10.0.2.2010
• Symantec AntiVirus Corporate Edition 10.0.2.2020
• Symantec AntiVirus Corporate Edition 10.1
• Symantec AntiVirus Corporate Edition 10.1.0.394
• Symantec AntiVirus Corporate Edition 10.1.0.400
• Symantec Client Security 3.0.0
• Symantec Client Security 3.0.2.2000
• Symantec Client Security 3.0.2.2001
• Symantec Client Security 3.0.2.2010
• Symantec Client Security 3.0.2.2020
• Symantec Client Security 3.1
• Symantec Client Security 3.1.0.394
• Symantec Client Security 3.1.0.400

References:

• eEye: EEYEB-20060524
• Symantec: SYM06-010 - Symantec Client Security and Symantec AntiVirus Elevation of Privile
• Symantec: Symantec AntiVirus Corporate Edition Product Page
• Immunity Partner's: Symantec AntiVirus and Security Client Remote Management Stack Overflow
• Symantec: Symantec Product Advisories
• Symantec: W32.Spybot.ACYR
• Symantec: W32.Spybot.AMTE