FW: [SA14179] Symantec Multiple Products UPX Parsing Engine Buffer Overflow

From: Mitlyng, Matthew J. SGT (MN) (matthew.mitlyng_at_US.ARMY.MIL)
Date: 02/09/05

    Date:         Wed, 9 Feb 2005 07:37:53 -0600
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    TITLE:
    Symantec Multiple Products UPX Parsing Engine Buffer Overflow

    SECUNIA ADVISORY ID:
    SA14179

    VERIFY ADVISORY:
    http://secunia.com/advisories/14179/

    CRITICAL:
    Highly critical

    IMPACT:
    System access

    WHERE:
    From remote

    OPERATING SYSTEM:
    Symantec Gateway Security 1.x
    http://secunia.com/product/876/
    Symantec Gateway Security 2.x
    http://secunia.com/product/3104/

    SOFTWARE:
    Norton Internet Security 2004
    http://secunia.com/product/2441/
    Norton Internet Security 2004 Professional
    http://secunia.com/product/2442/
    Norton SystemWorks 2004
    http://secunia.com/product/2796/
    Symantec AntiVirus Corporate Edition 8.x
    http://secunia.com/product/659/
    Symantec AntiVirus Corporate Edition 9.x
    http://secunia.com/product/3549/
    Symantec AntiVirus for Caching 4.x
    http://secunia.com/product/4626/
    Symantec AntiVirus for Network Attached Storage 4.x
    http://secunia.com/product/4625/
    Symantec AntiVirus for SMTP Gateways 3.x
    http://secunia.com/product/2231/
    Symantec AntiVirus Scan Engine 4.x
    http://secunia.com/product/3040/
    Symantec AntiVirus/Filtering for Domino
    http://secunia.com/product/2029/
    Symantec Brightmail AntiSpam 4.x
    http://secunia.com/product/4627/
    Symantec Brightmail AntiSpam 5.x
    http://secunia.com/product/4628/
    Symantec Client Security 1.x
    http://secunia.com/product/2344/
    Symantec Client Security 2.x
    http://secunia.com/product/3478/
    Symantec Mail Security for Exchange 4.x
    http://secunia.com/product/2820/
    Symantec Mail Security for SMTP 4.x
    http://secunia.com/product/3558/
    Symantec Norton AntiVirus 2004
    http://secunia.com/product/2800/
    Symantec Norton AntiVirus for Microsoft Exchange 2.x
    http://secunia.com/product/1017/
    Symantec Web Security 3.x
    http://secunia.com/product/2813/

    DESCRIPTION:
    ISS X-Force has reported a vulnerability in multiple Symantec products,
    which can be exploited by malicious people to compromise a vulnerable
    system.

    The vulnerability is caused due to a boundary error in the DEC2EXE parsing
    engine used by the antivirus scanning functionality when processing UPX
    compressed files. This can be exploited to cause a heap-based buffer
    overflow via a specially crafted UPX file.

    Successful exploitation allows execution of arbitrary code.

    The vulnerability affects the following products:
    * Norton AntiVirus for Microsoft Exchange 2.1 (prior to build 2.18.85)
    * Symantec Mail Security for Microsoft Exchange 4.0 (prior to build 4.0.10.465)
    * Symantec Mail Security for Microsoft Exchange 4.5 (prior to build 4.5.3)
    * Symantec AntiVirus/Filtering for Domino NT 3.1 (prior to build 3.1.1)
    * Symantec Mail Security for Domino 4.0 (prior to build 4.0.1)
    * Symantec AntiVirus/Filtering for Domino Ports 3.0 for AIX (prior to build 3.0.6)
    * Symantec AntiVirus/Filtering for Domino Ports 3.0 for OS400, Linux, Solaris (prior to build 3.0.7)
    * Symantec AntiVirus Scan Engine 4.3 (prior to build 4.3.3)
    * Symantec AntiVirus for Network Attached Storage (prior to build 4.3.3)
    * Symantec AntiVirus for Caching (prior to build 4.3.3)
    * Symantec AntiVirus for SMTP 3.1 (prior to build 3.1.7)
    * Symantec Mail Security for SMTP 4.0 (prior to build 4.0.2)
    * Symantec Web Security 3.0 (prior to build 3.0.1.70)
    * Symantec BrightMail AntiSpam 4.0
    * Symantec BrightMail AntiSpam 5.5
    * Symantec AntiVirus Corporate Edition 9.0 (prior to build 9.01.1000)
    * Symantec AntiVirus Corporate Edition 8.01, 8.1.1
    * Symantec Client Security 2.0 (prior to build 9.01.1000)
    * Symantec Client Security 1.0
    * Symantec Gateway Security 2.0, 2.0.1 - 5400 Series
    * Symantec Gateway Security 1.0 - 5300 Series
    * Symantec Norton Antivirus 2004 for Windows
    * Symantec Norton Internet Security 2004 (pro) for Windows
    * Symantec Norton System Works 2004 for Windows
    * Symantec Norton Antivirus 2004 for Macintosh
    * Symantec Norton Internet Security 2004 for Macintosh
    * Symantec Norton System Works 2004 for Macintosh
    * Symantec Norton Antivirus 9.0 for Macintosh
    * Symantec Norton Internet Security for Macintosh 3.0
    * Symantec Norton System Works for Macintosh 3.0

    SOLUTION:
    Updates are available (see the vendor advisory for details).

    PROVIDED AND/OR DISCOVERED BY:
    Alex Wheeler, ISS X-Force.

    ORIGINAL ADVISORY:
    Symantec:
    http://www.sarc.com/avcenter/security/Content/2005.02.08.html

    ISS X-Force:
    http://xforce.iss.net/xforce/alerts/id/187

    ----------------------------------------------------------------------

    About:
    This Advisory was delivered by Secunia as a free service to help everybody
    keep their systems up to date against the latest vulnerabilities.

    Subscribe:
    http://secunia.com/secunia_security_advisories/

    Definitions: (Criticality, Where etc.)
    http://secunia.com/about_secunia_advisories/

    Please Note:
    Secunia recommends that you verify all advisories you receive by clicking
    the link.
    Secunia NEVER sends attached files with advisories.
    Secunia does not advise people to install third party patches, only use
    those supplied by the vendor.

    --
    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
    --
    
