[NT] Symantec Remote Management Stack Buffer Overflow
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 14 Jun 2006 12:33:32 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Symantec Remote Management Stack Buffer Overflow
------------------------------------------------------------------------
SUMMARY
Improper handling of user input allows attackers to execute arbitrary code
in Symantec Remote Management.
DETAILS
Vulnerable Systems:
* Symantec AntiVirus 10.0.x for Windows (all versions)
* Symantec AntiVirus 10.1.x for Windows (all versions)
* Symantec Client Security 3.0.x for Windows (all versions)
* Symantec Client Security 3.1.x for Windows (all versions)
Immune Systems:
* Symantec AntiVirus 10.x.x for Macintosh
* Symantec AntiVirus 10.x.x for Linux
* Symantec AntiVirus 10.x.x for Wireless
A vulnerability exists in the remote management interface of Symantec
AntiVirus 10.x and Symantec Client Security 3.x that could be exploited by
an anonymous attacker to execute arbitrary code with SYSTEM privileges on
an affected system.
The management interface is typically enabled in enterprise settings and
listens on TCP port 2967 by default, for both server and client systems.
Although remote management traffic is typically SSL-encrypted, managed
systems will accept and process clear-text requests of the vulnerable
type.
The remote management protocol communicated by the affected products is a
proprietary message-based protocol with two levels of encapsulation.
The outer layer comprises a message header indicating one of three message
types: 10, which designates a request to Rtvscan.exe, or 20 or 30, which
mediate SSL negotiation. If SSL is established for a TCP connection,
subsequent traffic is encrypted although the plaintext is still in the
proprietary format.
The data of type-10 messages contains its own header and body which are
processed by Rtvscan.exe. This header features a command field which
specifies the operation to perform and dictates the format of the body
data.
The COM_FORWARD_LOG (0x24) command handler contains an improper use of
strncat that allows a 0x180-byte stack buffer to be overflowed with
arbitrary data. If the first string in the COM_FORWARD_LOG request body
contains a backslash, then one of the following two strncat calls will be
performed:
* If the string contains a comma but no double-quote:
strncat(dest, src, 0x17A - strlen(src));
* Otherwise:
strncat(dest, src, 0x17C - strlen(src));
If the length of the source string exceeds 0x17A or 0x17C characters
respectively, the arithmetic will underflow and result in a very large
copy size (since the copy size argument is of type size_t, which is
unsigned). This causes the entire source string to be appended to the
buffer, allowing the stack to be overwritten with up to 64KB of data in
which only null characters are prohibited.
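The size_t wrap-around described above, as an added illustration that is not code from the advisory or from Symantec: the first function evaluates the same `limit - strlen(src)` expression the handler used (without copying anything), and `safe_append` is one hardened replacement that bounds the append by the space actually left in the destination. The buffer size and the two limits are the values quoted in the advisory; everything else is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Sizes quoted in the advisory: the 0x180-byte stack buffer and the two
 * length limits used by the COM_FORWARD_LOG (0x24) handler. */
#define DEST_SIZE 0x180
#define LIMIT_COMMA_NO_QUOTE 0x17A
#define LIMIT_OTHER 0x17C

/* The size expression from the advisory, evaluated as size_t and without
 * performing any copy. Once strlen(src) exceeds the limit the subtraction
 * wraps to a value near SIZE_MAX, which is what defeated strncat's bound. */
size_t vulnerable_copy_limit(const char *src)
{
    size_t limit = (strchr(src, ',') && !strchr(src, '"'))
                       ? LIMIT_COMMA_NO_QUOTE : LIMIT_OTHER;
    return limit - strlen(src);
}

/* True when the wrapped size could never fit in the destination buffer. */
bool limit_underflowed(const char *src)
{
    return vulnerable_copy_limit(src) > DEST_SIZE;
}

/* Hardened form: bound the append by the room actually left in dest and
 * reject input that does not fit instead of truncating or overflowing. */
bool safe_append(char *dest, size_t dest_size, const char *src)
{
    const char *end = memchr(dest, '\0', dest_size);
    if (end == NULL)
        return false;                      /* dest is not NUL-terminated */
    size_t used = (size_t)(end - dest);
    size_t room = dest_size - used - 1;    /* keep space for the NUL */
    size_t need = strlen(src);
    if (need > room)
        return false;                      /* would overflow: refuse */
    memcpy(dest + used, src, need + 1);
    return true;
}

/* Self-check with a constructed 0x1FF-byte input that exceeds both limits. */
bool demo(void)
{
    char big[0x200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    char dest[DEST_SIZE] = "";
    return limit_underflowed(big)          /* wrapped size_t */
        && !limit_underflowed("C:\\x,y")   /* short string: no wrap */
        && safe_append(dest, DEST_SIZE, "C:\\x,y")
        && !safe_append(dest, DEST_SIZE, big);
}
```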
Rtvscan.exe was compiled with the Visual Studio /GS security option which
institutes stack canary checks, but this security measure can be bypassed
by causing a very large overwrite and taking control of an exception
handler registration.
As a basic workaround against automated exploitation, the management
interface TCP port may be changed via the registry value
"HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AgentIPPort"
in order to accomplish a very slight amount of obfuscation. Remote
management should continue to function even if the new port numbers are
not homogeneous across an enterprise.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2630>
CVE-2006-2630
Vendor Status:
Symantec has released patches for the affected products. For more
information, please consult Symantec security advisory SYM06-010:
<http://www.symantec.com/avcenter/security/Content/2006.05.25.html>
Disclosure Timeline:
Date Reported: May 24, 2006
Release Date: June 12, 2006
ADDITIONAL INFORMATION
The information has been provided by <mailto:Advisories@xxxxxxxx> eEye.