
Symantec AntiVirus Library Heap Overflow


A small sample of these vendors can be found in the following link. Depending on how the filtering mechanism and the Symantec product identify RAR archives, it may be insufficient to rely on the file extension (.rar). Be sure to read our vulnerability disclosure policy. The rem0te.com advisory credits Alex Wheeler.

Please use the Vulnerability Reporting Form to report a vulnerability. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. The result is an arbitrary heap overflow with no character restrictions. http://www.iss.net/threats/187.html

Symantec Antivirus Vulnerability

Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. This document was written by Art Manion.

John Hubbard James Riden wrote:
> Apparently, a serious issue exists with many versions of Symantec
> antivirus software:
>
> http://xforce.iss.net/xforce/alerts/id/187
>
> http://www.symantec.com/avcenter/security/Content/2005.02.08.html
>
> According to phone support, Symantec AntiVirus Corporate Edition
> customers

During decompression of RAR files Symantec is vulnerable to multiple heap overflows allowing attackers complete control of the system(s) being protected.

  1. An attacker may provide a negative virtual offset to a crafted PE header, which contains integers used for bounds calculations on subsequent copy operations to buffers allocated on integers from the
  2. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).
  3. The vulnerable DEC2EXE engine contained a heap overflow that could be initiated by sending a specifically crafted UPX file that would be parsed by the vulnerable DEC2EXE engine.
  4. One of the modules (DEC2EXE) in Symantec Antivirus Library parses the UPX (Ultimate Packer for eXecutables) file format.
  5. A remote, unauthenticated attacker may be able to run arbitrary code at root or SYSTEM privileges by taking advantage of these vulnerabilities.

Credit: This vulnerability was discovered and researched by Alex Wheeler. For Solaris and Linux: 1. Symantec takes the security and proper functionality of our products very seriously. Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products.

Solution: Upgrade to a fixed version as specified in Symantec AntiVirus Decomposition Buffer Overflow (SYM05-027). The vulnerable component fails to do proper bounds checks when analyzing certain container files for virus content. Updated CVE Candidate Number. 2/11/2005: Configuration modifications tested and added to disable the vulnerable module in SAVCE and SCS. https://www.us-cert.gov/ncas/alerts/TA16-187A HTTP, FTP, POP3), but some may require user interaction.

While there has been no evidence of exploitation, the ease of attack, widespread nature of the products, and severity of the exploit may make this vulnerability a popular target. Contact: security () rem0te com. A Symantec Product Security team member will contact you regarding your submission. Some of these products are in widespread use throughout government and industry.


Symantec has NOT seen any active attempts against or organizations impacted by this issue.

Symantec Antivirus Vulnerability
Risk Impact: High
Overview: Symantec resolved a potential remote access compromise vulnerability reported by ISS X-Force.
Credit: Symantec acknowledges the X-Force research team and X-Force's Alex Wheeler for identifying this issue and coordinating with Symantec to resolve and release information about the issue.

The attacker could accomplish this in a number of ways including hosting the archive on a web site, sending it as an email attachment, or providing it on a file system.

Recommended Upgrades: As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date.

Disable RAR scanning: It may be possible to filter or disable scanning of RAR archives.

Systems Affected: Symantec, Inc. (Status: Affected; Date Notified: 20 Dec 2005; Date Updated: 24 Dec 2005). If you are a vendor and your product is affected, let us know.

When I check the dec3.cfg, I do not see an entry for Dec2EXE.dll. Details: and 9.0.2) were not in danger. Source: http://www.symantec.com/partners/index.html Recommendation: Disable scanning of RAR compressed files until the vulnerable code is fixed.

The Symantec Product Security PGP key can be found at the end of this message. Symantec http://xforce.iss.net/xforce/alerts/id/187 Further, this library is also licensed to a substantial number of vendors with products/services that are likely affected. The default location for this file is c:\program files\brightmail\config 3.

Description: Symantec AntiVirus and other security products use a library to decompress and scan inside RAR archives.

Restart BrightMail to reload the config file: /etc/init.d/mailwall restart

For Windows:
1. Edit brightmail.cfg in the following way: In the section labeled "Symantec 3 decomposer", remove the following line:
blsymdec3Engine: libdec2exe.so|5
3. Symantec, Symantec products, Symantec Security Response, and [email protected] are registered trademarks of Symantec Corp. If you have received this communication in error, please delete the original message and notify us at this same address.

A remote attacker could exploit these vulnerabilities by causing a Symantec product to scan a specially crafted RAR archive. An attacker sending a specifically crafted UPX file could potentially compromise the targeted system. Virus definitions version 70209af (extended version 2/9/2005 rev. 32) or greater contain this heuristic and are available via Symantec LiveUpdate or Symantec's Intelligent Updater. We are running

Since many scanning processes run with Local System privileges, the attacker could take complete control of a vulnerable system.