From labs-no-reply@idefense.com Tue Oct 4 18:08:26 2005 From: iDEFENSE Labs To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk Date: Tue, 4 Oct 2005 18:03:24 -0400 Subject: [Full-disclosure] iDEFENSE Security Advisory 10.04.05: Symantec AntiVirus Scan Engine Web Service Buffer Overflow Vulnerability Symantec AntiVirus Scan Engine Web Service Buffer Overflow Vulnerability iDEFENSE Security Advisory 10.04.05 www.idefense.com/application/poi/display?id=314&type=vulnerabilities October 4, 2005 I. BACKGROUND Symantec Scan Engine is a TCP/IP server and programming interface that enables third parties to incorporate support for Symantec content scanning technologies into their proprietary applications. More information is available from the vendor website: http://enterprisesecurity.symantec.com/products/products.cfm?productid=1 73 II. DESCRIPTION Remote exploitation of a buffer overflow vulnerability in Symantec AntiVirus Scan Engine can allow remote attackers to execute arbitrary code. The vulnerability specifically exists due to insufficient input validation of HTTP Headers. A remote attacker can send a specially crafted HTTP request to the administrative Scan Engine Web Wervice on port 8004 to crash the service or execute arbitrary code. Due to improper use of signed integer value types, a negative value can be supplied by a connecting client, which will interpret the value as a very large number and later use the value as an argument to a memory copy operation. An overly long copy will occur resulting in a heap overflow. Remote attackers can supply carefully crafted HTTP requests to trigger the heap overflow and execute arbitrary code. III. ANALYSIS Successful exploitation of the vulnerability can result in remote code execution with SYSTEM privileges. Exploitation of the vulnerability does not require credentials or any other element in the attack other than being able to send a HTTP request to TCP port 8001 on the vulnerable server. It is recommended to apply the vendor-supplied workaround or upgrade to the latest available version of the software. IV. DETECTION iDEFENSE Labs has confirmed the existence of this vulnerability in Symantec AntiVirus Scan Engine 4.0. The vendor has confirmed that the vulnerability also effects products utilizing Symantec AntiVirus Scan Engine 4.3, however Scan Engine 4.1 is not affected. V. WORKAROUND The vendor has supplied the following workaround solution: "Default installation instructions state that, for security reasons, customers should access the administrative interface using a switch or via a secure segment of the network. The Symantec AntiVirus Scan Engine Administration default port, 8004/tcp, should be locked down for trusted internal access only. This port can be changed, as it might conflict with existing applications in the environment. But whatever port is used for the user-interface, it should never be visible external to the network which greatly reduces opportunities for unauthorized access. A customer may choose to completely disable the Symantec AntiVirus Scan Engine's user-interface once it has been satisfactorily configured. * To disable the user interface, set the port to "0" in the user- interface and restart the Symantec AntiVirus Scan Engine. * To re-enable the user-interface, edit the Symantec AntiVirus Scan Engine configuration file, set the port back to 8004/tcp, or the applicable user-configured port, and restart the Symantec AntiVirus Scan Engine." VI. VENDOR RESPONSE "Symantec Engineers have verified this issue and made security updates available for the Symantec AntiVirus Scan Engine. Symantec strongly recommends all customers immediately apply the latest updates for their supported product versions to protect against these types of threats. Symantec is unaware of any adverse customer impact from this issue." A vendor advisory for this issue is available at: http://www.symantec.com/avcenter/security/Content/2005.10.04.html VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-2758 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 08/31/2005 Initial vendor notification 08/31/2005 Initial vendor response 10/04/2005 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. infamous41md[at]hotpop.com is credited with this discovery. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright (c) 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/