[NT] Symantec AntiVirus Buffer Overflow

Subject: [NT] Symantec AntiVirus Buffer Overflow
Date: 6 Oct 2005 15:48:13 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Symantec AntiVirus Buffer Overflow
------------------------------------------------------------------------


SUMMARY

Symantec Scan Engine 
<http://enterprisesecurity.symantec.com/products/products.cfm?productid=173> 
is a "fast, scalable, and reliable content scanning services and API to 
protect against viruses and other unwanted content."

A buffer overflow in Symantec AntiVirus Scan Engine allows attackers to 
cause the program to execute arbitrary code.

DETAILS

Vulnerable Systems:
 * Symantec AntiVirus Scan Engine version 4.0
 * Symantec AntiVirus Scan Engine version 4.3
 * Symantec AntiVirus for Microsoft ISA Server 2000 version 4.0
 * Symantec AntiVirus for Microsoft ISA Server 2000 version 4.3
 * Symantec AntiVirus for Netapp Filer version 4.0
 * Symantec AntiVirus for Messaging version 4.3
 * Symantec AntiVirus for Netapp NetCache version 4.0
 * Symantec AntiVirus for Network Attached Storage version 4.0
 * Symantec AntiVirus for Bluecoat version 4.0
 * Symantec AntiVirus for Caching version 4.3
 * Symantec AntiVirus for Microsoft SharePoint version 4.3
 * Symantec AntiVirus for Clearswift version 4.0
 * Symantec AntiVirus for Clearswift version 4.3

Immune Systems:
 * Symantec AntiVirus Scan Engine version 4.1

The vulnerability exists due to insufficient input validation of HTTP 
headers. A remote attacker can send a specially crafted HTTP request to 
the administrative Scan Engine web service on TCP port 8004 to crash the 
service or execute arbitrary code. Because a length value taken from the 
request is handled as a signed integer, a connecting client can supply a 
negative value; the service interprets that value as a very large unsigned 
number and later passes it as the length argument to a memory copy 
operation. The resulting overly long copy overflows a heap buffer, and a 
carefully crafted request can turn that heap overflow into arbitrary code 
execution.

Successful exploitation of the vulnerability can result in remote code 
execution with SYSTEM privileges. Exploitation does not require 
credentials or any other element in the attack other than being able to 
send an HTTP request to TCP port 8004 (the administrative port named 
above) on the vulnerable server. It is recommended to apply the 
vendor-supplied workaround or upgrade to the latest available version of 
the software.
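The signed-length pattern described above, as an added example that is not Symantec's code and is not taken from the iDefense advisory: a toy HTTP Content-Length parser in which the length is compared as a signed int before reaching memcpy, placed beside a hardened parser that refuses a sign character and bounds the value as an unsigned number. The 64-byte heap buffer, the header handling, the simulated handler and the three requests are all assumptions constructed for illustration; the handler reports where the overflow would happen instead of performing it.

```c
/* Added example, not Symantec's code. Buffer size, header handling and
 * the requests below are constructed for illustration only. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BODY_BUF_SIZE 64   /* assumed size of the heap buffer the body lands in */

enum result { RESULT_OK = 0, RESULT_REJECTED = 1, RESULT_OVERFLOW = 2 };

/* Point at the value after "Content-Length:", or return NULL. */
static const char *content_length_value(const char *req)
{
    const char *p = strstr(req, "Content-Length:");
    if (p == NULL)
        return NULL;
    p += strlen("Content-Length:");
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

/* Vulnerable pattern: length parsed into a signed int, so a negative value
 * slips past the upper-bound check and then becomes a huge size_t. */
int vulnerable_copy_length(const char *req, size_t *out_len)
{
    const char *v = content_length_value(req);
    if (v == NULL)
        return -1;
    int len = atoi(v);               /* "-1" parses as -1 */
    if (len > BODY_BUF_SIZE)         /* -1 > 64 is false: check passes */
        return -1;
    *out_len = (size_t)len;          /* -1 becomes SIZE_MAX here */
    return 0;
}

/* Hardened: parse as unsigned, refuse a sign or trailing garbage, and bound
 * the value before it can reach any copy. The explicit digit check matters
 * because strtoul() itself silently accepts "-1" and wraps it to ULONG_MAX. */
int hardened_copy_length(const char *req, size_t *out_len)
{
    const char *v = content_length_value(req);
    if (v == NULL)
        return -1;
    if (*v < '0' || *v > '9')        /* rejects "-1", "+1" and an empty value */
        return -1;
    char *end;
    errno = 0;
    unsigned long len = strtoul(v, &end, 10);
    if (errno == ERANGE)
        return -1;
    if (*end != '\r' && *end != '\n' && *end != '\0')
        return -1;                   /* digits must run to the end of the header */
    if (len > BODY_BUF_SIZE)
        return -1;
    *out_len = (size_t)len;
    return 0;
}

/* Simulated handler: allocates the heap buffer and copies the body with the
 * length the parser produced, but returns RESULT_OVERFLOW at the point where
 * the real memcpy would have run past the buffer instead of doing so. */
enum result handle_request(const char *req, int (*parse)(const char *, size_t *))
{
    size_t n;
    if (parse(req, &n) != 0)
        return RESULT_REJECTED;
    const char *body = strstr(req, "\r\n\r\n");
    if (body == NULL)
        return RESULT_REJECTED;
    body += 4;
    if (n > BODY_BUF_SIZE)           /* the copy that would corrupt the heap */
        return RESULT_OVERFLOW;
    if (strlen(body) < n)            /* truncated request: nothing to copy */
        return RESULT_REJECTED;
    char *buf = malloc(BODY_BUF_SIZE);
    if (buf == NULL)
        return RESULT_REJECTED;
    memcpy(buf, body, n);
    free(buf);
    return RESULT_OK;
}

/* Constructed requests for the demonstration. */
const char REQ_NEGATIVE[] = "POST /admin HTTP/1.0\r\nContent-Length: -1\r\n\r\n";
const char REQ_OK[]       = "POST /admin HTTP/1.0\r\nContent-Length: 10\r\n\r\n0123456789";
const char REQ_TOO_BIG[]  = "POST /admin HTTP/1.0\r\nContent-Length: 100000\r\n\r\n";

int main(void)
{
    printf("negative length, vulnerable parser: %d (2 = heap overflow)\n",
           handle_request(REQ_NEGATIVE, vulnerable_copy_length));
    printf("negative length, hardened parser:   %d (1 = rejected)\n",
           handle_request(REQ_NEGATIVE, hardened_copy_length));
    return 0;
}
```

The point to take from the two parsers is that the large positive value is already rejected by the vulnerable code; only the negative value survives the `len > BODY_BUF_SIZE` comparison, and the damage is done by the implicit conversion to `size_t` at the copy, not by the comparison itself. Parsing lengths as unsigned and checking the first character before calling `strtoul()` closes both paths.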

Workaround:
The vendor has supplied the following workaround solution:

"Default installation instructions state that, for security reasons, 
customers should access the administrative interface using a switch or via 
a secure segment of the network. The Symantec AntiVirus Scan Engine 
Administration default port, 8004/tcp, should be locked down for trusted 
internal access only. This port can be changed, as it might conflict with 
existing applications in the environment. But whatever port is used for 
the user-interface, it should never be visible externally to the network, 
which greatly reduces opportunities for unauthorized access. A customer 
may choose to completely disable the Symantec AntiVirus Scan Engine's 
user-interface once it has been satisfactorily configured.

 * To disable the user interface, set the port to "0" in the 
user-interface and restart the Symantec AntiVirus Scan Engine.
 * To re-enable the user-interface, edit the Symantec AntiVirus Scan 
Engine configuration file, set the port back to 8004/tcp, or the 
applicable user-configured port, and restart the Symantec AntiVirus Scan 
Engine."

Vendor Response:
"Symantec Engineers have verified this issue and made security updates 
available for the Symantec AntiVirus Scan Engine. Symantec strongly 
recommends all customers immediately apply the latest updates for their 
supported product versions to protect against these types of threats.
Symantec is unaware of any adverse customer impact from this issue."

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2758> 
CAN-2005-2758

Disclosure Timeline:
08/31/2005 - Initial vendor notification
08/31/2005 - Initial vendor response
10/04/2005 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDEFENSE Labs 
<mailto:labs-no-reply@idefense.com>.
The original article can be found at:
http://www.idefense.com/application/poi/display?id=314&type=vulnerabilities
The vendor advisory can be found at:
http://www.symantec.com/avcenter/security/Content/2005.10.04.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 



