
NTBugtraq: FW: [SA14179] Symantec Multiple Products UPX Parsing Engine Buffer Overflow

Subject: FW: [SA14179] Symantec Multiple Products UPX Parsing Engine Buffer Overflow
From: Mitlyng, Matthew J. SGT (MN)
Date: Wed, 9 Feb 2005 07:37:53 -0600
TITLE:
Symantec Multiple Products UPX Parsing Engine Buffer Overflow

SECUNIA ADVISORY ID:
SA14179

VERIFY ADVISORY:
http://secunia.com/advisories/14179/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

OPERATING SYSTEM:
Symantec Gateway Security 1.x
http://secunia.com/product/876/
Symantec Gateway Security 2.x
http://secunia.com/product/3104/

SOFTWARE:
Norton Internet Security 2004
http://secunia.com/product/2441/
Norton Internet Security 2004 Professional
http://secunia.com/product/2442/
Norton SystemWorks 2004
http://secunia.com/product/2796/
Symantec AntiVirus Corporate Edition 8.x
http://secunia.com/product/659/
Symantec AntiVirus Corporate Edition 9.x
http://secunia.com/product/3549/
Symantec AntiVirus for Caching 4.x
http://secunia.com/product/4626/
Symantec AntiVirus for Network Attached Storage 4.x
http://secunia.com/product/4625/
Symantec AntiVirus for SMTP Gateways 3.x
http://secunia.com/product/2231/
Symantec AntiVirus Scan Engine 4.x
http://secunia.com/product/3040/
Symantec AntiVirus/Filtering for Domino
http://secunia.com/product/2029/
Symantec Brightmail AntiSpam 4.x
http://secunia.com/product/4627/
Symantec Brightmail AntiSpam 5.x
http://secunia.com/product/4628/
Symantec Client Security 1.x
http://secunia.com/product/2344/
Symantec Client Security 2.x
http://secunia.com/product/3478/
Symantec Mail Security for Exchange 4.x
http://secunia.com/product/2820/
Symantec Mail Security for SMTP 4.x
http://secunia.com/product/3558/
Symantec Norton AntiVirus 2004
http://secunia.com/product/2800/
Symantec Norton AntiVirus for Microsoft Exchange 2.x
http://secunia.com/product/1017/
Symantec Web Security 3.x
http://secunia.com/product/2813/

DESCRIPTION:
ISS X-Force has reported a vulnerability in multiple Symantec products,
which can be exploited by malicious people to compromise a vulnerable
system.

The vulnerability is caused due to a boundary error in the DEC2EXE parsing
engine used by the antivirus scanning functionality when processing UPX
compressed files. This can be exploited to cause a heap-based buffer
overflow via a specially crafted UPX file.

Successful exploitation allows execution of arbitrary code.
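As an added illustration (not part of the Secunia advisory, and not code from Symantec, ISS or the UPX project), the C below shows the general shape of the bug class the description names: a parser of a compressed executable sizes a heap buffer from a length field the file itself supplies and then copies using a different length, so a file whose header and body disagree writes past the allocation. The "TOY!" container, its fields, the `TOY_MAX_UNPACKED` cap and all sample inputs are constructed for this example; the page does not describe the real DEC2EXE or UPX layouts, and nothing here reproduces them. The hardened `toy_unpack` checks every length that drives an allocation or a copy before memory is touched.

```c
/* Added example: the boundary-error class from the advisory, in a constructed
 * container format.  NOT Symantec/ISS/UPX code; "TOY!" layout is invented. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed header: 4 magic bytes, then a little-endian uint32 that the
 * file claims is the unpacked size.  The packed payload follows the header. */
#define TOY_MAGIC        "TOY!"
#define TOY_HDR_LEN      8u
#define TOY_MAX_UNPACKED 4096u   /* scanner's own policy cap, not a file field */

enum toy_status { TOY_OK = 0, TOY_TRUNCATED, TOY_BAD_MAGIC, TOY_SIZE_LIMIT,
                  TOY_SIZE_MISMATCH, TOY_NO_MEMORY };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable shape (never called here): the heap buffer is sized from the
 * header's claim, the copy from the bytes actually present.  When the payload
 * is longer than the declared size, memcpy runs off the end of the buffer. */
uint8_t *toy_unpack_unsafe(const uint8_t *file, size_t file_len)
{
    uint32_t declared = rd_le32(file + 4);                   /* trusted as-is */
    uint8_t *out = malloc(declared);                         /* sized by the claim */
    memcpy(out, file + TOY_HDR_LEN, file_len - TOY_HDR_LEN); /* sized by reality */
    return out;
}

/* Hardened version: on TOY_OK, *out is a malloc'd buffer of exactly *out_len
 * bytes that the caller frees; every other status leaves *out NULL. */
static enum toy_status toy_unpack(const uint8_t *file, size_t file_len,
                                  uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (file_len < TOY_HDR_LEN)                  /* whole header must be present */
        return TOY_TRUNCATED;
    if (memcmp(file, TOY_MAGIC, 4) != 0)
        return TOY_BAD_MAGIC;

    uint32_t declared = rd_le32(file + 4);
    size_t payload = file_len - TOY_HDR_LEN;     /* cannot underflow: checked above */

    if (declared == 0 || declared > TOY_MAX_UNPACKED) /* refuse absurd claims; also
                                                         keeps the malloc size sane */
        return TOY_SIZE_LIMIT;
    if (declared != payload)                     /* header claim must match body */
        return TOY_SIZE_MISMATCH;

    uint8_t *buf = malloc(declared);
    if (buf == NULL)
        return TOY_NO_MEMORY;
    memcpy(buf, file + TOY_HDR_LEN, declared);   /* bounded by both checks above */
    *out = buf;
    *out_len = declared;
    return TOY_OK;
}

/* Builds a constructed sample: header with an arbitrary (possibly lying)
 * declared size, followed by payload_len bytes of 0x41. */
static size_t toy_build(uint8_t *dst, size_t cap, uint32_t declared, size_t payload_len)
{
    if (cap < TOY_HDR_LEN + payload_len) return 0;
    memcpy(dst, TOY_MAGIC, 4);
    dst[4] = (uint8_t)declared;         dst[5] = (uint8_t)(declared >> 8);
    dst[6] = (uint8_t)(declared >> 16); dst[7] = (uint8_t)(declared >> 24);
    memset(dst + TOY_HDR_LEN, 0x41, payload_len);
    return TOY_HDR_LEN + payload_len;
}

/* Runs the hardened parser over a constructed sample and returns its verdict.
 * pass_len == 0 feeds the whole sample; otherwise only pass_len bytes, which
 * simulates a file cut off mid-header or mid-body. */
static enum toy_status toy_check_sample(uint32_t declared, size_t payload_len, size_t pass_len)
{
    uint8_t file[64];
    size_t n = toy_build(file, sizeof file, declared, payload_len);
    uint8_t *out; size_t out_len;
    enum toy_status st = toy_unpack(file, pass_len ? pass_len : n, &out, &out_len);
    free(out);
    return st;
}

int main(void)
{
    printf("honest 16-byte file:        %d\n", toy_check_sample(16, 16, 0));
    printf("claims 8, carries 32:       %d\n", toy_check_sample(8, 32, 0));
    printf("claims 0xFFFFFFFF, has 8:   %d\n", toy_check_sample(0xFFFFFFFFu, 8, 0));
    printf("cut off after 5 bytes:      %d\n", toy_check_sample(16, 16, 5));
    return 0;
}
```

The second sample is the one that matters for this bug class: in `toy_unpack_unsafe` it would allocate 8 bytes and copy 32, which is the heap overflow; `toy_unpack` rejects it before any allocation happens because the declared and actual lengths are compared first. The cap on `declared` is a separate control: even when header and body agree, a scanner should not let a file dictate an arbitrarily large allocation.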

The vulnerability affects the following products:
* Norton AntiVirus for Microsoft Exchange 2.1 (prior to build 2.18.85)
* Symantec Mail Security for Microsoft Exchange 4.0 (prior to build 4.0.10.465)
* Symantec Mail Security for Microsoft Exchange 4.5 (prior to build 4.5.3)
* Symantec AntiVirus/Filtering for Domino NT 3.1 (prior to build 3.1.1)
* Symantec Mail Security for Domino 4.0 (prior to build 4.0.1)
* Symantec AntiVirus/Filtering for Domino Ports 3.0 for AIX (prior to build 3.0.6)
* Symantec AntiVirus/Filtering for Domino Ports 3.0 for OS400, Linux, Solaris (prior to build 3.0.7)
* Symantec AntiVirus Scan Engine 4.3 (prior to build 4.3.3)
* Symantec AntiVirus for Network Attached Storage (prior to build 4.3.3)
* Symantec AntiVirus for Caching (prior to build 4.3.3)
* Symantec AntiVirus for SMTP 3.1 (prior to build 3.1.7)
* Symantec Mail Security for SMTP 4.0 (prior to build 4.0.2)
* Symantec Web Security 3.0 (prior to build 3.0.1.70)
* Symantec BrightMail AntiSpam 4.0
* Symantec BrightMail AntiSpam 5.5
* Symantec AntiVirus Corporate Edition 9.0 (prior to build 9.01.1000)
* Symantec AntiVirus Corporate Edition 8.01, 8.1.1
* Symantec Client Security 2.0 (prior to build 9.01.1000)
* Symantec Client Security 1.0
* Symantec Gateway Security 2.0, 2.0.1 - 5400 Series
* Symantec Gateway Security 1.0 - 5300 Series
* Symantec Norton Antivirus 2004 for Windows
* Symantec Norton Internet Security 2004 (pro) for Windows
* Symantec Norton System Works 2004 for Windows
* Symantec Norton Antivirus 2004 for Macintosh
* Symantec Norton Internet Security 2004 for Macintosh
* Symantec Norton System Works 2004 for Macintosh
* Symantec Norton Antivirus 9.0 for Macintosh
* Symantec Norton Internet Security for Macintosh 3.0
* Symantec Norton System Works for Macintosh 3.0

SOLUTION:
Updates are available (see the vendor advisory for details).

PROVIDED AND/OR DISCOVERED BY:
Alex Wheeler, ISS X-Force.

ORIGINAL ADVISORY:
Symantec:
http://www.sarc.com/avcenter/security/Content/2005.02.08.html

ISS X-Force:
http://xforce.iss.net/xforce/alerts/id/187

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help everybody
keep their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by clicking
the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

--
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an
Anti-Virus product which automatically notifies the perceived sender of a
message it believes is infected may well cause more harm than good. Someone who
did not actually send you a virus may receive the notification and scramble
their support staff to find an infection which never existed in the first
place. Suggest such notifications be disabled by whoever is responsible for
your AV, or at least that the idea is considered.
--
