SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   Symantec Security Check Vendors:   Symantec
Symantec Security Check ActiveX Control Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007029
SecurityTracker URL:  http://securitytracker.com/id/1007029
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 23 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  

Description:   A buffer overflow vulnerability was reported in Symantec Security Check. A remote user can execute arbitrary code with the privileges of the target user.

Cesar Cerrudo reported that a remote user can pass a long string as a parameter to the "Symantec RuFSI Utility Class" ActiveX control's "CompareVersionStrings" method to trigger a stack overflow. A remote user can create specially crafted HTML that, when loaded by the target user, will execute arbitrary code with the privileges of the target user.

According to the report, the vulnerable ActiveX control is marked as "safe", so the default Microsoft Internet Explorer configuration will not block execution of the control.

It is reported the Symantec Security Check requires the vulnerable ActiveX control. Users that have previously run Symantec Security Check are reportedly affected.

A demonstration exploit is provided:

<object
classid="clsid:69DEAF94-AF66-11D3-BEC0-00105AA9B6AE"
id="test">
</object>

<script>
test.CompareVersionStrings("long string here","or long string here")
</script>

Impact:   A remote user can cause arbitrary code to be executed with the privileges of the target user, if the target user has previously run Symantec Security Check.
Solution:   No solution was available at the time of this entry.

The author indicates that, as a workaround, you can check the "%SystemRoot%\Downloaded Program Files\" directory and remove the "Symantec RuFSI Utility Class" ActiveX control, and possibly other Symantec ActiveX controls.

Vendor URL:  www.symantec.com/securitycheck/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 24 2003 (Vendor Issues Fix) Re: Symantec Security Check ActiveX Control Buffer Overflow Lets Remote Users Execute Arbitrary Code
Symantec has issued a fix.



 Source Message Contents

Subject:  [Full-Disclosure] Symantec ActiveX control buffer overflow


Security Advisory

Name:  Symantec ActiveX control buffer overflow.
Systems Affected : Symantec Security Check service.
Severity :  High 
Remote exploitable : Yes
Author:    Cesar Cerrudo.
Date:    06/23/03
Advisory Number:    CC060304


Overview:

Symantec has a free online service for virus and
security scan called Symantec Security Check. 
To access this service a user must go to
http://www.symantec.com/securitycheck/ and then select
what kind of scan want to run. In order to run scans
ActiveX controls are installed in user's computer.


Details:

One of the installed ActiveX controls is called
"Symantec RuFSI Utility Class" and it has this
description: "Norton Internet Security Registry and
File Information", there isn't documentation on what
it does but it looks like it's used to colect user's
computer information in order to perform the scans. If
a long string is passed in any of the parameters of
CompareVersionStrings method a stack based overflow
occurs when the method is executed.

To reproduce the overflow just cut-and-paste the
following:

<object
  
classid="clsid:69DEAF94-AF66-11D3-BEC0-00105AA9B6AE"
   id="test">
</object>

<script>
test.CompareVersionStrings("long string here","or long
string here")
</script>


This ActiveX control is marked as safe, so the above
sample will run without being blocked in default 
Internet Explorer security configuration.
This vulnerability can be exploited to run arbitrary
code. 


Workaround:

Go to %SystemRoot%\Downloaded Program Files\ and
remove "Symantec RuFSI Utility Class" and if you are
extra paranoid remove all Symantec ActiveX controls.
Also don't use again Symantec free online scan service
until Symantec fix it!!!


Vendor Status :

I really sorry Symantec i forgot about the 30-day
grace period (see  "Security Vulnerability Reporting 
and Response Process",
http://www.oisafety.org/process.html), also i forgot
to report it :)
This is really funny Symantec try to protect users and
they intruduce dangerous ActiveX controls in users
computers. I think that maybe this control should be
inroduced in Norton virus list :). I wonder if this
advisory will be on Security Focus news or
vulnerability database.


Important note:

I recomend antivirus companies with online virus scan
service to check your ActiveX controls if you are
really interested in protect users, especially Trend
Micro fix those HouseCall ActiveX multiple
overflows!!!.


 
NEW SECURITY LIST!!!: For people interested in SQL
Server security, vulnerabilities, SQL injection, etc.
Join at:
sqlserversecurity-subscribe@yahoogroups.com
http://groups.yahoo.com/group/sqlserversecurity/




__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC