Project: project-zero
Status: Fixed
Closed: Jul 2016
Symantec: Symantec Antivirus multiple remote memory corruption unpacking MSPACK Archives CVE-2016-2211
Reported by taviso@google.com (Project Member), May 2 2016
A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITY\SYSTEM on Windows, and root on Linux and Mac. It is self-evident from looking at the decomposer code that Symantec have based the CAB decompression on the open-source libmspack package by Stuart Caie.

Similar to issue 810, where Symantec didn't keep their unrar package updated, the libmspack library is also out of date and vulnerable to publicly known memory corruption vulnerabilities.

I have verified that multiple publicly known vulnerabilities affect Symantec, and can result in remote code execution as NT AUTHORITY\SYSTEM on Windows and root on Linux and Mac.

I have verified this on the following products:

    Norton Antivirus, Windows
    Symantec Endpoint Protection, Linux and Windows
    Symantec Scan Engine, Linux and Windows

Presumably this affects all other Symantec products using the core Symantec scan engine. I think you should take this opportunity to check all other third party code you're using to verify you haven't fallen behind. In my opinion, I'm being exceptionally generous considering this issue a new vulnerability and not public information.

I've attached a sample testcase that triggers CVE-2014-9732 you can use to verify this.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
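
The report's point is that the decomposer parses attacker-supplied CAB archives inside a process running as SYSTEM or root, using a copy of libmspack that had not been updated. The parser below is an added example, not code from the original report, from Symantec or from libmspack: it walks the CAB container structures (CFHEADER, CFFOLDER, CFFILE) and rejects inconsistent offsets, counts and unterminated names instead of reading past the buffer, which is the class of defect a stale archive library tends to carry. The sample cabinet and the corrupted variants in `demo_case` are constructed by hand for this example and are unrelated to the attached testcase or to CVE-2014-9732.

```c
/* Bounds-checked parser for the CAB (Microsoft Cabinet) container structures
 * CFHEADER, CFFOLDER and CFFILE. Added example; not Symantec's or libmspack's
 * code. The sample cabinet below is constructed by hand, not a real testcase. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CAB_MAX_FILES 64
#define CAB_MAX_NAME  255

enum cab_err { CAB_OK = 0, CAB_ERR_SHORT = -1, CAB_ERR_SIGNATURE = -2,
               CAB_ERR_VERSION = -3, CAB_ERR_LAYOUT = -4, CAB_ERR_NAME = -5 };

struct cab_file { uint32_t size, folder_offset; uint16_t folder_index; char name[CAB_MAX_NAME + 1]; };
struct cab_info { uint32_t cabinet_size; uint16_t n_folders, n_files; struct cab_file files[CAB_MAX_FILES]; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Copy a NUL-terminated string at *pos into out, refusing to read past len. */
static int read_name(const uint8_t *buf, size_t len, size_t *pos, char *out, size_t outsz) {
    for (size_t i = 0; ; i++) {
        if (*pos + i >= len || i >= outsz - 1) return CAB_ERR_NAME;  /* no terminator in range */
        out[i] = (char)buf[*pos + i];
        if (out[i] == '\0') { *pos += i + 1; return CAB_OK; }
    }
}

int cab_parse(const uint8_t *buf, size_t len, struct cab_info *out) {
    const size_t CFHEADER_FIXED = 36;
    if (len < CFHEADER_FIXED) return CAB_ERR_SHORT;
    if (memcmp(buf, "MSCF", 4) != 0) return CAB_ERR_SIGNATURE;
    memset(out, 0, sizeof *out);
    out->cabinet_size = rd32(buf + 8);
    uint32_t coff_files = rd32(buf + 16);
    out->n_folders = rd16(buf + 26);
    out->n_files = rd16(buf + 28);
    uint16_t flags = rd16(buf + 30);
    if (buf[24] != 3 || buf[25] != 1) return CAB_ERR_VERSION;            /* format version 1.3 only */
    if (out->cabinet_size > len) return CAB_ERR_SHORT;                     /* header claims more than present */
    if (out->n_folders == 0 || out->n_files == 0 || out->n_files > CAB_MAX_FILES) return CAB_ERR_LAYOUT;

    size_t pos = CFHEADER_FIXED, folder_reserve = 0;
    if (flags & 0x0004) {                        /* cfhdrRESERVE_PRESENT: cbCFHeader, cbCFFolder, cbCFData */
        if (len - pos < 4) return CAB_ERR_SHORT;
        uint16_t hdr_reserve = rd16(buf + pos);
        folder_reserve = buf[pos + 2];
        pos += 4;
        if (len - pos < hdr_reserve) return CAB_ERR_SHORT;
        pos += hdr_reserve;
    }
    char scratch[CAB_MAX_NAME + 1];              /* szCabinetPrev/szDiskPrev, szCabinetNext/szDiskNext */
    int n_str = ((flags & 0x0001) ? 2 : 0) + ((flags & 0x0002) ? 2 : 0);
    for (int i = 0; i < n_str; i++) {
        int r = read_name(buf, len, &pos, scratch, sizeof scratch);
        if (r) return r;
    }
    size_t folder_sz = 8 + folder_reserve;       /* CFFOLDER: coffCabStart, cCFData, typeCompress, abReserve */
    if ((len - pos) / folder_sz < out->n_folders) return CAB_ERR_SHORT;
    for (uint16_t i = 0; i < out->n_folders; i++)
        if (rd32(buf + pos + i * folder_sz) > len) return CAB_ERR_LAYOUT;   /* CFDATA start past EOF */
    pos += folder_sz * out->n_folders;

    if (coff_files < pos || coff_files > len) return CAB_ERR_LAYOUT;      /* CFFILE table must follow folders */
    pos = coff_files;
    for (uint16_t i = 0; i < out->n_files; i++) {
        struct cab_file *f = &out->files[i];
        if (len - pos < 16) return CAB_ERR_SHORT;                          /* fixed part of CFFILE */
        f->size = rd32(buf + pos); f->folder_offset = rd32(buf + pos + 4); f->folder_index = rd16(buf + pos + 8);
        pos += 16;
        int r = read_name(buf, len, &pos, f->name, sizeof f->name);
        if (r) return r;
        /* 0xFFFD-0xFFFF mark files continued from/to another cabinet; anything else must be a real folder */
        if (f->folder_index < 0xFFFD && f->folder_index >= out->n_folders) return CAB_ERR_LAYOUT;
    }
    return CAB_OK;
}

/* Constructed 83-byte cabinet: one folder, one stored (uncompressed) file "hello.txt" containing "hello". */
static const uint8_t SAMPLE_CAB[83] = {
    'M','S','C','F', 0,0,0,0, 0x53,0,0,0, 0,0,0,0, 0x2C,0,0,0, 0,0,0,0,  /* CFHEADER: size 83, CFFILEs at 44 */
    3,1, 1,0, 1,0, 0,0, 0x22,0x11, 0,0,                                 /* v1.3, 1 folder, 1 file, no flags */
    0x46,0,0,0, 1,0, 0,0,                                               /* CFFOLDER: CFDATA at 70, 1 block, stored */
    5,0,0,0, 0,0,0,0, 0,0, 0x21,0, 0,0, 0x20,0,                         /* CFFILE: 5 bytes, folder 0 */
    'h','e','l','l','o','.','t','x','t',0,
    0,0,0,0, 5,0, 5,0, 'h','e','l','l','o',                             /* CFDATA: csum, 5 compressed, 5 raw */
};

/* Parse the sample (0) or one of three hand-corrupted variants; returns the cab_err code. */
int demo_case(int which) {
    uint8_t buf[sizeof SAMPLE_CAB];
    struct cab_info info;
    memcpy(buf, SAMPLE_CAB, sizeof buf);
    switch (which) {
    case 1: buf[16] = 0xF0; buf[17] = buf[18] = buf[19] = 0xFF; break;  /* coffFiles far past EOF */
    case 2: memset(buf + 69, 'A', sizeof buf - 69); break;             /* name never NUL-terminated */
    case 3: buf[28] = 2; break;                                        /* cFiles = 2, only one entry fits */
    default: break;
    }
    return cab_parse(buf, sizeof buf, &info);
}

/* Parse the valid sample; returns the first file's declared size (5) if its name is "hello.txt". */
int demo_first_file_size(void) {
    struct cab_info info;
    if (cab_parse(SAMPLE_CAB, sizeof SAMPLE_CAB, &info) != CAB_OK) return -1;
    return strcmp(info.files[0].name, "hello.txt") == 0 ? (int)info.files[0].size : -2;
}

int main(void) {
    static const char *labels[] = { "valid", "coffFiles past EOF", "unterminated name", "cFiles too large" };
    for (int i = 0; i < 4; i++) printf("%-20s -> %d\n", labels[i], demo_case(i));
    return 0;
}
```

Every length check is written as `len - pos < needed` rather than `pos + needed > len` so that an attacker-chosen 32-bit offset cannot wrap the comparison; the decompression of CFDATA blocks (the MSZIP/LZX/Quantum code where libmspack's bugs live) is deliberately out of scope here.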

Project Member Comment 1 by taviso@google.com, Jun 28 2016
Labels: -Restrict-View-Commit
Disclosure date reached, unrestricting bug.
Project Member Comment 2 by taviso@google.com, Jun 28 2016
Summary: Symantec: Symantec Antivirus multiple remote memory corruption unpacking MSPACK Archives CVE-2016-2211 (was: Symantec: Symantec Antivirus multiple remote memory corruption unpacking MSPACK Archives)
Nice work as always. Would you be able to post the password for testcase.zip? It's not "infected".
Can you tell me the password? The password is not "infected".
Project Member Comment 5 by taviso@google.com, Jul 6 2016
Status: Fixed
Sorry about that, I've attached the correct testcase.
Attachment: testcase.zip (566 KB)