Monorail Project: project-zero Issues People Development process History Sign in
New issue
Advanced search Search tips
Issue 818 Symantec: Heap overflow modifying MIME messages CVE-2016-3644
Starred by 3 users Project Member Reported by taviso@google.com, May 4 2016 Back to list
Status: Fixed
Owner:
Closed: Sep 20
Cc:



Sign in to add a comment
Symantec attempts to clean or remove components from archives or other multipart containers that they detect as malicious. The code that they use to remove components from MIME encoded messages in CMIMEParser::UpdateHeader() assumes that filenames cannot be longer than 77 characters.

This assumption is obviously incorrect, names can be any length, resulting in a very clean heap overflow.

The heap overflow occurs because Symantec does the cleaning in multiple stages, first changing the Content-Type to "text/plain", then changing the filename to "DELETED.TXT". The problem is that during the first stage of this process, they maintain the existing name but use a buffer prepared for the final name.

Something like:

char *buf = malloc(strlen(NewContentType) + strlen(LengthOfNewEncodedFilename) + 100)

// First change the content-type
strcpy(buf, "Content-Type: ");
strcpy(buf, NewContentType;
strcpy(buf, "; name=\"");
strcpy(buf, OldFileName);

...
UpdateName(buf, NewFileName);
...

This obviously won't work, because it doesn't verify that the old name will fit. I've attached an example MIME message that triggers this code in Symantec Scan Engine.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
testcase.zip
483 bytes Download
Project Member Comment 1 by taviso@google.com, Jun 28 2016
Labels: -Restrict-View-Commit
Disclosure date reached, unrestricting bug.
Project Member Comment 2 by taviso@google.com, Jun 28 2016
Summary: Symantec: Heap overflow modifying MIME messages CVE-2016-3644 (was: Symantec: Heap overflow modifying MIME messages)
Project Member Comment 3 by taviso@google.com, Sep 20
Status: Fixed
Comment 4 Deleted
Sign in to add a comment