Status: Fixed
Closed: May 2016
Symantec/Norton Antivirus ASPack Remote Heap/Pool memory corruption Vulnerability CVE-2016-2208
Project Member Reported by taviso@google.com, May 6 2016
When parsing executables packed by an early version of aspack, a buffer overflow can occur in the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products. The problem occurs when section data is truncated, that is, when SizeOfRawData is greater than SizeOfImage.

This is a remote code execution vulnerability. Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it.

On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability - this is about as bad as it can possibly get.

The obvious way to exploit this flaw is either via email or a web browser. The attached testcase contains the source code to build a PoC, which should BugCheck (i.e. BSOD) a system with Norton Antivirus installed, or crash Symantec Enterprise Endpoint service.

The file testcase.txt is a prebuilt binary (note that file extension is irrelevant here). Just clicking download should be enough to trigger a kernel panic on a vulnerable system (!!!).

When this file touches disk, Symantec will allocate SizeOfImage bytes and then memcpy all available data into the buffer from the truncated section resulting in heap or pool corruption. Effectively, we can get Symantec to execute a sequence like this:

    char *buf = malloc(SizeOfImage);

    memcpy(&buf[DataSection->VirtualAddress],
           DataSection->PointerToRawData,
           SectionSizeOnDisk);

All of these values, and all the data, are under attacker control, making this a very clean overflow. Because this vulnerability exists in the core scan engine, the majority of Symantec products are vulnerable; this includes:

    * Symantec Endpoint Antivirus (All platforms)
    * Norton Antivirus (All platforms)
    * Symantec Scan Engine (All platforms)
    * Symantec Email Security (All platforms)
    * ...and probably all other Symantec Antivirus products.

On Windows with Symantec Endpoint Antivirus, this vulnerability permits code execution as NT AUTHORITY\SYSTEM in the ccSvcHost.exe process. On Norton Antivirus for Windows, this code is loaded into the kernel and results in kernel pool corruption.

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 9e45c000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 82a81ff3, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


WRITE_ADDRESS:  9e45c000 Paged pool

FAULTING_IP: 
nt!memcpy+33
82a81ff3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  NS.exe

CURRENT_IRQL:  2

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre

TRAP_FRAME:  9abd2094 -- (.trap 0xffffffff9abd2094)
ErrCode = 00000002
eax=b0849800 ebx=00010000 ecx=00001201 edx=00000000 esi=b0844ffc edi=9e45c000
eip=82a81ff3 esp=9abd2108 ebp=9abd2110 iopl=0         nv up ei pl nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!memcpy+0x33:
82a81ff3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER:  from 82b28ce7 to 82ac4308
1: kd> .trap 0xffffffff9abd2094
ErrCode = 00000002
eax=b0849800 ebx=00010000 ecx=00001201 edx=00000000 esi=b0844ffc edi=9e45c000
eip=82a81ff3 esp=9abd2108 ebp=9abd2110 iopl=0         nv up ei pl nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!memcpy+0x33:
82a81ff3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
1: kd> db esi
b0844ffc  54 65 73 74 69 6e 67 53-79 6d 61 6e 74 65 63 45  TestingSymantecE
b084500c  78 70 6c 6f 69 74 54 65-73 74 69 6e 67 53 79 6d  xploitTestingSym
b084501c  61 6e 74 65 63 45 78 70-6c 6f 69 74 54 65 73 74  antecExploitTest
b084502c  69 6e 67 53 79 6d 61 6e-74 65 63 45 78 70 6c 6f  ingSymantecExplo
b084503c  69 74 54 65 73 74 69 6e-67 53 79 6d 61 6e 74 65  itTestingSymante
b084504c  63 45 78 70 6c 6f 69 74-54 65 73 74 69 6e 67 53  cExploitTestingS
b084505c  79 6d 61 6e 74 65 63 45-78 70 6c 6f 69 74 54 65  ymantecExploitTe
b084506c  73 74 69 6e 67 53 79 6d-61 6e 74 65 63 45 78 70  stingSymantecExp
1: kd> lmv mNAVEX15
start    end        module name
a1a1f000 a1bad180   NAVEX15    (no symbols)           
    Loaded symbol image file: NAVEX15.SYS
    Image path: \??\C:\Program Files\Norton Security\NortonData\22.6.0.142\Definitions\VirusDefs\20160506.004\NAVEX15.SYS
    Image name: NAVEX15.SYS
    Timestamp:        Tue Oct 13 17:32:30 2015 (561DA29E)
    CheckSum:         00195B98
    ImageSize:        0018E180
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

The testcase attached produces an executable like this:

  NAME          RVA      VSZ   RAW_SZ  RAW_PTR  nREL  REL_PTR nLINE LINE_PTR     FLAGS
  .data        fff8        0 ffffffff     2000     0        0     0        0         0  ---
  .text        fff8        0     1000     1000     0        0     0        0         0  ---

Source code is included.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachments:
    * testcase.txt (38.0 KB)
    * exploit.zip (5.2 KB)
    * Windows 7-2016-04-27-15-40-18.png (12.8 KB)
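As an added illustration (not code from the report, the testcase, or Symantec), the C below shows the bounds check missing from the malloc/memcpy sequence in the report: the three section header values are validated against SizeOfImage and the input file size before any copy. The section values are taken from the section table in the report; the SizeOfImage of 0x10000 and the 0x9800-byte file size are assumed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The PE section header fields the report names (constructed struct,
 * not Symantec's code; field names follow the PE specification). */
struct section_hdr {
    uint32_t VirtualAddress;   /* RVA the section is mapped at      */
    uint32_t SizeOfRawData;    /* bytes the loader copies from file */
    uint32_t PointerToRawData; /* file offset of those bytes        */
};

/* Bounds check missing from the sequence in the report: the copy must
 * end inside the SizeOfImage buffer and inside the input file. */
static bool section_fits_image(const struct section_hdr *s,
                               uint32_t size_of_image, size_t file_size)
{
    /* 64-bit sums so VirtualAddress + SizeOfRawData cannot wrap */
    uint64_t end_in_image = (uint64_t)s->VirtualAddress + s->SizeOfRawData;
    uint64_t end_in_file  = (uint64_t)s->PointerToRawData + s->SizeOfRawData;
    if (end_in_image > size_of_image) return false; /* truncated section */
    if (end_in_file > file_size) return false;      /* data runs past EOF */
    return true;
}

/* Hardened version of the malloc/memcpy sequence: copies only after the
 * check passes and returns the number of bytes copied (0 = rejected). */
static size_t load_section(uint8_t *image, uint32_t size_of_image,
                           const uint8_t *file, size_t file_size,
                           const struct section_hdr *s)
{
    if (!section_fits_image(s, size_of_image, file_size))
        return 0;
    memcpy(image + s->VirtualAddress, file + s->PointerToRawData,
           s->SizeOfRawData);
    return s->SizeOfRawData;
}

int main(void)
{
    /* Section table from the report; SizeOfImage 0x10000 and a 0x9800-byte
     * file are assumed values for this demonstration. */
    const struct section_hdr data = { 0xfff8, 0xffffffff, 0x2000 };
    const struct section_hdr text = { 0xfff8, 0x1000, 0x1000 };
    printf(".data fits: %d\n", section_fits_image(&data, 0x10000, 0x9800));
    printf(".text fits: %d\n", section_fits_image(&text, 0x10000, 0x9800));
    return 0;
}
```

Both sections from the report are rejected: .data because 0xfff8 + 0xffffffff cannot fit in any image, .text because 0xfff8 + 0x1000 runs 0xff8 bytes past the assumed 0x10000-byte buffer, which is exactly the truncated-section case the report describes.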
Project Member Comment 1 by taviso@google.com, May 15 2016
I think Symantec's mail server guessed the password "infected" and crashed (this password is commonly used among antivirus vendors to exchange samples), because they asked if they had missed a report I sent.

They had missed the report, so I sent it again with a randomly generated password.

Project Member Comment 2 by taviso@google.com, May 15 2016
Update from Symantec:

With the exception of test case 5, as I mentioned last night which seems like you may have zipped up the wrong case by mistake, we have confirmed your findings and have resolutions as well as doing additional reviews. We can easily update a version of one of our products, Norton Security for example, with an updated engine by the end of the week and if you would like can provide you with a beta release of that for your review.
 
Unfortunately, not all products will be updated the same which of course has impacts on final release of updates and an associated Security Advisory.  Some are quick and fairly simple updates, live update of course, but others require a maintenance patch build, test, release which takes a bit longer.


[I had sent them the wrong testcase for issue 816, I sent them the correct file]

Project Member Comment 3 by taviso@google.com, May 15 2016
Cc: taviso@google.com
Issue 811 has been merged into this issue.
Project Member Comment 4 by taviso@google.com, May 15 2016
Summary: Symantec/Norton Antivirus ASPack Remote Heap/Pool memory corruption Vulnerability CVE-2016-2208 (was: Symantec/Norton Antivirus ASPack Remote Heap/Pool memory corruption Vulnerability.)
I had a conference call with an engineer from Symantec Software Security, it sounded like they had reproduced and understood all the issues I had sent them, and were working on patch schedules.

Followup e-mail from Symantec:

Concerning the AVE update for the PE Header parsing finding. You and I talked about getting ready to release the AVE update to address the PE Header parsing overflow you reported to us. This is, unfortunately, the only one of the issues thus far that is live update-able. The team plans on releasing the update on Monday, 5/16 and we will be releasing a formal product security advisory with your credits once we confirm the update is posted and available.
Once the advisory is live, I'll pass you a link to the advisory for your use if you wish. The CVE assigned to this particular vulnerability will be CVE-2016-2208.
 
We will then be working on the decomposer issues and coordinating closely with you on release plans for this since it will require a build and release process.
 
 
Again, many thanks for working with us on these issues.

Project Member Comment 5 by taviso@google.com, May 17 2016
Labels: -Restrict-View-Commit
Status: Fixed
Patch available, making public.
> a remote ring0 memory corruption vulnerability

...with no user interaction! 

After reading this, I'm conflicted: 

When the Pwnie Awards come around, should I nominate this bug for "Pwnie for Epic Ownage" or nominate Tavis for "Pwnie for Lifetime Achievement"?

Because, just... damn.

Anti-virus software should be considered harmful.