Monorail Project: project-zero Issues People Development process History Sign in
New issue
Advanced search Search tips
Starred by 3 users
Status: Fixed
Owner:
Closed: Sep 2016
Cc:



Sign in to add a comment
Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink CVE-2016 -3646
Project Member Reported by taviso@google.com, May 6 2016 Back to list
A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITY\SYSTEM on Windows, and root on Linux and Mac. Simple fuzzing of zip archives discovered missing bounds checks in the routine ALPkOldFormatDecompressor::UnShrink, used to decode Zip archives. 

The routine uses a 16bit value read from the file to index a 256 element array without any bounds checking, the attached testcase should demonstrate this reliably. I have verified this on the following products:

    Norton Antivirus, Windows
    Symantec Endpoint Protection, Linux and Windows
    Symantec Scan Engine, Linux and Windows


(534.700): Access violation - code c0000005 (!!! second chance !!!)
eax=00003000 ebx=00003000 ecx=00003000 edx=00002000 esi=16adeb58 edi=16ad8b1b
eip=6ba47ec3 esp=16ad6af0 ebp=16adeb20 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
ccScanw!filelengthi64+0x3af63:
6ba47ec3 66399445fcbfffff cmp     word ptr [ebp+eax*2-4004h],dx ss:002b:16ae0b1c=????
0:071> ub
ccScanw!filelengthi64+0x3af3f:
6ba47e9f 8bb5ec7fffff    mov     esi,dword ptr [ebp-8014h]
6ba47ea5 8bc7            mov     eax,edi
6ba47ea7 8985e07fffff    mov     dword ptr [ebp-8020h],eax
6ba47ead e96d010000      jmp     ccScanw!filelengthi64+0x3b0bf (6ba4801f)
6ba47eb2 0fbfc3          movsx   eax,bx
6ba47eb5 ba00200000      mov     edx,2000h
6ba47eba 8dbdfb9fffff    lea     edi,[ebp-6005h]
6ba47ec0 0fb7cb          movzx   ecx,bx
0:071> lmv m ccScanw
start    end        module name
6b930000 6bb5f000   ccScanw    (export symbols)       C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
    Loaded symbol image file: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
    Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
    Image name: ccScanw.dll
    Timestamp:        Tue Jan 26 13:51:55 2016 (56A7EA7B)
    CheckSum:         0022B3ED
    ImageSize:        0022F000
    File version:     13.1.2.19
    Product version:  13.1.2.19
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Symantec Corporation
    ProductName:      Symantec Security Technologies
    InternalName:     ccScan
    OriginalFilename: CCSCAN.DLL
    ProductVersion:   13.1.2.19
    FileVersion:      13.1.2.19
    FileDescription:  Symantec Scan Engine
    LegalCopyright:   Copyright (c) 2015 Symantec Corporation. All rights reserved.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
testcase.zip
448 KB Download
Project Member Comment 1 by taviso@google.com, Jun 28 2016
Labels: -Restrict-View-Commit
Disclosure date reached, unrestricting bug.
Project Member Comment 2 by taviso@google.com, Jun 28 2016
Summary: Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink CVE-2016 -3646 (was: Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink)
Project Member Comment 3 by taviso@google.com, Sep 20 2016
Status: Fixed
Comment 4 Deleted
Sign in to add a comment