Pierluigi Paganini May 17, 2016

The white hat hacker Tavis Ormandy has discovered a critical exploitable memory overflow bug in the core Symantec Antivirus Engine

The popular white hat hacker Tavis Ormandy from the Google Project Zero has discovered a critical exploitable flaw (CVE-2016-2208) in the Symantec antivirus system. The expert discovered an exploitable memory overflow vulnerability in the core Symantec Antivirus Engine which is used in most Symantec and Norton solutions.

Kernel memory corruption in Symantec/Norton antivirus, CVE-2016-2208 (more patches soon). https://t.co/Sqhm0a48Fp pic.twitter.com/F22xDIelSU

— Tavis Ormandy (@taviso) 17 maggio 2016

“When parsing executables packed by an early version of aspack, a buffer overflow can occur in the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products.” wrote Ormandy “The problem occurs when section data is truncated, that is, when SizeOfRawData is greater than SizeOfImage. This is a remote code execution vulnerability. Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it.”

The bug is remotely exploitable and affects the way the antivirus products handle executables compressed leveraging on an early version of the Aspack compression tool.

Basically, the a buffer overflow is triggered when the Symantec Antivirus Engine parses truncated section data, so when SizeOfRawData is greater than SizeOfImage.

The bug is independent of the specific OS, on Windows systems it results in kernel memory corruption, this is worrisome.

The issue also affects Linux, Mac and UNIX platforms resulting in a remote heap overflow as root in the Symantec or Norton process.

The simplest way to exploit the bug in the Symantec Antivirus Engine is to trick victims into opening malicious email or visiting a specifically crafted website.

Ormandy also shared a PoC exploit code that could be used to trigger the flaw and crash the Symantec Enterprise Endpoint service.

“The obvious way to exploit this flaw is either via email or a web browser. The attached testcase contains the source code to build a PoC, which should BugCheck (i.e. BSOD) a system with Norton Antivirus installed, or crash Symantec Enterprise Endpoint service. The file testcase.txt is a prebuilt binary (note that file extension is irrelevant here). Just clicking download should be enough to trigger a kernel panic on a vulnerable system (!!!).” continues the expert.

The post also includes an update shared by Symantec that explained that Live Update will fix the problem only in specific cases, for some products it will be required a maintenance patch build test, release which will take more time.

“With the exception of test case 5, as I mentioned last night which seems like you may have zipped up the wrong case by mistake, we have confirmed your findings and have resolutions as well as doing additional reviews. We can easily update a version of one of our products, Norton Security for example, with an updated engine by the end of the week and if you would like can provide you with an beta release of that for your review. Unfortunately, not all products will be updated the same which of course has impacts on final release of updates and an associated Security Advisory. Some are quick and fairly simple updates, live update of course, but others require a maintenance patch build, test, release which takes a bit longer.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Symantec Antivirus Engine, hacking)