###########################

# Symantec Antivirus Multiple Remote Memory Corruption Unpacking RAR Vulnerability

###########################

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=810

A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITYSYSTEM on Windows, and root on Linux and Mac. It is self-evident from looking at the decomposer code that Symantec have based the RAR decompression on the open-source unrar package from RAR labs (Note: this is permitted by the unrar license).

By comparing Symantec's code to the open source code, I have determined that Symantec are probably using version 4.1.4 of the unrar code, released in January 2012. The most current version is version 5.3.11.

Between the version of unrar that Symantec runs as NT AUTHORITYSYSTEM to unpack untrusted binaries received over the network and the the current version, literally hundreds of critical memory corruption bugs have been resolved.

I have verified that multiple publicly known vulnerabilities affect Symantec, and can result in remote code execution as NT AUTHORTITYSYSTEM on Windows and root on Linux and Mac.

I have verified this on the following products:

Norton Antivirus, Windows
Symantec Endpoint Protection, Linux and Windows
Symantec Scan Engine, Linux and Windows

Presumably this affects all other Symantec products using the core Symantec scan engine.

In my opinion, I'm being exceptionally generous considering this issue a new vulnerability and not public information. Frankly, it is astonishing that Symantec do not track new releases of third party code they use. I think you should take this opportunity to check all other third party code you're using to verify you haven't fallen behind.

I've attached a trivial example that modifies an arbitrary index in the PlaceA[] array via Unpack::ShortLZ().


(534.adc): Access violation - code c0000005 (!!! second chance !!!)
eax=14858d00 ebx=07da63e0 ecx=07da65ec edx=fb6e43a0 esi=07da6370 edi=daf72217
eip=6d7b4016 esp=0da8d260 ebp=0da8d27c iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
ccScanw!filelengthi64+0x470b6:
6d7b4016 8994be005d0000 mov dword ptr [esi+edi*4+5D00h],edx ds:002b:73b748cc=14858d00
0:052> lm v mccScanw
start end module name
6d690000 6d8bf000 ccScanw (export symbols) C:Program Files (x86)Norton SecurityEngine22.6.0.142ccScanw.dll
Loaded symbol image file: C:Program Files (x86)Norton SecurityEngine22.6.0.142ccScanw.dll
Image path: C:Program Files (x86)Norton SecurityEngine22.6.0.142ccScanw.dll
Image name: ccScanw.dll
Timestamp: Tue Jan 26 13:51:55 2016 (56A7EA7B)
CheckSum: 0022B3ED
ImageSize: 0022F000
File version: 13.1.2.19
Product version: 13.1.2.19
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Symantec Corporation
ProductName: Symantec Security Technologies
InternalName: ccScan
OriginalFilename: CCSCAN.DLL
ProductVersion: 13.1.2.19
FileVersion: 13.1.2.19
FileDescription: Symantec Scan Engine
LegalCopyright: Copyright (c) 2015 Symantec Corporation. All rights reserved.

These bugs are obviously exploitable for remote code execution on all Symantec customer machines as root or SYSTEM.


###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2016-07-23]

###########################