Symantec/Norton AntiVirus - ASPack Remote Heap/Pool Memory Corruption

EDB-ID:

39835




Platform:

Multiple

Date:

2016-05-17


Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=820

When parsing executables packed by an early version of aspack, a buffer overflow can occur in the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products. The problem occurs when section data is truncated, that is, when SizeOfRawData is greater than SizeOfImage.

This is a remote code execution vulnerability. Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it.

On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability - this is about as bad as it can possibly get.

The obvious way to exploit this flaw is either via email or a web browser. The attached testcase contains the source code to build a PoC, which should BugCheck (i.e. BSOD) a system with Norton Antivirus installed, or crash Symantec Enterprise Endpoint service.

The file testcase.txt is a prebuilt binary (note that file extension is irrelevant here). Just clicking download should be enough to trigger a kernel panic on a vulnerable system (!!!).

When this file touches disk, Symantec will allocate SizeOfImage bytes and then memcpy all available data into the buffer from the truncated section resulting in heap or pool corruption. Effectively, we can get Symantec to execute a sequence like this:

    char *buf = malloc(SizeOfImage);

    memcpy(&buf[DataSection->VirtualAddress],
           DataSection->PointerToRawData,
           SectionSizeOnDisk);

All of these values, and all the data is under attacker control, making this a very clean overflow. Because this vulnerability exists in the core scan engine, the majority of Symantec products are vulnerable, this includes:

    * Symantec Endpoint Antivirus (All platforms)
    * Norton Antivirus (All platforms)
    * Symantec Scan Engine (All platforms)
    * Symantec Email Security (All platforms)
    * ..and probably all other Symantec Antivirus products.

On Windows with Symantec Endpoint Antivirus, this vulnerability permits code execution  as NT AUTHORITY\SYSTEM in the ccSvcHost.exe process. On Norton Antivirus for Windows, this code is loaded into the kernel and results kernel pool corruption.

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 9e45c000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 82a81ff3, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


WRITE_ADDRESS:  9e45c000 Paged pool

FAULTING_IP: 
nt!memcpy+33
82a81ff3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  NS.exe

CURRENT_IRQL:  2

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre

TRAP_FRAME:  9abd2094 -- (.trap 0xffffffff9abd2094)
ErrCode = 00000002
eax=b0849800 ebx=00010000 ecx=00001201 edx=00000000 esi=b0844ffc edi=9e45c000
eip=82a81ff3 esp=9abd2108 ebp=9abd2110 iopl=0         nv up ei pl nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!memcpy+0x33:
82a81ff3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER:  from 82b28ce7 to 82ac4308
1: kd> .trap 0xffffffff9abd2094
ErrCode = 00000002
eax=b0849800 ebx=00010000 ecx=00001201 edx=00000000 esi=b0844ffc edi=9e45c000
eip=82a81ff3 esp=9abd2108 ebp=9abd2110 iopl=0         nv up ei pl nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!memcpy+0x33:
82a81ff3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
1: kd> db esi
b0844ffc  54 65 73 74 69 6e 67 53-79 6d 61 6e 74 65 63 45  TestingSymantecE
b084500c  78 70 6c 6f 69 74 54 65-73 74 69 6e 67 53 79 6d  xploitTestingSym
b084501c  61 6e 74 65 63 45 78 70-6c 6f 69 74 54 65 73 74  antecExploitTest
b084502c  69 6e 67 53 79 6d 61 6e-74 65 63 45 78 70 6c 6f  ingSymantecExplo
b084503c  69 74 54 65 73 74 69 6e-67 53 79 6d 61 6e 74 65  itTestingSymante
b084504c  63 45 78 70 6c 6f 69 74-54 65 73 74 69 6e 67 53  cExploitTestingS
b084505c  79 6d 61 6e 74 65 63 45-78 70 6c 6f 69 74 54 65  ymantecExploitTe
b084506c  73 74 69 6e 67 53 79 6d-61 6e 74 65 63 45 78 70  stingSymantecExp
1: kd> lmv mNAVEX15
start    end        module name
a1a1f000 a1bad180   NAVEX15    (no symbols)           
    Loaded symbol image file: NAVEX15.SYS
    Image path: \??\C:\Program Files\Norton Security\NortonData\22.6.0.142\Definitions\VirusDefs\20160506.004\NAVEX15.SYS
    Image name: NAVEX15.SYS
    Timestamp:        Tue Oct 13 17:32:30 2015 (561DA29E)
    CheckSum:         00195B98
    ImageSize:        0018E180
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

The testcase attached produces an executable like this:

  NAME          RVA      VSZ   RAW_SZ  RAW_PTR  nREL  REL_PTR nLINE LINE_PTR     FLAGS
  .data        fff8        0 ffffffff     2000     0        0     0        0         0  ---
  .text        fff8        0     1000     1000     0        0     0        0         0  ---

Source code is included.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39835.zip