Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=821
A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITY\SYSTEM on Windows, and root on Linux and Mac. Simple fuzzing of zip archives discovered missing bounds checks in the routine ALPkOldFormatDecompressor::UnShrink, used to decode Zip archives.
The routine uses a 16bit value read from the file to index a 256 element array without any bounds checking, the attached testcase should demonstrate this reliably. I have verified this on the following products:
Norton Antivirus, Windows
Symantec Endpoint Protection, Linux and Windows
Symantec Scan Engine, Linux and Windows
(534.700): Access violation - code c0000005 (!!! second chance !!!)
eax=00003000 ebx=00003000 ecx=00003000 edx=00002000 esi=16adeb58 edi=16ad8b1b
eip=6ba47ec3 esp=16ad6af0 ebp=16adeb20 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
ccScanw!filelengthi64+0x3af63:
6ba47ec3 66399445fcbfffff cmp word ptr [ebp+eax*2-4004h],dx ss:002b:16ae0b1c=????
0:071> ub
ccScanw!filelengthi64+0x3af3f:
6ba47e9f 8bb5ec7fffff mov esi,dword ptr [ebp-8014h]
6ba47ea5 8bc7 mov eax,edi
6ba47ea7 8985e07fffff mov dword ptr [ebp-8020h],eax
6ba47ead e96d010000 jmp ccScanw!filelengthi64+0x3b0bf (6ba4801f)
6ba47eb2 0fbfc3 movsx eax,bx
6ba47eb5 ba00200000 mov edx,2000h
6ba47eba 8dbdfb9fffff lea edi,[ebp-6005h]
6ba47ec0 0fb7cb movzx ecx,bx
0:071> lmv m ccScanw
start end module name
6b930000 6bb5f000 ccScanw (export symbols) C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Loaded symbol image file: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Image name: ccScanw.dll
Timestamp: Tue Jan 26 13:51:55 2016 (56A7EA7B)
CheckSum: 0022B3ED
ImageSize: 0022F000
File version: 13.1.2.19
Product version: 13.1.2.19
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Symantec Corporation
ProductName: Symantec Security Technologies
InternalName: ccScan
OriginalFilename: CCSCAN.DLL
ProductVersion: 13.1.2.19
FileVersion: 13.1.2.19
FileDescription: Symantec Scan Engine
LegalCopyright: Copyright (c) 2015 Symantec Corporation. All rights reserved.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40036.zip