Symantec/Norton AntiVirus – ASPack Remote Heap/Pool Memory Corruption

• Exploit Database
• 26 阅读

• 作者： Google Security Research
  日期： 2016-05-17
• 类别：

  • dos
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/39835/

• Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=820
  
  When parsing executables packed by an early version of aspack, a buffer overflow can occur in the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products. The problem occurs when section data is truncated, that is, when SizeOfRawData is greater than SizeOfImage.
  
  This is a remote code execution vulnerability. Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it.
  
  On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability - this is about as bad as it can possibly get.
  
  The obvious way to exploit this flaw is either via email or a web browser. The attached testcase contains the source code to build a PoC, which should BugCheck (i.e. BSOD) a system with Norton Antivirus installed, or crash Symantec Enterprise Endpoint service.
  
  The file testcase.txt is a prebuilt binary (note that file extension is irrelevant here). Just clicking download should be enough to trigger a kernel panic on a vulnerable system (!!!).
  
  When this file touches disk, Symantec will allocate SizeOfImage bytes and then memcpy all available data into the buffer from the truncated section resulting in heap or pool corruption. Effectively, we can get Symantec to execute a sequence like this:
  
  char *buf = malloc(SizeOfImage);
  
  memcpy(&buf[DataSection->VirtualAddress],
   DataSection->PointerToRawData,
   SectionSizeOnDisk);
  
  All of these values, and all the data is under attacker control, making this a very clean overflow. Because this vulnerability exists in the core scan engine, the majority of Symantec products are vulnerable, this includes:
  
  * Symantec Endpoint Antivirus (All platforms)
  * Norton Antivirus (All platforms)
  * Symantec Scan Engine (All platforms)
  * Symantec Email Security (All platforms)
  * ..and probably all other Symantec Antivirus products.
  
  On Windows with Symantec Endpoint Antivirus, this vulnerability permits code executionas NT AUTHORITY\SYSTEM in the ccSvcHost.exe process. On Norton Antivirus for Windows, this code is loaded into the kernel and results kernel pool corruption.
  
  1: kd> !analyze -v
  *******************************************************************************
  * *
  *Bugcheck Analysis*
  * *
  *******************************************************************************
  
  PAGE_FAULT_IN_NONPAGED_AREA (50)
  Invalid system memory was referenced.This cannot be protected by try-except,
  it must be protected by a Probe.Typically the address is just plain bad or it
  is pointing at freed memory.
  Arguments:
  Arg1: 9e45c000, memory referenced.
  Arg2: 00000001, value 0 = read operation, 1 = write operation.
  Arg3: 82a81ff3, If non-zero, the instruction address which referenced the bad memory
  	address.
  Arg4: 00000000, (reserved)
  
  Debugging Details:
  ------------------
  
  
  WRITE_ADDRESS:9e45c000 Paged pool
  
  FAULTING_IP: 
  nt!memcpy+33
  82a81ff3 f3a5rep movs dword ptr es:[edi],dword ptr [esi]
  
  MM_INTERNAL_CODE:0
  
  DEFAULT_BUCKET_ID:WIN7_DRIVER_FAULT
  
  BUGCHECK_STR:0x50
  
  PROCESS_NAME:NS.exe
  
  CURRENT_IRQL:2
  
  ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre
  
  TRAP_FRAME:9abd2094 -- (.trap 0xffffffff9abd2094)
  ErrCode = 00000002
  eax=b0849800 ebx=00010000 ecx=00001201 edx=00000000 esi=b0844ffc edi=9e45c000
  eip=82a81ff3 esp=9abd2108 ebp=9abd2110 iopl=0 nv up ei pl nz ac po nc
  cs=0008ss=0010ds=0023es=0023fs=0030gs=0000 efl=00010212
  nt!memcpy+0x33:
  82a81ff3 f3a5rep movs dword ptr es:[edi],dword ptr [esi]
  Resetting default scope
  
  LAST_CONTROL_TRANSFER:from 82b28ce7 to 82ac4308
  1: kd> .trap 0xffffffff9abd2094
  ErrCode = 00000002
  eax=b0849800 ebx=00010000 ecx=00001201 edx=00000000 esi=b0844ffc edi=9e45c000
  eip=82a81ff3 esp=9abd2108 ebp=9abd2110 iopl=0 nv up ei pl nz ac po nc
  cs=0008ss=0010ds=0023es=0023fs=0030gs=0000 efl=00010212
  nt!memcpy+0x33:
  82a81ff3 f3a5rep movs dword ptr es:[edi],dword ptr [esi]
  1: kd> db esi
  b0844ffc54 65 73 74 69 6e 67 53-79 6d 61 6e 74 65 63 45TestingSymantecE
  b084500c78 70 6c 6f 69 74 54 65-73 74 69 6e 67 53 79 6dxploitTestingSym
  b084501c61 6e 74 65 63 45 78 70-6c 6f 69 74 54 65 73 74antecExploitTest
  b084502c69 6e 67 53 79 6d 61 6e-74 65 63 45 78 70 6c 6fingSymantecExplo
  b084503c69 74 54 65 73 74 69 6e-67 53 79 6d 61 6e 74 65itTestingSymante
  b084504c63 45 78 70 6c 6f 69 74-54 65 73 74 69 6e 67 53cExploitTestingS
  b084505c79 6d 61 6e 74 65 63 45-78 70 6c 6f 69 74 54 65ymantecExploitTe
  b084506c73 74 69 6e 67 53 79 6d-61 6e 74 65 63 45 78 70stingSymantecExp
  1: kd> lmv mNAVEX15
  startendmodule name
  a1a1f000 a1bad180 NAVEX15(no symbols) 
  Loaded symbol image file: NAVEX15.SYS
  Image path: \??\C:\Program Files\Norton Security\NortonData\22.6.0.142\Definitions\VirusDefs\20160506.004\NAVEX15.SYS
  Image name: NAVEX15.SYS
  Timestamp:Tue Oct 13 17:32:30 2015 (561DA29E)
  CheckSum: 00195B98
  ImageSize:0018E180
  Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
  
  The testcase attached produces an executable like this:
  
  NAMERVAVSZ RAW_SZRAW_PTRnRELREL_PTR nLINE LINE_PTR FLAGS
  .datafff80 ffffffff 2000 00 00 0---
  .textfff80 1000 1000 00 00 0---
  
  Source code is included.
  
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39835.zip