> -----Original Message-----
> From: eEye Advisories [mailto:Advisories@xxxxxxxx]
> Sent: Tuesday, June 13, 2006 2:25 AM
> To: full-disclosure@xxxxxxxxxxxxxxxxx;
> ntbugtraq@xxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx;
> vulnwatch@xxxxxxxxxxxxx
> Subject: [VulnWatch] [EEYEB-20060524] Symantec Remote
> Management Stack Buffer Overflow
> Importance: High
>
> Symantec Remote Management Stack Buffer Overflow
>
> Release Date:
> June 12, 2006
>
> Date Reported:
> May 24, 2006
>
> Severity:
> High (Remote Code Execution)
>
> Systems Affected:
> Symantec AntiVirus 10.0.x for Windows (all versions)
> Symantec AntiVirus 10.1.x for Windows (all versions)
> Symantec Client Security 3.0.x for Windows (all versions)
> Symantec Client Security 3.1.x for Windows (all versions)
>
> Systems Not Affected:
> Symantec AntiVirus 10.x.x for Macintosh
> Symantec AntiVirus 10.x.x for Linux
> Symantec AntiVirus 10.x.x for Wireless
>
> Overview:
> eEye Digital Security has discovered a vulnerability in the remote
> management interface for Symantec AntiVirus 10.x and Symantec Client
> Security 3.x, which could be exploited by an anonymous attacker in order
> to execute arbitrary code with SYSTEM privileges on an affected system.
> The management interface is typically enabled in enterprise settings and
> listens on TCP port 2967 by default, for both server and client systems.
>
> Although remote management traffic is typically SSL-encrypted, managed
> systems will accept and process clear-text requests of the vulnerable
> type.
>
> Technical Details:
> The remote management protocol communicated by the affected products is
> a proprietary message-based protocol with two levels of encapsulation.
> The outer layer comprises a message header indicating one of three
> message types: 10, which designates a request to Rtvscan.exe, or 20 or
> 30, which mediate SSL negotiation. If SSL is established for a TCP
> connection, subsequent traffic is encrypted although the plaintext is
> still in the proprietary format.
>
> The data of type-10 messages contains its own header and body which are
> processed by Rtvscan.exe. This header features a command field which
> specifies the operation to perform and dictates the format of the body
> data.
>
> The COM_FORWARD_LOG (0x24) command handler contains an improper use of
> strncat that allows a 0x180-byte stack buffer to be overflowed with
> arbitrary data. If the first string in the COM_FORWARD_LOG request body
> contains a backslash, then one of the following two strncat calls will
> be performed:
>
> * If the string contains a comma but no double-quote:
>
> strncat(dest, src, 0x17A - strlen(src));
>
> * Otherwise:
>
> strncat(dest, src, 0x17C - strlen(src));
>
> If the length of the source string exceeds 0x17A or 0x17C characters
> respectively, the arithmetic will underflow and result in a very large
> copy size (since the copy size argument is of type size_t, which is
> unsigned). This causes the entire source string to be appended to the
> buffer, allowing the stack to be overwritten with up to 64KB of data in
> which only null characters are prohibited.
>
> Rtvscan.exe was compiled with the Visual Studio /GS security option
> which institutes stack canary checks, but this security measure can be
> bypassed by causing a very large overwrite and taking control of an
> exception handler registration.
>
> As a basic workaround against automated exploitation, the management
> interface TCP port may be changed via the
> "HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion> AgentIPPort"
> registry value in order to accomplish a very slight amount of obfuscation.
> Remote management should continue to function even if the new port
> numbers are not homogeneous across an enterprise.
>
> Protection:
> Retina Network Security Scanner has been updated to identify this
> vulnerability.
> Blink - Endpoint Vulnerability Prevention - preemptively protects from
> this vulnerability.
>
> Vendor Status:
> Symantec has released patches for the affected products. For more
> information, please consult Symantec security advisory SYM06-010:
> http://www.symantec.com/avcenter/security/Content/2006.05.25.html
>
> Note that the installation of one or more previous patches may be
> required before the SYM06-010 patch can be applied.
>
> This issue has been assigned CVE-2006-2630.
>
> Credit:
> Derek Soeder
>
> Related Links:
> Retina Network Security Scanner - Free Trial
> (http://www.eeye.com/html/products/retina/index.html)
> Blink Endpoint Vulnerability Prevention - Free Trial
> (http://www.eeye.com/html/products/blink/index.html)
>
> Greetings:
> Symantec engineers, for very quickly producing a solid patch. Family
> and friends. Anti-greets to copperhead snakes.
>
> Copyright (c) 1998-2006 eEye Digital Security
> Permission is hereby granted for the redistribution of this alert
> electronically. It is not to be edited in any way without express
> consent of eEye. If you wish to reprint the whole or any part of this
> alert in any other medium excluding electronic medium, please email
> alert@xxxxxxxx for permission.
>
> Disclaimer
> The information within this paper may change without notice. Use of
> this information constitutes acceptance for use in an AS IS condition.
> There are no warranties, implied or express, with regard to this
> information. In no event shall the author be liable for any direct or
> indirect damages whatsoever arising out of or in connection with the use
> or spread of this information. Any use of this information is at the
> user's own risk.
>
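The size_t underflow the advisory describes in the COM_FORWARD_LOG handler is a general strncat misuse: the third argument is computed from the source length rather than from the space left in the destination, so a source longer than the cap makes the subtraction wrap and the bound vanishes. The following C program is an added example, not eEye's advisory code and not Rtvscan.exe's code. It takes only the numbers from the advisory (a 0x180-byte buffer, the 0x17A and 0x17C caps, and the comma/double-quote rule that picks between them); `select_cap`, `flawed_bound`, `safe_append`, `make_sample`, `try_append` and the "log:" prefix are constructed for illustration. The flawed bound is only computed and reported, never used for a copy; the hardened `safe_append` derives its bound from the destination and refuses input that would not fit, which is the check a defender would want in any handler of this shape.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values taken from the advisory: the 0x180-byte stack buffer in the
 * COM_FORWARD_LOG handler and the two caps (0x17A / 0x17C) subtracted
 * from strlen(src) before strncat. Everything else in this file is
 * constructed for illustration and is not Rtvscan.exe's code. */
#define DEST_SIZE 0x180
#define CAP_COMMA 0x17A
#define CAP_OTHER 0x17C

/* Which cap the advisory says is used: the smaller one when the string
 * holds a comma but no double-quote, the larger one otherwise. */
size_t select_cap(const char *src) {
    return (strchr(src, ',') && !strchr(src, '"')) ? CAP_COMMA : CAP_OTHER;
}

/* The flawed bound as described: cap - strlen(src). Both operands are
 * size_t, so when strlen(src) > cap the result wraps to a huge value and
 * a strncat given it would copy the whole source. This function only
 * returns the number; it never performs a copy. */
size_t flawed_bound(size_t cap, const char *src) {
    return cap - strlen(src);
}

/* 1 when the flawed bound would wrap for this input, i.e. the copy would
 * be unbounded; 0 otherwise. */
int flawed_bound_wraps(const char *src) {
    return strlen(src) > select_cap(src);
}

/* Hardened append. The third argument to strncat must be the space left in
 * dest (minus the terminator), never something derived from strlen(src).
 * Returns 0 on success, -1 if dest is not NUL-terminated or the source
 * would not fit, so the caller can drop the request instead of silently
 * truncating or overflowing. */
int safe_append(char *dest, size_t dest_size, const char *src) {
    size_t used = 0;
    while (used < dest_size && dest[used] != '\0') used++;
    if (used == dest_size) return -1;          /* no terminator in dest */
    size_t room = dest_size - used - 1;        /* keep one byte for NUL */
    if (strlen(src) > room) return -1;         /* would overflow: refuse */
    strncat(dest, src, room);
    return 0;
}

/* Constructed test input: a backslash-prefixed string of n characters
 * containing a comma, the shape the advisory says selects the 0x17A cap. */
static char sample[0x400];
const char *make_sample(size_t n) {
    if (n >= sizeof sample) n = sizeof sample - 1;
    memset(sample, 'A', n);
    if (n > 0) sample[0] = '\\';
    if (n > 1) sample[1] = ',';
    sample[n] = '\0';
    return sample;
}

/* Run safe_append against a fresh 0x180-byte buffer holding a constructed
 * 4-byte prefix and return its result. Room is 0x180 - 4 - 1 = 0x17B. */
int try_append(const char *src) {
    char dest[DEST_SIZE] = "log:";
    return safe_append(dest, sizeof dest, src);
}

int main(void) {
    /* One byte past the 0x17A cap: the flawed bound wraps to SIZE_MAX. */
    const char *over = make_sample(0x17B);
    printf("cap=%#zx strlen=%zu flawed bound=%#zx wraps=%d\n",
           select_cap(over), strlen(over),
           flawed_bound(select_cap(over), over), flawed_bound_wraps(over));
    printf("safe_append, 0x17B chars (fits exactly) -> %d\n", try_append(over));
    printf("safe_append, 0x17C chars (one too many) -> %d\n",
           try_append(make_sample(0x17C)));
    printf("safe_append, short entry -> %d\n", try_append("\\host,entry"));
    return 0;
}
```

The boundary is worth noting: at exactly 0x17A characters the flawed subtraction yields 0 and nothing is appended, while at 0x17B it wraps. `safe_append` does not share that cliff because its bound depends only on what is already in `dest` and on `dest`'s size, which is the invariant strncat's length argument is meant to encode.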