Symantec / Norton Antivirus multiple security vulnerabilities

Published on June 29, 2016

    A working exploit has been published for all versions of the antivirus. It has also been revealed that the product borrows code released under the GPL.

    Yesterday, Tavis Ormandy of Google's Project Zero team publicly disclosed numerous vulnerabilities in Symantec antivirus products, including vulnerabilities that allow remote code execution.

    Some experts say that an antivirus installed on a computer, running at the highest privilege level in the system, can itself become an additional attack vector, that is, an additional hole in overall system security. The Symantec case demonstrates this as clearly as possible: in some cases on Windows, the malicious code is loaded directly into the operating system kernel, which leads to kernel memory corruption.

    Symantec products share the same core engine, so the described methods work against all Symantec products, including the antivirus products sold under the Norton brand. Among them:

    • Norton Security, Norton 360 and other legacy Norton products (all platforms)
    • Symantec Endpoint Protection (all versions, all platforms)
    • Symantec Email Security (all platforms)
    • Symantec Protection Engine (all platforms)
    • Symantec Protection for SharePoint Servers
    • Other

    Tavis Ormandy of Project Zero published several example vulnerabilities so that everyone can understand the essence of the problem.

    For antivirus software, the problem lies in how it scans executable files compressed with packers such as UPX. To check such files, antiviruses use dedicated unpackers that restore the file to its original form. This works for standard packers; for the rest, the scanner has to fall back on emulation.

    Tavis Ormandy writes that all these methods create excessive complexity and are extremely prone to vulnerabilities, because it is very hard to make such code safe. "We recommend using a sandbox and a Security Development Lifecycle, but vendors often cut corners here," writes Tavis. Because of this, unpackers become a huge source of vulnerabilities, as has already been the case with Comodo, ESET, Kaspersky, FireEye and many others.

    In Symantec's case the situation is even worse, because in its products the unpackers run in the kernel!

    For example, its ASPack unpacker allows a trivial buffer overflow if the SizeOfRawData value is larger than SizeOfImage. When this happens, Symantec copies the "extra" bytes into the buffer using memcpy. Accordingly, arbitrary code can easily be executed at the kernel level, as the following code fragment shows:

        char *buf = malloc(SizeOfImage);          /* buffer sized from the header's SizeOfImage */
        memcpy(&buf[DataSection->VirtualAddress], /* destination offset inside buf, never bounds-checked */
               DataSection->PointerToRawData,
               SectionSizeOnDisk);                /* SizeOfRawData: may exceed SizeOfImage */

    Vulnerability CVE-2016-2208 is described in more detail in the bug tracker. On Linux, macOS and Unix it produces a clean root-level overflow in the Symantec or Norton process; on Windows it produces kernel memory corruption.
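    The check that the copy above is missing, as an added illustration that is not Symantec's or Project Zero's code: a constructed section header struct, a naive bounds test that a 32-bit wraparound defeats, the subtraction-based test that holds, and the same memcpy gated by it. Names, sizes and header values are all assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

/* Minimal stand-in for the PE section header fields an unpacker consults.
 * Constructed for this example; not Symantec's or Project Zero's code. */
struct section_hdr {
    uint32_t VirtualAddress;   /* destination offset inside the image buffer */
    uint32_t SizeOfRawData;    /* number of bytes to copy from the file */
    uint32_t PointerToRawData; /* file offset of those bytes */
};

/* Plausible but wrong: the 32-bit sum wraps, so a huge VirtualAddress
 * plus a small size still looks "in bounds". */
int section_fits_naive(const struct section_hdr *s, uint32_t size_of_image)
{
    return s->VirtualAddress + s->SizeOfRawData <= size_of_image;
}
/* Correct: each bound is a subtraction from a value already known to be in
 * range, so neither the image buffer (size_of_image bytes) nor the input
 * file (file_len bytes) can be overrun. Returns 1 if the copy is safe. */
int section_fits(const struct section_hdr *s, uint32_t size_of_image, size_t file_len)
{
    if (s->VirtualAddress > size_of_image) return 0;
    if (s->SizeOfRawData > size_of_image - s->VirtualAddress) return 0;
    if (s->PointerToRawData > file_len) return 0;
    if (s->SizeOfRawData > file_len - s->PointerToRawData) return 0;
    return 1;
}
/* The memcpy from the page, gated by the check it was missing: 0 on success, -1 if rejected. */
int copy_section_checked(uint8_t *image, uint32_t size_of_image,
                         const uint8_t *file, size_t file_len, const struct section_hdr *s)
{
    if (!section_fits(s, size_of_image, file_len)) return -1;
    memcpy(image + s->VirtualAddress, file + s->PointerToRawData, s->SizeOfRawData);
    return 0;
}

/* Constructed headers for a 32-byte image built from a 64-byte file. */
enum { IMG_LEN = 32, FILE_LEN = 64 };
const struct section_hdr HDR_OK   = { 0, 16, 8 };             /* fits */
const struct section_hdr HDR_BIG  = { 0, 48, 8 };             /* SizeOfRawData > SizeOfImage: the CVE-2016-2208 shape */
const struct section_hdr HDR_WRAP = { 0xFFFFFFF0u, 0x20, 8 }; /* VirtualAddress + size wraps past 2^32 */
/* Runs the checked copy on scratch buffers and returns its result. */
int demo_copy(const struct section_hdr *s)
{
    uint8_t image[IMG_LEN] = {0}, file[FILE_LEN];
    memset(file, 0x41, sizeof file);
    return copy_section_checked(image, IMG_LEN, file, FILE_LEN, s);
}
```

    HDR_BIG is rejected by both checks, but HDR_WRAP passes the naive one and is only caught by the subtraction form.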

    Since Symantec uses a special driver to intercept all system interrupts, exploiting the vulnerability is as simple as sending the victim a file by email or a link to an exploit. The victim does not need to open the file or click the link; the antivirus does everything on its own. This even makes it possible for a worm to spread automatically to every system with Symantec / Norton antivirus installed!

    Thus, a large number of computers on an enterprise's local network can easily be infected.

    Curiously, before publishing the information publicly, Tavis Ormandy sent the exploit to the security department by email in a password-protected zip archive, with the password given in the body of the message. But the mail server with Symantec "protection" installed extracted the password from the message text, applied it to the archive, and crashed while analyzing the exploit code.

    Tavis Ormandy also describes vulnerabilities in the parsing of PowerPoint and other Microsoft Office files, as well as vulnerabilities in the BloodHound Heuristics Advanced Heuristic Protection engine. The exploit source code has been published. It is a 100% working exploit against the default configurations of Norton Antivirus and Symantec Endpoint, and it fires simply when a link is sent by email or published on a web page (the recipient does not need to open it).

    In this case the following products are vulnerable (not every potentially vulnerable Symantec product is listed here; the exploit may well work against others):

    • Norton Antivirus (Mac, Windows)
    • Symantec Endpoint (Mac, Windows, Linux, Unix)
    • Symantec Scan Engine (all platforms)
    • Symantec Cloud / NAS Protection Engine (all platforms)
    • Symantec Email Security (all platforms)
    • Symantec Protection for SharePoint / Exchange / Notes / etc (all platforms)
    • All other Symantec / Norton Carrier, Enterprise, SMB, Home and other anti-virus programs
    • Other

    On Windows this leads to code execution at the SYSTEM level; on other operating systems, with root rights.

    Some Symantec products do not update automatically, so system administrators need to take urgent steps to protect their networks. Official Symantec information is available here.

    UPD. As it turned out, Symantec borrowed code from the open-source libmspack and unrarsrc libraries and has not updated it for at least seven years!