
Symantec ConsoleUtilities ActiveX Control Buffer Overflow
NSOADV-2009-001: Symantec ConsoleUtilities ActiveX Control Buffer Overflow



_________________________________________
Security Advisory NSOADV-2009-001
_________________________________________


  Title:                  Symantec ConsoleUtilities ActiveX Control
                          Buffer Overflow
  Severity:               Critical
  Advisory ID:            NSOADV-2009-001
  Found Date:             09.09.2009
  Date Reported:          15.09.2009
  Release Date:           02.11.2009
  Author:                 Nikolas Sotiriu
  Mail:                   nso-research at sotiriu.de
  URL:                    http://sotiriu.de/adv/NSOADV-2009-001.txt
  Vendor:                 Symantec (http://www.symantec.com/)
  Affected Products:      Symantec Altiris Notification Server 6.x
                          Symantec Management Platform 7.0.x
                          Symantec Altiris Deployment Solution 6.9.x
  Affected Component:     ConsoleUtilities ActiveX Control V.6.0.0.1846
  Not Affected Component: ConsoleUtilities ActiveX Control V.6.0.0.2000
  Remote Exploitable:     Yes
  Local Exploitable:      No
  CVE-ID:                 CVE-2009-3031
  Patch Status:           Vendor released a patch
  Discovered by:          Nikolas Sotiriu
  Disclosure Policy:      http://sotiriu.de/policy.html
  Thanks to:              Thierry Zoller: For the permission to use his
                                          Policy



Background:
==========
Altiris service-oriented management solutions provide a modular and
future-proof approach to managing highly diverse and widely distributed
IT infrastructures. They are open solutions that enable lifecycle
integration of client, handheld, server, network and other IT assets
with audit-ready security and automated operation.

(Product description from Symantec Website)



Description:
===========
During the first access of the Management Website an ActiveX Control
will be installed (AeXNSConsoleUtilities.dll), in which the function
"BrowseAndSaveFile" is vulnerable to a stack based buffer overflow.

Name:             ConsoleUtilities Class
Vendor:           Altiris, Inc.
Type:             ActiveX-Steuerelement
Version:          6.0.0.1846
GUID:             {B44D252D-98FC-4D5C-948C-BE868392A004}
File:             AeXNSConsoleUtilities.dll
Folder:           C:\WINDOWS\system32
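
Added example (not part of the original advisory): a PowerShell check that locates the control by the GUID and file name listed above and compares its file version with the "Not Affected Component" version 6.0.0.2000. The function names and the rule that every build below 6.0.0.2000 needs the hotfix are assumptions of this example.

```powershell
# Added example, not from the advisory: report whether the ConsoleUtilities
# ActiveX control on this host is older than the fixed build.
$Clsid        = '{B44D252D-98FC-4D5C-948C-BE868392A004}'  # GUID listed in the advisory
$FixedVersion = [version]'6.0.0.2000'                     # "Not Affected Component"
# Folder and file name as listed in the advisory; checked even when no COM registration is found.
$FallbackPath = Join-Path $env:windir 'system32\AeXNSConsoleUtilities.dll'

function Get-RegisteredControlPath {
    param([string]$Clsid)
    # 32-bit controls on 64-bit Windows register under Wow6432Node.
    $roots = 'Registry::HKEY_CLASSES_ROOT\CLSID',
             'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    foreach ($root in $roots) {
        $key = "$root\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-Item -LiteralPath $key).GetValue('')   # default value = DLL path
            if ($dll) { $dll.Trim('"') }
        }
    }
}

function Test-ControlFile {
    param([string]$Path, [version]$FixedVersion)
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object psobject -Property @{ Path = $Path; Version = $null; Status = 'NotInstalled' }
    }
    # Use the numeric version fields; the FileVersion string may be formatted "6, 0, 0, 1846".
    $vi  = (Get-Item -LiteralPath $Path).VersionInfo
    $ver = New-Object version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    # Assumption: every build below the fixed one is treated as needing the hotfix.
    $status = if ($ver -lt $FixedVersion) { 'NeedsHotfix' } else { 'Fixed' }
    New-Object psobject -Property @{ Path = $Path; Version = $ver; Status = $status }
}

# Check every registered copy plus the default location, each path once.
$paths = @(Get-RegisteredControlPath -Clsid $Clsid) + $FallbackPath | Sort-Object -Unique
$paths | ForEach-Object { Test-ControlFile -Path $_ -FixedVersion $FixedVersion } |
    Select-Object Path, Version, Status
```

The control is installed on the workstation that browses the management website, so the check belongs on administrator clients as well as on the servers.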



Proof of Concept :
=================

Symantec ConsoleUtilities ActiveX Control Buffer overflow PoC

Use it only for education or ethical pentesting! The author accepts no liability for damage caused by this tool.
Nikolas Sotiriu (lofi) (http://www.sotiriu.de/adv/NSOADV-2009-001.txt), 02.11.2009

Some RET Infos:

Overwrite EIP with AAAA (crash)
EIP=String(2, unescape("%u4141"))

XP SP2 Ger shell32.dll JMP ESP
EIP=unescape("%uaf0a%u77d5")

XP SP3 Ger shell32.dll JMP ESP
EIP=unescape("%u30D7%u7E68")

----------------------------------------------------------------
DoS
Windows XP SP2 German
Windows XP SP3 German



Solution:
========
Symantec Security Advisory: http://tinyurl.com/y9fakve

Hotfix (KB49568):
Deployment Solution 6.9 SP3
https://kb.altiris.com/display/1n/articleDirect/index.asp?aid=49568

Hotfix (KB49389):
Notification Server 6.x
Symantec Management Platform 7.x
https://kb.altiris.com/display/1n/articleDirect/index.asp?aid=49389



Disclosure Timeline (YYYY/MM/DD):
================================
2009.09.09: Vulnerability found
2009.09.15: Sent PoC, Advisory, Disclosure policy and planned disclosure
            date (2009.10.01) to Vendor
2009.09.15: Vendor response asking for resending the poc in a zipped and
            password protected file (AV problem)
2009.09.15: Resending zipped and password protected
2009.09.17: Symantec Security Response Team verifies the vulnerability
2009.09.22: Symantec product team verifies the finding
2009.09.29: Ask for a status update, because the planned release date is
            2009.10.01.
2009.09.29: Symantec Security Response Team tries to get a time line
            from the product team.
2009.09.30: Changed release date to 2009.10.08 until a time line is
            known
2009.10.07: Ask for a status update, because the planned release date is
            2009.10.08.
2009.10.07: Symantec Security Response Team informs me if all goes well
            they need one more week.
2009.10.07: Changed release date to 2009.10.15.
2009.10.14: Ask for a status update, because the planned release date is
            2009.10.15.
2009.10.14: Symantec Security Response Team informs me that they have an
            issue with an update and they need one more week.
2009.10.14: Changed release date to 2009.10.22.
2009.10.21: Ask for a status update, because the planned release date is
            2009.10.22.
2009.10.21: Symantec Security Response Team informs me that they have an
            issue with an update.
2009.10.21: Changed release date to 2009.10.29.
2009.10.28: Ask for a status update, because the planned release date is
            2009.10.29.
2009.10.29: Symantec Security Response Team informs me that the patch
            will be released on 2009.11.02 at 9am PST.
2009.11.02: Symantec Security Response Team informs me that the patch
            and the Advisory is released.
2009.11.02: Release of this Advisory
