~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: Symantec Virus Detection (Free ActiveX)
Vendors: http://security.symantec.com/sscv6/vc_scan.asp?langid=ie&venid=sym&plfid=23&pkj=WJDORSJRFSKLUKUMXCC&vc_scanstate=2
Platforms: Windows
Bug: Buffer Overflow
Risk: High - Running Arbitrary Code
Exploitation: Remote with browser
Date: 1 Apr 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bug
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Symantec Virus Detection checks for known viruses and Trojan horses,
including top threats identified by Symantec Security Response. Virus
Detection provides an analysis of your results and offers suggestions
for further action. It does not examine compressed files or fix
infected files. When Symantec receives notification about a new virus,
we develop and post a solution as quickly as possible. We are committed
to providing swift responses to all virus threats, including Trojan
horses.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Symantec Virus Detection installs and registers "rufsi.dll", which
registers the following COM objects:

  Symantec.SymVAFileQuery.1 - Vulnerable
  Symantec.SymVARegQuery1
  Symantec.SymUtility1

After Symantec Virus Detection has been used once, this type of object
can be created locally and remotely, for example:

  Set object = CreateObject("Symantec.SymVAFileQuery.1")

The vulnerability is in the object's "GetPrivateProfileString" method,
which takes the following parameters:

  object.GetPrivateProfileString(bstrSection As String, bstrKey As String)

Passing an overlong second argument:

  object.GetPrivateProfileString "file", [Really Long String - 'A' > 740000]

causes a buffer overflow, allowing a remote user to run arbitrary code.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

This is Proof Of Concept Code:

------------------- CUT HERE -------------------

------------------- CUT HERE -------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Only the one who sees the invisible, can do the impossible."
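The practical question the advisory raises for an administrator is whether the "rufsi.dll" objects are registered on a machine, whether they are marked safe for scripting (which is what lets a web page instantiate them), and how to stop Internet Explorer from loading them. The script below is an added example written for this page, not code from the advisory or from Symantec. It takes the three ProgIDs exactly as the advisory lists them, resolves each to its CLSID through the registry, reports the Safe-for-Scripting / Safe-for-Initializing component categories and the current kill-bit state, and with -SetKillBit writes the standard IE kill bit (Compatibility Flags 0x400) for any CLSID found. The ProgIDs are assumed to be spelled as the advisory prints them; the registry locations and category GUIDs are the documented Windows ones.

```powershell
# Added example (not from the advisory): audit and kill-bit the ActiveX objects
# registered by rufsi.dll. Run elevated when using -SetKillBit.
param([switch]$SetKillBit)

# ProgIDs copied from the advisory; CLSIDs are resolved from the registry, not hard-coded.
$progIds = @('Symantec.SymVAFileQuery.1', 'Symantec.SymVARegQuery1', 'Symantec.SymUtility1')

# Documented component-category GUIDs: CATID_SafeForScripting / CATID_SafeForInitializing.
$catSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$catSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

# IE consults this key; bit 0x400 in "Compatibility Flags" is the kill bit.
$killBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KILL_BIT    = 0x400

foreach ($progId in $progIds) {
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\$progId\CLSID"
    if (-not (Test-Path $clsidKey)) {
        Write-Output "$progId : not registered"
        continue
    }

    # ProgID -> CLSID, then the CLSID's server DLL and implemented categories.
    $clsid   = (Get-ItemProperty -Path $clsidKey).'(default)'
    $clsRoot = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    $server  = (Get-ItemProperty -Path "$clsRoot\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $catRoot = "$clsRoot\Implemented Categories"
    $scriptable = Test-Path (Join-Path $catRoot $catSafeForScripting)
    $initSafe   = Test-Path (Join-Path $catRoot $catSafeForInitializing)

    # Current kill-bit state (missing key or value counts as "not set").
    $compatKey = Join-Path $killBitRoot $clsid
    $flags  = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    $killed = (($flags -band $KILL_BIT) -ne 0)

    Write-Output ("{0} : CLSID={1} server={2} SafeForScripting={3} SafeForInitializing={4} KillBit={5}" -f `
        $progId, $clsid, $server, $scriptable, $initSafe, $killed)

    if ($SetKillBit -and -not $killed) {
        if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
        # OR the kill bit into any flags already present rather than overwriting them.
        New-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ([int]$flags -bor $KILL_BIT) -Force | Out-Null
        Write-Output "  kill bit set for $clsid"
    }
}
```

Run it once without arguments to see which of the three objects exist and whether any is scriptable from a browser; a result of SafeForScripting=True on an object with an unbounded string parameter is exactly the exposure the advisory describes. The kill bit only blocks instantiation from Internet Explorer and other hosts that honour it; local scripts can still create the object, so unregistering or removing rufsi.dll is the stronger remediation once the scanner is no longer needed.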