Symantec AntiVirus Library UPX parsing buffer overflow

upx-engine-gain-control (18869) The risk level is classified as High

Description:

The Symantec AntiVirus Library could allow a remote attacker to gain complete control of the system, caused by a heap-based buffer overflow vulnerability in the DEC2EXE module, which is used to parse UPX (Ultimate Packer for eXecutables) files. By creating a specially-crafted UPX file and sending it to an affected system in an email or over other common protocols, a remote attacker could overflow a buffer and execute arbitrary code on the system once the malicious UPX file is parsed. If successfully exploited, an attacker can gain complete control of the system running the Anti-Virus engine, as well as any system the Anti-Virus engine protects.


Consequences:

Gain Access

Remedy:

For Virtual Patch:

Enable the following checks in the Dynamic ISS Protection platform:
Symantec_UPX_BO

For Manual Protection:

For Symantec security products:
Apply the appropriate Updates and Maintenance Releases, as listed in Symantec Security Response SYM05-003. See References.

References:

Platforms Affected:

  • Symantec AntiVirus 8.01.434 Corporate
  • Symantec AntiVirus 8.01.437 Corporate
  • Symantec AntiVirus 8.01.446 Corporate
  • Symantec AntiVirus 8.01.457 Corporate
  • Symantec AntiVirus 8.01.460 Corporate
  • Symantec AntiVirus 8.01.464 Corporate
  • Symantec AntiVirus 8.01.471 Corporate Edition
  • Symantec AntiVirus 8.1.1.314a Corporate
  • Symantec AntiVirus 8.1.1.319 Corporate
  • Symantec AntiVirus 8.1.1.323 Corporate
  • Symantec AntiVirus 8.1.1.329 Corporate
  • Symantec AntiVirus Scan Engine 4.0
  • Symantec AntiVirus Scan Engine 4.3
  • Symantec AntiVirus Scan Engine 4.3.3
  • Symantec AntiVirus Scan Engine Caching 4.0
  • Symantec AntiVirus Scan Engine Caching 4.3.3
  • Symantec AntiVirus Scan Engine NetApp Filer 4.0
  • Symantec AntiVirus Scan Engine NetApp Filer 4.3.3
  • Symantec AntiVirus Scan Engine SMTP 3.1.1
  • Symantec AntiVirus Scan Engine SMTP 3.1.2
  • Symantec AntiVirus Scan Engine SMTP 3.1.3
  • Symantec AntiVirus Scan Engine SMTP 3.1.4
  • Symantec AntiVirus Scan Engine SMTP 3.1.5
  • Symantec AntiVirus Scan Engine SMTP 3.1.6
  • Symantec Brightmail AntiSpam 4.0
  • Symantec Brightmail AntiSpam 5.5
  • Symantec Client Security 1.0.1_build_8.01.434 MR3
  • Symantec Client Security 1.0.1_build_8.01.437
  • Symantec Client Security 1.0.1_build_8.01.446 MR4
  • Symantec Client Security 1.0.1_build_8.01.457 MR5
  • Symantec Client Security 1.0.1_build_8.01.460 MR6
  • Symantec Client Security 1.0.1_build_8.01.464 MR7
  • Symantec Client Security 1.0.1_build_8.01.471 MR8
  • Symantec Client Security 1.1.1_build_8.1.1.314a MR1
  • Symantec Client Security 1.1.1_build_8.1.1.336 MR5
  • Symantec Client Security 1.1.1_build_8.1.1.319 MR2
  • Symantec Client Security 1.1.1_build_8.1.1.323 MR3
  • Symantec Client Security 1.1.1_build_8.1.1.329 MR4
  • Symantec Gateway Security 1.0
  • Symantec Gateway Security 2.0
  • Symantec Gateway Security 2.0.1
  • Symantec Mail Security 4.0 Domino
  • Symantec Mail Security 4.0.2 SMTP
  • Symantec Mail Security 4.01_build_458 Exchange
  • Symantec Mail Security 4.01_build_459 Exchange
  • Symantec Mail Security 4.01_build_461 Exchange
  • Symantec Mail Security 4.5_build_719 Exchange
  • Symantec Norton AntiVirus 2.18 build 83 Exchange
  • Symantec Norton AntiVirus 2004
  • Symantec Norton AntiVirus 9.0 Macintosh
  • Symantec Norton Internet Security 2004 Professional
  • Symantec Norton Internet Security 3.0 Macintosh
  • Symantec Norton System Works 2004
  • Symantec Norton System Works 3.0 Macintosh
  • Symantec SAV Filter For Domino NT 3.0.5 OS400
  • Symantec SAV Filter For Domino NT 3.0.5 AIX
  • Symantec SAV Filter For Domino NT 3.1.1
  • Symantec Web Security 3.0.1.59
  • Symantec Web Security 3.0.1.60
  • Symantec Web Security 3.0.1.61
  • Symantec Web Security 3.0.1.62
  • Symantec Web Security 3.0.1.63
  • Symantec Web Security 3.0.1.67
  • Symantec Web Security 3.0.1.68

Reported:

Feb 08, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
