Symantec AntiVirus Library UPX parsing buffer overflow

upx-engine-gain-control (18869). Risk level: High

Description:

The Symantec AntiVirus Library could allow a remote attacker to gain complete control of the system, caused by a heap-based buffer overflow vulnerability in the DEC2EXE module, which is used to parse UPX (Ultimate Packer for eXecutables) files. By creating a specially-crafted UPX file and sending it to an affected system in an email or over other common protocols, a remote attacker could overflow a buffer and execute arbitrary code on the system once the malicious UPX file is parsed. If successfully exploited, an attacker can gain complete control of the system running the Anti-Virus engine, as well as any system the Anti-Virus engine protects.
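The defect class described above is an unpacker trusting an offset read from the file and using it to address a heap buffer without checking it. The following is an added example, not Symantec's DEC2EXE code: a hypothetical header locator in C that takes a signed 32-bit offset parsed from a file image (the UPX and PE field layouts are not reproduced; the image, offsets and `PE_SIG` are constructed) and rejects negative, out-of-range and truncated positions before anything is dereferenced.

```c
/* Added defensive example (hypothetical; not Symantec's DEC2EXE code).
 * Bounds-checked resolution of an attacker-controlled offset inside a
 * parsed file image. The record above describes a UPX file carrying a
 * negative virtual offset to a crafted PE header; this shows the class
 * of check that refuses such an offset instead of reading before or
 * past the heap buffer. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum hdr_status { HDR_OK = 0, HDR_NEGATIVE = 1, HDR_OUT_OF_RANGE = 2, HDR_TRUNCATED = 3 };

/* Constructed "PE-like" signature the unpacker expects at the offset. */
#define PE_SIG_LEN 4
static const uint8_t PE_SIG[PE_SIG_LEN] = { 'P', 'E', 0, 0 };

/* Resolve `offset` (signed 32-bit, as parsed from the file) to a pointer into
 * image[0..len) and require `need` bytes to be readable from that point.
 * Every rejection happens before *out is set, so callers never see a pointer
 * outside the buffer. */
enum hdr_status locate_header(const uint8_t *image, size_t len,
                              int32_t offset, size_t need,
                              const uint8_t **out)
{
    *out = NULL;
    if (offset < 0)                      /* negative: would point before the heap buffer */
        return HDR_NEGATIVE;
    if ((uint64_t)offset >= len)         /* start must lie inside the image */
        return HDR_OUT_OF_RANGE;
    if (need > len - (size_t)offset)     /* subtraction form cannot wrap around */
        return HDR_TRUNCATED;
    *out = image + offset;
    return HDR_OK;
}

/* True if a successfully located header starts with the constructed signature. */
int header_has_pe_sig(const uint8_t *hdr)
{
    return memcmp(hdr, PE_SIG, PE_SIG_LEN) == 0;
}

/* Constructed 64-byte image with the signature placed at offset 32. */
static size_t build_image(uint8_t *image, size_t cap)
{
    memset(image, 0, cap);
    memcpy(image + 32, PE_SIG, PE_SIG_LEN);
    return 64;
}

/* Verdict for one offset against the constructed image. */
enum hdr_status check_offset(int32_t offset)
{
    uint8_t image[64];
    const uint8_t *hdr;
    size_t len = build_image(image, sizeof image);
    return locate_header(image, len, offset, PE_SIG_LEN, &hdr);
}

/* 1 if the offset is accepted and the signature is present there, else 0. */
int pe_sig_at(int32_t offset)
{
    uint8_t image[64];
    const uint8_t *hdr;
    size_t len = build_image(image, sizeof image);
    if (locate_header(image, len, offset, PE_SIG_LEN, &hdr) != HDR_OK)
        return 0;
    return header_has_pe_sig(hdr);
}

/* Run a set of constructed offsets, print each verdict, return how many were rejected. */
int demo_offsets(void)
{
    int32_t cases[] = { 32, -16, 100, 62, INT32_MIN };
    int rejected = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum hdr_status st = check_offset(cases[i]);
        if (st != HDR_OK) {
            rejected++;
            printf("offset %d rejected (status %d)\n", cases[i], st);
        } else {
            printf("offset %d accepted, PE signature %s\n", cases[i],
                   pe_sig_at(cases[i]) ? "present" : "absent");
        }
    }
    return rejected;
}

int main(void)
{
    printf("%d of 5 constructed offsets rejected\n", demo_offsets());
    return 0;
}
```

The three checks are ordered so that the sign test runs first (a negative value cast to an unsigned index would otherwise look like a very large in-range offset), and the length test is written as `need > len - offset` rather than `offset + need > len` so the addition cannot wrap on a 32-bit build.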

Platforms Affected:

  • Symantec, AntiVirus 8.01.434 Corporate
  • Symantec, AntiVirus 8.01.437 Corporate
  • Symantec, AntiVirus 8.01.446 Corporate
  • Symantec, AntiVirus 8.01.457 Corporate
  • Symantec, AntiVirus 8.01.460 Corporate
  • Symantec, AntiVirus 8.01.464 Corporate
  • Symantec, AntiVirus 8.01.471 Corporate Edition
  • Symantec, AntiVirus 8.1.1.314a Corporate
  • Symantec, AntiVirus 8.1.1.319 Corporate
  • Symantec, AntiVirus 8.1.1.323 Corporate
  • Symantec, AntiVirus 8.1.1.329 Corporate
  • Symantec, AntiVirus Scan Engine 4.0
  • Symantec, AntiVirus Scan Engine 4.3
  • Symantec, AntiVirus Scan Engine 4.3.3
  • Symantec, AntiVirus Scan Engine Caching 4.0
  • Symantec, AntiVirus Scan Engine Caching 4.3.3
  • Symantec, AntiVirus Scan Engine NetApp Filer 4.0
  • Symantec, AntiVirus Scan Engine NetApp Filer 4.3.3
  • Symantec, AntiVirus Scan Engine SMTP 3.1.1
  • Symantec, AntiVirus Scan Engine SMTP 3.1.2
  • Symantec, AntiVirus Scan Engine SMTP 3.1.3
  • Symantec, AntiVirus Scan Engine SMTP 3.1.4
  • Symantec, AntiVirus Scan Engine SMTP 3.1.5
  • Symantec, AntiVirus Scan Engine SMTP 3.1.6
  • Symantec, Brightmail AntiSpam 4.0
  • Symantec, Brightmail AntiSpam 5.5
  • Symantec, Client Security 1.0.1_build_8.01.434 MR3
  • Symantec, Client Security 1.0.1_build_8.01.437
  • Symantec, Client Security 1.0.1_build_8.01.446 MR4
  • Symantec, Client Security 1.0.1_build_8.01.457 MR5
  • Symantec, Client Security 1.0.1_build_8.01.460 MR6
  • Symantec, Client Security 1.0.1_build_8.01.464 MR7
  • Symantec, Client Security 1.0.1_build_8.01.471 MR8
  • Symantec, Client Security 1.1.1_build_8.1.1.314a MR1
  • Symantec, Client Security 1.1.1_build_8.1.1.336 MR5
  • Symantec, Client Security 1.1.1_build_8.1.1.319 MR2
  • Symantec, Client Security 1.1.1_build_8.1.1.323 MR3
  • Symantec, Client Security 1.1.1_build_8.1.1.329 MR4
  • Symantec, Gateway Security 1.0
  • Symantec, Gateway Security 2.0
  • Symantec, Gateway Security 2.0.1
  • Symantec, Mail Security 4.0 Domino
  • Symantec, Mail Security 4.0.2 SMTP
  • Symantec, Mail Security 4.01_build_458 Exchange
  • Symantec, Mail Security 4.01_build_459 Exchange
  • Symantec, Mail Security 4.01_build_461 Exchange
  • Symantec, Mail Security 4.5_build_719 Exchange
  • Symantec, Norton AntiVirus 2.18 build 83 Exchange
  • Symantec, Norton AntiVirus 2004
  • Symantec, Norton AntiVirus 9.0 Macintosh
  • Symantec, Norton Internet Security 2004 Professional
  • Symantec, Norton Internet Security 3.0 Macintosh
  • Symantec, Norton System Works 2004
  • Symantec, Norton System Works 3.0 Macintosh
  • Symantec, SAV Filter For Domino NT 3.0.5 OS400
  • Symantec, SAV Filter For Domino NT 3.0.5 AIX
  • Symantec, SAV Filter For Domino NT 3.1.1
  • Symantec, Web Security 3.0.1.59
  • Symantec, Web Security 3.0.1.60
  • Symantec, Web Security 3.0.1.61
  • Symantec, Web Security 3.0.1.62
  • Symantec, Web Security 3.0.1.63
  • Symantec, Web Security 3.0.1.67
  • Symantec, Web Security 3.0.1.68

Remedy:

For Virtual Patch:

Enable the following checks in the Dynamic ISS Protection platform:
Symantec_UPX_BO

For Manual Protection:

For Symantec security products:
Apply the appropriate Updates and Maintenance Releases, as listed in Symantec Security Response SYM05-003. See References.

Consequences:

Gain Access

References:

  • Internet Security Systems Protection Advisory February 8, 2005, Symantec AntiVirus Library Heap Overflow at http://xforce.iss.net/xforce/alerts/id/187.
  • Symantec Security Response SYM05-003, Symantec UPX Parsing Engine Heap Overflow at http://www.symantec.com/avcenter/security/Content/2005.02.08.html.
  • BID-12492: Symantec UPX Parsing Engine Remote Heap Overflow Vulnerability
  • CVE-2005-0249: Heap-based buffer overflow in the DEC2EXE module for Symantec AntiVirus Library allows remote attackers to execute arbitrary code via a UPX compressed file containing a negative virtual offset to a crafted PE header.
  • SECTRACK ID: 1013133: Symantec Norton Anti-Virus Buffer Overflow in DEC2EXE in Parsing UPX Compressed Files Lets Remote Users Execute Arbitrary Code
  • US-CERT VU#107822: Symantec products vulnerable to buffer overflow via a specially crafted UPX file

Reported:

Feb 08, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
