
Researchers from the Google Project Zero team have published a detailed analysis of security bugs in the Symantec Endpoint Protection antivirus engine on their blog. According to the researchers, the product contains many critical vulnerabilities, some of which allow remote code execution or remote kernel memory corruption.
What is the problem
Google Project Zero researchers have published details of vulnerability CVE-2016-2208. According to the researchers, the flaw lies in the unpacker that Symantec's engine uses to process packed executable files.
The vulnerabilities found are buffer overflows, and successful exploitation can lead to remote code execution. Since the Symantec antivirus engine runs its unpackers right in the kernel, that code executes with the highest system privileges. The author of the Google blog post, Tavis Ormandy, was able to get the antivirus to execute the following code:
    char *buf = malloc(SizeOfImage);
    memcpy(&buf[DataSection->VirtualAddress], DataSection->PointerToRawData, SectionSizeOnDisk);
Nothing here checks that VirtualAddress plus SectionSizeOnDisk fits within the SizeOfImage bytes allocated for buf, so a crafted section header makes memcpy write past the end of the buffer.
Ormandy has created an exploit for this vulnerability. He notes that an attacker does not even need the victim to interact with the file in any way to trigger it: it is enough to send it by email or place a link to it and make sure that the antivirus scans it, for example by including it in the message.
The vulnerability therefore poses a serious threat: with its help, criminals can remotely attack the corporate systems of even the largest companies.
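The defensive counterpart of the copy quoted above, as an added example that is not code from the Symantec engine or from the Project Zero post: a section loader that validates both the source range in the file and the destination range in the image buffer before calling memcpy. The SectionHeader struct is a constructed, simplified stand-in for the real PE section header, and SizeOfRawData plays the role of SectionSizeOnDisk.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed, simplified view of the PE section header fields used above. */
typedef struct {
    uint32_t VirtualAddress;   /* where the section is placed in the image buffer */
    uint32_t PointerToRawData; /* offset of the section's bytes in the file */
    uint32_t SizeOfRawData;    /* number of bytes to copy from the file */
} SectionHeader;

/* Hardened form of the copy: source and destination ranges are checked first.
   The comparisons are written so that offset + size cannot wrap around.
   Returns 0 on success, -1 if the header describes an out-of-bounds copy. */
int load_section_checked(const uint8_t *file, size_t file_len,
                         uint8_t *image, size_t size_of_image,
                         const SectionHeader *s)
{
    if (s->PointerToRawData > file_len ||
        s->SizeOfRawData > file_len - s->PointerToRawData)
        return -1;                       /* source would read past the file */
    if (s->VirtualAddress > size_of_image ||
        s->SizeOfRawData > size_of_image - s->VirtualAddress)
        return -1;                       /* destination would overflow the image */
    memcpy(image + s->VirtualAddress, file + s->PointerToRawData, s->SizeOfRawData);
    return 0;
}

/* Constructed header of the kind that triggers the bug: the section is larger
   than the room left in the image. The unchecked memcpy would write past the
   buffer; the checked loader rejects it. Returns -1 for this input. */
int demo_oversized_section(void)
{
    uint8_t file[64] = {0};
    uint8_t image[32] = {0};
    SectionHeader s = { .VirtualAddress = 16, .PointerToRawData = 0, .SizeOfRawData = 32 };
    return load_section_checked(file, sizeof file, image, sizeof image, &s);
}

/* A consistent header is still loaded. Returns 1 if the section's bytes landed
   at the right place in the image and nothing else was touched, else 0. */
int demo_valid_section(void)
{
    uint8_t file[64], image[32] = {0};
    for (int i = 0; i < 64; i++) file[i] = (uint8_t)i;   /* constructed file content */
    SectionHeader s = { .VirtualAddress = 4, .PointerToRawData = 8, .SizeOfRawData = 16 };
    if (load_section_checked(file, sizeof file, image, sizeof image, &s) != 0) return 0;
    return memcmp(image + 4, file + 8, 16) == 0 && image[3] == 0 && image[20] == 0;
}
```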
In addition, Symantec's antivirus product implements an I/O abstraction layer used for processing PowerPoint files. This mechanism contains an error that allows an attacker to trigger a buffer overflow. The applicability of this attack is, however, limited to cases where the antivirus operates in “Bloodhound Heuristics” mode. Ormandy has posted a link to an exploit using this error.

Google researchers note that Symantec developers used open source libraries such as libmspack and unrarsrc, but have not updated their code for at least seven years.
What products are vulnerable
Symantec uses the same “engine” for a whole line of its anti-virus products, which are sold under the brand names Symantec and Norton. Among the vulnerable products are:
- Norton Security, Norton 360 and other legacy Norton products for all platforms;
- Symantec Endpoint Protection (all versions and platforms);
- Symantec Email Security (all platforms);
- Symantec Protection Engine (all platforms);
- Symantec Protection for SharePoint Servers;
- and others.
Some of these products cannot be updated automatically, so their users and administrators need to take steps to protect their systems themselves. Symantec has published relevant recommendations on its website.
In addition to CVE-2016-2208, which is described in detail, Google researchers discovered other serious security bugs leading to buffer overflows, memory corruption, and other problems.
How to protect
To prevent problems caused by the security of protection tools themselves, experts from Positive Technologies recommend using tools that isolate such solutions from other systems while preserving their functionality. One such system, which can detect malicious files and links, is PT MultiScanner.
Earlier in our blog, we published an article reviewing known vulnerabilities in popular antivirus programs.
This is not the first time researchers have found serious vulnerabilities in Symantec Endpoint Protection. Previously, security specialists detected serious errors that allowed attackers to bypass authentication, escalate privileges, read and write files, and perform SQL injection.
Other antivirus solutions have not avoided such problems either. In early February 2016, the same researcher, Tavis Ormandy, discovered serious vulnerabilities in Malwarebytes antivirus products: Malwarebytes updates were not signed with the company's digital signature and were downloaded over an unprotected HTTP connection, which exposed users to man-in-the-middle (MITM) attacks. In April 2016, information was published about a critical vulnerability in TrendMicro antivirus that allowed an attacker to perform remote code execution.
Earlier, in 2015, researchers from Google Project Zero described a serious vulnerability in ESET NOD32 Antivirus that allowed an attacker to read, modify, and delete any files on computers with the antivirus installed.
In the same year, critical vulnerabilities were found in the TrueCrypt encryption software and in Avast antivirus, while the antivirus company BitDefender fell victim to an attack in which user passwords that were stored in the clear were stolen.