• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Symantec AntiVirus Remote Stack Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

Multiple Symantec products are prone to a remote stack buffer-overflow vulnerability.

This issue presents itself in the management interface of affected products. The management interface listens on TCP port 2967, and is often enabled in enterprise settings. Although management communications typically occur over SSL-encrypted sessions, cleartext communications will also be accepted.

Specifically, when the management interface receives COM_FORWARD_LOG commands, an arithmetic operation where the string length of the argument to the command is subtracted from either 0x17A or 0x17C. The result of this operation is directly used as the size parameter of a 'strncpy()' function call. Since 'strncpy()' takes an unsigned integer value, argument string lengths longer than 0x17A or 0x17C will result in a negative value, which will be interpreted as a very large positive size argument. This allows remote attackers to overwrite adjacent memory with approximately 64k of arbitrary data.

This issue allows remote attackers to execute arbitrary machine code with SYSTEM-level privileges, facilitating the complete compromise of affected computers. Reportedly, exploiting this issue does not require user interaction.

Symantec AntiVirus Corporate Edition 10.1 and Symantec Client Security 3.1 are currently known to be vulnerable to this issue. All supported platforms are affected including Microsoft Windows and Novell NetWare.

Affected Products:

• Symantec AntiVirus Corporate Edition 10.0.0
• Symantec AntiVirus Corporate Edition 10.0.2 .2001
• Symantec AntiVirus Corporate Edition 10.0.2.2000
• Symantec AntiVirus Corporate Edition 10.0.2.2010
• Symantec AntiVirus Corporate Edition 10.0.2.2020
• Symantec AntiVirus Corporate Edition 10.1
• Symantec AntiVirus Corporate Edition 10.1.0.394
• Symantec AntiVirus Corporate Edition 10.1.0.400
• Symantec Client Security 3.0.0
• Symantec Client Security 3.0.2.2000
• Symantec Client Security 3.0.2.2001
• Symantec Client Security 3.0.2.2010
• Symantec Client Security 3.0.2.2020
• Symantec Client Security 3.1
• Symantec Client Security 3.1.0.394
• Symantec Client Security 3.1.0.400

References:

• Immunity Partner's: Symantec AntiVirus and Security Client Remote Management Stack Overflow
• Symantec: SYM06-010 - Symantec Client Security and Symantec AntiVirus Elevation of Privile
• Symantec: Symantec AntiVirus Corporate Edition Product Page
• Symantec: Symantec Product Advisories
• Symantec: W32.Spybot.ACYR
• Symantec: W32.Spybot.AMTE
• eEye: EEYEB-20060524

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.