SecurityTracker: Symantec Norton Anti-Virus Buffer Overflow in DEC2EXE in Parsing UPX Compressed Files Lets Remote Users Execute Arbitrary Code

Overview
Symantec resolved a potential remote access compromise vulnerability reported by ISS
X-Force. The vulnerability was identified in an early version of a Symantec antivirus
scanning module responsible for parsing UPX compressed files that is still in limited
use in some Symantec security products.

The vulnerable component fails to do proper bounds checks when analyzing certain
container files for virus content. An attacker sending a specifically crafted UPX
file could potentially compromise the targeted system.

Affected Products
Enterprise Products

Norton AntiVirus for Microsoft Exchange 2.1 prior to build 2.18.85

Symantec Mail Security for Microsoft Exchange 4.0 prior to build 4.0.10.465

Symantec Mail Security for Microsoft Exchange 4.5 prior to build 4.5.3

Symantec AntiVirus/Filtering for Domino NT 3.1 prior to build 3.1.1

Symantec Mail Security for Domino 4.0 prior to build 4.0.1

Symantec AntiVirus/Filtering for Domino Ports 3.0
(AIX) prior to build 3.0.6
(OS400, Linux, Solaris) prior to build 3.0.7

Symantec AntiVirus Scan Engine 4.3 prior to build 4.3.3

Symantec AntiVirus for Network Attached Storage prior to build 4.3.3

Symantec AntiVirus for Caching prior to build 4.3.3

Symantec AntiVirus for SMTP 3.1 prior to build 3.1.7

Symantec Mail Security for SMTP 4.0 prior to build 4.0.2

Symantec Web Security 3.0 prior to build 3.0.1.70

Symantec BrightMail AntiSpam 4.0 All

Symantec BrightMail AntiSpam 5.5 All

Symantec AntiVirus Corporate Edition 9.0 prior to build 9.01.1000 (MR 1 not available in all regions)

Symantec AntiVirus Corporate Edition 8.01, 8.1.1

Symantec Client Security 2.0 prior to build 9.01.1000 (MR 1 not available in all regions)

Symantec Client Security 1.0, 1.0

Symantec Gateway Security 2.0, 2.0.1 - 5400 Series

Symantec Gateway Security 1.0 - 5300 Series

Consumer Products

Symantec Norton Antivirus 2004 for Windows
Symantec Norton Internet Security 2004 (pro) for Windows
Symantec Norton System Works 2004 for Windows
Symantec Norton Antivirus 2004 for Macintosh
Symantec Norton Internet Security 2004 for Macintosh
Symantec Norton System Works 2004 for Macintosh
Symantec Norton Antivirus 9.0 for Macintosh
Symantec Norton Internet Security for Macintosh 3.0
Symantec Norton System Works for Macintosh 3.0

Non-Vulnerable Products (initial non-vulnerable build where indicated)
Enterprise Products

Norton AntiVirus for Microsoft Exchange 2.1 2.18.85
Symantec Mail Security for Microsoft Exchange 4.0 4.0.10.465
Symantec Mail Security for Microsoft Exchange 4.5 4.5.3
Symantec Mail Security for Microsoft Exchange 4.6 All
Symantec AntiVirus/Filtering for Domino NT 3.1 3.1.1
Symantec Mail Security for Domino 4.0 4.0.1
Symantec Mail Security for Domino 4.1 All
Symantec AntiVirus/Filtering for Domino Ports 3.0
(AIX) 3.0.6
(OS400, Linux, Solaris) 3.0.7
Symantec AntiVirus Scan Engine 4.3 4.3.3
Symantec AntiVirus for Network Attached Storage 4.3.3
Symantec AntiVirus for Caching 4.3.3
Symantec AntiVirus for Microsoft Office
SharePoint Portal Server 2003 All
Symantec AntiVirus for SMTP 3.1 3.1.7
Symantec Mail Security for SMTP 4.0 4.0.2
Symantec Mail Security for SMTP 4.1 All
Symantec Web Security 3.0 3.0.1.70
Symantec BrightMail AntiSpam 6.0 All
Symantec AntiVirus Corporate Edition 9.0 9.01.1000
Symantec AntiVirus Corporate Edition 8.1.1 8.1.1.366 MR 6
Symantec AntiVirus Corporate Edition 8.0 8.01.501 MR9
Symantec Client Security 2.0 9.01.1000
Symantec AntiVirus for HandHelds - Corporate Edition (does not install the DEC2EXE module)
Symantec Client Security for Nokia Communicator (does not install the DEC2EXE module)

Consumer Products
Symantec Norton Antivirus 2003
Symantec Norton Internet Security 2003 (pro)
Symantec Norton System Works 2003
Symantec Norton AntiVirus 2005
Symantec Norton Internet Security 2005
Symantec Norton System Works 2005 (Premier)
Symantec AntiVirus for Handhelds (does not install the DEC2EXE module)

Details
ISS X-Force notified Symantec of a vulnerability discovered in the DEC2EXE parsing
engine module used in earlier versions of the Symantec scan engine. The vulnerable
DEC2EXE engine contained a heap overflow that could be initiated by sending a
specifically crafted UPX file that would be parsed by the vulnerable DEC2EXE engine.
If successfully exploited, the attack could potentially result in remote arbitrary
code execution and possible compromise of the targeted system.

Symantec Response
Symantec confirmed the vulnerability ISS identified in the original DEC2EXE engine.
The DEC2EXE engine is no longer required to parse compressed files. Prior to ISS
contacting Symantec with this vulnerability, Symantec had already removed the DEC2EXE
engine from the scan engine upgrades implemented in the majority of Symantec
products. Also, Symantec had planned the DEC2EXE engine removal from all affected
Symantec product versions during upcoming maintenance updates.

Recommended Upgrades
As a part of normal best practices, users should keep vendor-supplied patches for all
application software and operating systems up-to-date. Symantec strongly recommends
customers, if they are not already running a current non-vulnerable product
version/build, upgrade to their appropriate product update immediately to protect
against these types of threats.

Symantec product engineers have developed and released updates or Maintenance
Releases for all impacted product versions that were not already upgraded in the
latest product build release. Updates and Maintenance Releases are available either
through Symantec's LiveUpdate for those products that have LiveUpdate capability or
from the Symantec Product Support site at http://www.symantec.com/techsupp.

Symantec Gateway Security 5300 Series and
Symantec Gateway Security 5400 Series upgrades:

Symantec has tested and posted hotfixes to address this issue for the affected
Symantec Gateway Security 5300 and 5400 Series appliances. The fix removes the legacy
DEC2EXE engine from the affected products and upgrades the scan engine to a new
version. Symantec strongly recommends customers, if they are not already running a
current non-vulnerable product version/build, upgrade to their appropriate product
update immediately to protect against these types of threats.

Product specific hotfixes are available through the Symantec Enterprise Support site
http://www.symantec.com/techsupp.

Symantec Antivirus Corporate Edition and
Symantec Client Security upgrades:

Symantec has tested and posted Maintenance Releases to address this issue in affected
Symantec AntiVirus Corporate Edition versions for both the standalone product and the
integrated Symantec Client Security. The Maintenance Release removes the DEC2EXE
engine from the affected products and upgrades the scan engine to a new version.

Symantec strongly recommends customers, if they are not already running a current
non-vulnerable product version/build, upgrade to their appropriate product update
immediately to protect against these types of threats.

Customers can obtain a Maintenance Release update through the Symantec Enterprise
Support site http://www.symantec.com/techsupp.

Symantec is not aware of any active attempts against or organizations impacted by
this issue.

Mitigations

Symantec AntiVirus Corporate Edition 9.0 and Symantec Client Security 2.0

Maintenance Release 1(MR1) (not available in all regions) or Maintenance Release 2
(MR2) disables the installed DEC2EXE engine and is NOT vulnerable to this exploit
since the DEC2EXE engine is not called to parse UPX files. The latest Maintenance
Release (MR3) removes the DEC2EXE engine, which Symantec strongly recommends.
However, some customers may not be able to install the latest MR3 immediately.

If customers have at least upgraded to an MR in which the DEC2EXE engine is disabled,
they are not susceptible to this particular threat but should still upgrade to MR3 at
their earliest opportunity.

The following program versions identify the Maintenance Release installed.

9.0.1.1000 -> MR1 (not available in all regions)
9.0.2.1000 -> MR2

Symantec BrightMail AntiSpam versions 4.0 and 5.5

The DEC2EXE module can be easily and safely disabled through the brightmail.cfg file
on both Solaris and Windows platforms.

For Solaris:

1. Locate brightmail.cfg .
The default location for this file is /opt/mailwall

2. Edit brightmail.cfg in the following way:
In the section labeled "Symantec 3 decomposer", remove the following line:
blsymdec3Engine: libdec2exe.so|5

3. Restart BrightMail to reload the config file
" hup bmserver".

For Windows:

1. Close any open instance of the Brightmail Administration Console.
2. Locate brightmail.cfg .
The default location for this file is c:\program files\brightmail\config

3. Edit brightmail.cfg in the following way:
In the section labeled "Symantec 3 decomposer", remove the following line:
blsymdec3Engine: libdec2exe.dll|5

4. Restart the Brightmail AntiVirus Cleaner and the Brightmail Server services.

CVE
The Common Vulnerabilities and Exposures (CVE) initiative has not yet assigned a CVE
Candidate to the ISS X-Force reported issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security problems. This
section will be revised when the CVE Candidate is assigned.

Credit:
Symantec appreciates the actions of the X-Force research team and X-Force's Alex
Wheeler in particular for identifying this issue to Symantec and their cooperation
and coordination while Symantec worked to resolve all issues.

Symantec takes the security and proper functionality of its products very seriously.
As founding members of the Organization for Internet Safety (OISafety), Symantec
follows the principles of responsible disclosure. Symantec also subscribes to the
vulnerability guidelines outlined by the National Infrastructure Advisory Council
(NIAC). Please contact secure@symantec.com if you feel you have discovered a
potential or actual security issue with a Symantec product. A Symantec Product
Security team member will contact you regarding your submission.

Symantec has developed a Product Vulnerability Handling Process document outlining
the process we follow in addressing suspected vulnerabilities in our products. We
support responsible disclosure of all vulnerability information in a timely manner to
protect Symantec customers and the security of the Internet as a result of
vulnerability. This document is available from the location provided below.

Symantec strongly recommends using encrypted email for reporting vulnerability
information to secure@symantec.com. The Symantec Product Security PGP key can be
obtained from the location provided below.
Symantec-Product-Vulnerability-Response Symantec Vulnerability Response Policy Symantec Product Vulnerability Response PGP Key Symantec Product Vulnerability Response PGP Key

Copyright (c) 2005 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not
edited in any way unless authorized by Symantec Security Response. Reprinting the
whole or part of this alert in any medium other than electronically requires
permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing
based on currently available information. Use of the information constitutes
acceptance for use in an AS IS condition. There are no warranties with regard to this
information. Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use of, or reliance
on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are
registered trademarks of Symantec Corp. and/or affiliated companies in the United
States and other countries. All other registered and unregistered trademarks
represented in this document are the sole property of their respective
companies/owners.

Last modified on: Tuesday, 08-Feb-05 13:43:44

Go to the Top of This SecurityTracker Archive Page