<<< Date Index >>>     <<< Thread Index >>>

SYM05-003 Symantec UPX Parsing Engine Heap Overflow




Symantec Security Advisory

SYM05-003

08 February, 2005 

Symantec UPX Parsing Engine Heap Overflow 

Revision History
2/9/2005 - Updated Vulnerability details and mitigations. Updated CVE Candidate 
Number
2/11/2005 - Configuration modifications tested and added to disable vulnerable 
module in SAVCE and SCS. 
URL to Technical Support KB with details.

Risk Impact
High

Overview
Symantec resolved a potential remote access compromise vulnerability reported 
by ISS X-Force.  The vulnerability was identified in an early version of a 
Symantec antivirus scanning module responsible for
parsing UPX compressed files that is still in limited use in some Symantec 
security products.  
The vulnerable component fails to do proper bounds checks when analyzing 
certain container files for
virus content. An attacker sending a specifically crafted UPX file could 
potentially compromise the
targeted system. 
 
NOTE:  Users of affected products should ensure they are running a 
non-vulnerable product build or have
installed recommended hotfixes.
If unable to update at this time, customers may implement the configuration 
procedures to disable the
affected DEC2EXE module in those products, Symantec BrightMail, Symantec 
AntiVirus Corporate Edition and
Symantec Client Security that are configurable as documented in this advisory 
and associated product
support Knowledge Base.

Symantec has NOT seen any active attempts against or organizations impacted by 
this issue.  However,
Symantec Security Response created Bloodhound.Exploit.26, a heuristic detection 
for attempts to exploit the DEC2EXE.dll heap overflow vulnerability.  Virus 
definitions version 70209af (extended version 2/9/2004 rev. 32) or greater 
contain this heuristic and are available through Symantec LiveUpdate or 
Symantec's Intelligent Updater.

Vulnerable Products (vulnerable builds/Maintenance Releases (MR) where 
indicated) 

Enterprise Products
Norton AntiVirus for Microsoft Exchange 2.1                     build 2.18.83
Symantec Mail Security for Microsoft Exchange 4.01              build 461
Symantec Mail Security for Microsoft Exchange 4.01              build 459
Symantec Mail Security for Microsoft Exchange 4.01              build 458
Symantec Mail Security for Microsoft Exchange 4.5               build 719
Symantec AntiVirus/Filtering for Domino NT 3.1                          prior 
to build 3.1.1
Symantec Mail Security for Domino 4.0                           prior to build 
4.0.1
Symantec AntiVirus/Filtering for Domino Ports 3.0
        (AIX)                                                   prior to build 
3.0.6
        (OS400, Linux, Solaris)                                 prior to build 
3.0.7
Symantec AntiVirus Scan Engine 4.0.X                            all versions
Symantec AntiVirus Scan Engine 4.3.X                            prior to build 
4.3.3
Symantec AntiVirus Scan Engine for ISA 4.0.X                    all versions
Symantec AntiVirus Scan Engine for ISA 4.3.x                    prior to build 
4.3.3
Symantec AntiVirus Scan Engine for Netapp Filer 4.0.X           all versions
Symantec AntiVirus Scan Engine for Netapp Filer 4.3.X           prior to build 
4.3.3
Symantec AntiVirus Scan Engine for Netapp NetCache 4.0.X        all versions
Symantec AntiVirus Scan Engine for Netapp NetCache 4.3.X        prior to build 
4.3.3
Symantec AntiVirus Scan Engine for Bluecoat 4.0.X               all versions
Symantec AntiVirus Scan Engine for Bluecoat 4.3.X               prior to build 
4.3.3
Symantec AntiVirus Scan Engine for Filers 4.3.X                 prior to build 
4.3.3
Symantec AntiVirus Scan Engine for Caching 4.3.X                prior to build 
4.3.3
                
Symantec AntiVirus for SMTP 3.1.X                               prior to build 
3.1.7
Symantec Mail Security for SMTP 4.0                             prior to build 
4.0.2
Symantec Web Security 3.0 .1.X                                  prior to build 
3.0.1.70
Symantec BrightMail AntiSpam 4.0                                all
Symantec BrightMail AntiSpam 5.5                                all
Symantec AntiVirus Corporate Edition 8.1.1              build 8.1.1.314a
Symantec AntiVirus Corporate Edition 8.1.1              build 8.1.1.319
Symantec AntiVirus Corporate Edition 8.1.1              build 8.1.1.323
Symantec AntiVirus Corporate Edition 8.1.1              build 8.1.1.329

Symantec AntiVirus Corporate Edition 8.01                       build 8.01.434
Symantec AntiVirus Corporate Edition 8.01                       build 8.01.437
Symantec AntiVirus Corporate Edition 8.01                       build 8.01.446
Symantec AntiVirus Corporate Edition 8.01                       build 8.01.457
Symantec AntiVirus Corporate Edition 8.01                       build 8.01.460
Symantec AntiVirus Corporate Edition 8.01                       build 8.01.464
Symantec AntiVirus Corporate Edition 8.01               build 8.01.471
Symantec Client Security 1.1.1          MR1 build 8.1.1.314a
Symantec Client Security 1.1.1          MR2 build 8.1.1.319
Symantec Client Security 1.1.1          MR3 build 8.1.1.323
Symantec Client Security 1.1.1          MR4 build 8.1.1.329
Symantec Client Security 1.1.1          MR5 build 8.1.1.336
Symantec Client Security 1.0.1                                  MR3 build 
8.01.434
Symantec Client Security 1.0.1                                  build 8.01.437
Symantec Client Security 1.0.1                                  MR4 build 
8.01.446
Symantec Client Security 1.0.1                                  MR5 build 
8.01.457
Symantec Client Security 1.0.1                                  MR6 build 
8.01.460
Symantec Client Security 1.0.1                                  MR7 build 
8.01.464
Symantec Client Security 1.0.1                                  MR8 build 
8.01.471
Symantec Gateway Security 2.0, 2.0.1 - 5400 Series
Symantec Gateway Security 1.0 - 5300 Series

Consumer Products
Symantec Norton Antivirus 2004 for Windows 
Symantec Norton Internet Security 2004 (pro) for Windows
Symantec Norton System Works 2004 for Windows
Symantec Norton Antivirus 8.0 for Macintosh
Symantec Norton Internet Security 2.0 for Macintosh
Symantec Norton System Works 7.0 for Macintosh
Symantec Norton Antivirus 9.0 for Macintosh
Symantec Norton Internet Security for Macintosh 3.0
Symantec Norton System Works for Macintosh 3.0

Not-Vulnerable Products (initial non-vulnerable build/Maintenance Release (MR) 
where indicated) 

Enterprise Products
Norton AntiVirus for Microsoft Exchange 2.18            2.18.82 and earlier
Norton AntiVirus for Microsoft Exchange 2.18            2.18.85 and later
Symantec Mail Security for Microsoft Exchange 4.0       build 456 and earlier
Symantec Mail Security for Microsoft Exchange 4.0       build 463
Symantec Mail Security for Microsoft Exchange 4.0       build 465
Symantec Mail Security for Microsoft Exchange 4.5               build 736
Symantec Mail Security for Microsoft Exchange 4.5               build 741
Symantec Mail Security for Microsoft Exchange 4.5               build 743
Symantec Mail Security for Microsoft Exchange 4.6       
Symantec AntiSpam for SMTP 3.1
Symantec AntiVirus/Filtering for Domino NT 3.1                          3.1.1
Symantec Mail Security for Domino 4.0                           4.0.1
Symantec Mail Security for Domino 4.1                           All
Symantec AntiVirus/Filtering for Domino Ports 3.0
        (AIX)                                                   3.0.6
        (OS400, Linux, Solaris)                                 3.0.7
Symantec AntiVirus Scan Engine 4.3                              4.3.3
Symantec AntiVirus Scan Engine for ISA 4.3.X                    4.3.3
Symantec AntiVirus Scan Engine for Netapp Filer 4.3.X           4.3.3   
Symantec AntiVirus Scan Engine for Netapp NetCache 4.3.X        4.3.3
Symantec AntiVirus for Caching                                  4.3.3
Symantec AntiVirus Scan Engine for Microsoft Portal Server 4.3.X
Symantec AntiVirus Scan Engine for Bluecoat 4.3.X               4.3.3
Symantec AntiVirus Scan Engine for Filers 4.3.X                 4.3.3
Symantec AntiVirus for Microsoft Office
SharePoint Portal Server 2003                                   All
Symantec AntiVirus for SMTP 3.1                         3.1.7
Symantec Mail Security for SMTP 4.0                             4.0.2
Symantec Mail Security for SMTP 4.1                     
Symantec Web Security 3.0                                       3.0.1.70
Symantec BrightMail AntiSpam 6.0                                All
Symantec BrightMail AntiSpam 4.0                        (Disable DEC2EXE per 
mitigation instructions)
Symantec BrightMail AntiSpam 5.5                        (Disable DEC2EXE per 
mitigation instructions)

Symantec AntiVirus Corporate Edition 9.0        STM build 9.0.0.338(module 
installed but not loaded into
memory)
Symantec AntiVirus Corporate Edition 9.0                build 9.0.1.1.1000
Symantec AntiVirus Corporate Edition 8.1.1                              build 
8.1.0.825a
Symantec AntiVirus Corporate Edition 8.1.1              build 8.1.1.366
Symantec AntiVirus Corporate Edition 8.0                                build 
8.01.9374
Symantec AntiVirus Corporate Edition 8.0                build 8.01.9378
Symantec AntiVirus Corporate Edition 8.0                build 8.01.425a/b
Symantec AntiVirus Corporate Edition 8.0                build 8.01.429c
Symantec AntiVirus Corporate Edition 8.0                build 8.01.501
Symantec Client Security 2.0    STM build 9.0.0.338(module installed but not 
loaded into memory)
Symantec Client Security 2.0.1                  MR1 build 9.0.1.1000
Symantec Client Security 2.0.2                  MR2 build 9.0.2.1000
Symantec Client Security 2.0.3                  MR3 build 9.0.3.1000

Symantec Client Security 1.1            Initial STM Release Build 8.1.0.825a
Symantec Client Security 1.1.1          MR6 build 8.1.1.266
Symantec Client Security 1.0                                    build 8.01.9374
Symantec Client Security 1.0.0                                  build 8.01.9378
Symantec Client Security 1.0.1                                  MR1 build 
8.01.425a/b
Symantec Client Security 1.0.1          MR2 build 8.01.429c
Symantec Client Security 1.0.1                                  MR9 build 
8.01.501
Symantec Norton AntiVirus 7.6           (does not install the vulnerable module)
Symantec Mail-Gear
Symantec I-Gear
Symantec AntiVirus for HandHelds - Corporate Edition  (does not install the 
DEC2EXE module)
Symantec Client Security for Nokia Communicator (does not install the DEC2EXE 
module)


Consumer Products
Symantec Norton Antivirus 2003 
Symantec Norton Internet Security 2003 (pro)
Symantec Norton System Works 2003  
Symantec Norton AntiVirus 2005
Symantec Norton Internet Security 2005
Symantec Norton System Works 2005 (Premier)
Symantec AntiVirus for Handhelds (does not install the DEC2EXE module)

Details
ISS X-Force notified Symantec of a vulnerability discovered in the DEC2EXE 
parsing engine module used in
earlier versions of the Symantec scan engine.  The vulnerable DEC2EXE engine 
contained a heap overflow 
that could be initiated by sending a specifically crafted UPX file that would 
be parsed by the vulnerable
DEC2EXE engine. If successfully exploited, the attack could potentially result 
in remote arbitrary code
execution and possible compromise of the targeted system.  

Symantec Response
Symantec confirmed the vulnerability ISS identified in the original DEC2EXE 
engine.  The DEC2EXE engineis no longer required to parse compressed files. 
Prior to ISS contacting Symantec with this vulnerability, Symantec had already 
removed the DEC2EXE engine from the scan engine upgrades implementedin the 
majority of Symantec products.  
Recommended Upgrades:

As a part of normal best practices, users should keep vendor-supplied patches 
for all application software and operating systems up-to-date.  Symantec 
strongly recommends customers, if they are not already running a current 
non-vulnerable product version/build, upgrade to their appropriate product 
update immediately to protect against these types of threats.
Symantec product engineers have developed and released updates or Maintenance 
Releases for all impacted product versions that were not already upgraded in 
the latest product build release.   Updates and Maintenance Releases are 
available either through Symantec's LiveUpdate for those products that have 
LiveUpdate capability or from the Symantec Product Support site at 
http://www.symantec.com/techsupp.

Symantec Gateway Security 5300/5400 Series:

Symantec has tested and posted hotfixes to address this issue for the affected 
Symantec Gateway Security 5300/5400 Series.  The hotfix removes the DEC2EXE 
engine from the affected products and upgrades the scan engine to a new 
version. Product specific hotfixes are available through the Symantec 
Enterprise Support site
http://www.symantec.com/techsupp.

Symantec strongly recommends customers, if they are not already running a 
current non-vulnerable product
version/build, upgrade to their appropriate product update immediately to 
protect against these types of 
threats. 

Mitigation

Symantec BrightMail AntiSpam versions 4.0 and 5.5

The DEC2EXE module can be easily and safely disabled through the brightmail.cfg 
file on Solaris, Linux and Windows platforms.  

For Solaris and Linux:

1. Locate brightmail.cfg  
   The default location for this file is /opt/mailwall

2. Edit brightmail.cfg in the following way:
   In the section labeled "Symantec 3 decomposer", remove the following line:
   blsymdec3Engine: libdec2exe.so|5

3. Restart BrightMail to reload the config file: 
                /etc/init.d/mailwall restart  


For Windows:

1. Close any open instance of the Brightmail Administration Console.
2. Locate brightmail.cfg 
   The default location for this file is c:\program files\brightmail\config

3. Edit brightmail.cfg in the following way:
   In the section labeled "Symantec 3 decomposer", remove the following line:
   blsymdec3Engine: dec2exe.dll|5

4. Restart the Brightmail AntiVirus Cleaner and the Brightmail Server services.

CVE
The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE 
Candidate CAN-2005-0249 to
this issue. 
This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which 
standardizes names for
security problems.  

Credit:
Symantec acknowledges the X-Force research team and X-Force's Alex Wheeler in 
identifying this issue and
coordinating with Symantec to resolve and release information about the issue.

Symantec takes the security and proper functionality of its products very 
seriously. As founding members
of the Organization for Internet Safety (OISafety), Symantec follows the 
principles of responsible
disclosure. Symantec also subscribes to the vulnerability guidelines outlined 
by the National
Infrastructure Advisory Council (NIAC). Please contact secure@xxxxxxxxxxxx if 
you feel you have discovered a potential or actual security issue with a 
Symantec product. A Symantec Product Security team member will contact you 
regarding your submission.
Symantec has developed a Product Vulnerability Handling Process document 
outlining the process we follow in addressing suspected vulnerabilities in our 
products. We support responsible disclosure of all vulnerability information in 
a timely manner to protect Symantec customers and the security of the Internet 
as a result of vulnerability. This document is available from the location 
provided below.
Symantec strongly recommends using encrypted email for reporting vulnerability 
information to 
secure@xxxxxxxxxxxxx The Symantec Product Security PGP key can be obtained from 
the http://www.symantec.com/security page

Copyright (c) 2005 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it 
is not edited in any way unless authorized by Symantec Security Response. 
Reprinting the whole or part of this alert in any medium other than 
electronically requires permission from secure@xxxxxxxxxxxxx
Disclaimer
The information in the advisory is believed to be accurate at the time of 
publishing based on currently 
available information. Use of the information constitutes acceptance for use in 
an AS IS condition. There are no warranties with regard to this information. 
Neither the author nor the publisher accepts any liability for any direct, 
indirect, or consequential loss or damage arising from use of, or reliance 
on,this information.
Symantec, Symantec products, Symantec Security Response, and SymSecurity are 
registered trademarks of 
Symantec Corp. and/or affiliated companies in the United States and other 
countries. All other registered
and unregistered trademarks represented in this document are the sole property 
of their respective
companies/owners.