Symantec Antivirus Library Remote Heap Overflows
Date
December 20, 2005
Vulnerability
The Symantec Antivirus Library provides file format support for virus analysis.
During decompression of RAR files Symantec is vulnerable to multiple heap
overflows allowing attackers complete control of the system(s) being protected.
These vulnerabilities can be exploited remotely without user interaction in
default configurations through common protocols such as SMTP.
Impact
Successful exploitation of Symantec protected systems allows attackers
unauthorized control of data and related privileges. It also provides leverage
for further network compromise. Symantec implementations are likely vulnerable
in their default configuration. In default configurations users are likely
vulnerable regardless of whether they choose to open or read the email.
Affected Products
Due to the library’s modular design and core functionality; it is likely this
vulnerability affects a substantial portion of Symantec’s gateway, server, &
client antivirus-enabled product lines on most platforms. In fact, the scope of
this vulnerability is likely similar to the one described in the following link
and also includes more current versions.
http://xforce.iss.net/xforce/alerts/id/187
Further, this library is also licensed to a substantial number of venders with
products/services that are likely affected. A small sample of these vendors can
be found in the following link.
http://www.symantec.com/partners/index.html
Recommendation
Disable scanning of RAR compressed files until the vulnerable code is fixed.
Credit
This vulnerability was discovered and researched by Alex Wheeler.
Contact
security@xxxxxxxxxx