Full Disclosure mailing list archives
Re: (Updated) Symantec ActiveX control buffer overflow
From: Cesar <cesarc56 () yahoo com>
Date: Mon, 23 Jun 2003 16:41:56 -0700 (PDT)
The ActiveX control can have two different names: "Symantec RuFSI Utility Class" or "Symantec RuFSI Registry Information Class" (both names refer to the same ActiveX control); the name depends on whether you ran the virus scan or the security scan first. Thanks to DANIEL HANNIGAN for letting me know this.

BTW: It looks like Symantec hasn't updated or removed the buggy ActiveX yet. Please, Symantec, be serious and start protecting users! Symantec is a security company?

Below is the complete updated advisory.

Security Advisory

Name: Symantec ActiveX control buffer overflow.
Systems Affected: Symantec Security Check service.
Severity: High
Remote exploitable: Yes
Author: Cesar Cerrudo.
Date: 06/23/03
Advisory Number: CC060304

Overview:

Symantec has a free online service for virus and security scans called Symantec Security Check. To access this service a user must go to http://www.symantec.com/securitycheck/ and then select what kind of scan they want to run. In order to run scans, ActiveX controls are installed on the user's computer.

Details:

One of the installed ActiveX controls is called "Symantec RuFSI Utility Class" or "Symantec RuFSI Registry Information Class" (both names refer to the same ActiveX control); the name depends on whether you ran the virus scan or the security scan first. It has this description: "Norton Internet Security Registry and File Information". There isn't documentation on what it does, but it looks like it's used to collect the user's computer information in order to perform the scans. If a long string is passed in any of the parameters of the CompareVersionStrings method, a stack-based overflow occurs when the method is executed.

To reproduce the overflow just cut-and-paste the following:

    <object classid="clsid:69DEAF94-AF66-11D3-BEC0-00105AA9B6AE" id="test">
    </object>
    <script>
    test.CompareVersionStrings("long string here","or long string here")
    </script>

This ActiveX control is marked as safe, so the above sample will run without being blocked in the default Internet Explorer security configuration. This vulnerability can be exploited to run arbitrary code.

Workaround:

Go to %SystemRoot%\Downloaded Program Files\ and remove "Symantec RuFSI Utility Class" or "Symantec RuFSI Registry Information Class", and if you are extra paranoid remove all Symantec ActiveX controls. Also, don't use the Symantec free online scan service again until Symantec fixes it!!!

Vendor Status:

I'm really sorry, Symantec, I forgot about the 30-day grace period (see "Security Vulnerability Reporting and Response Process", http://www.oisafety.org/process.html), also I forgot to report it :)

This is really funny: Symantec tries to protect users and they introduce dangerous ActiveX controls on users' computers. I think that maybe this control should be introduced in the Norton virus list :). I wonder if this advisory will be on Security Focus news or vulnerability database.

Important note: I recommend that antivirus companies with an online virus scan service check their ActiveX controls if they are really interested in protecting users, especially Trend Micro: fix those HouseCall ActiveX multiple overflows!!!

NEW SECURITY LIST!!!: For people interested in SQL Server security, vulnerabilities, SQL injection, etc. Join at: sqlserversecurity-subscribe () yahoogroups com
http://groups.yahoo.com/group/sqlserversecurity/
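An added example, not part of the original message or of any Symantec tooling: a PowerShell audit that looks up the CLSID from the reproduction snippet, reports where the control is registered, and optionally sets the Internet Explorer kill bit (Compatibility Flags 0x400) so the control cannot be instantiated even if its files are still present. The kill bit is a mitigation the message does not mention; the -SetKillBit switch and the variable names are hypothetical.

```powershell
# Added example, not from the advisory. Reports whether the control is
# registered and whether its kill bit is set; -SetKillBit (hypothetical
# switch name) sets it. Writing under HKLM requires an elevated session.
param([switch]$SetKillBit)

$Clsid   = '{69DEAF94-AF66-11D3-BEC0-00105AA9B6AE}'  # CLSID from the advisory
$KillBit = 0x400                                      # kill-bit value in "Compatibility Flags"
$Flag    = 'Compatibility Flags'

# Native view plus the 32-bit view on 64-bit Windows (absent on 32-bit systems).
$views = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node' |
    Where-Object { Test-Path -LiteralPath $_ }

foreach ($root in $views) {
    $clsKey  = "$root\Classes\CLSID\$Clsid"
    $compKey = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

    # Path of the DLL that implements the control, if it is registered here.
    $server = $null
    $inproc = Get-Item -LiteralPath "$clsKey\InprocServer32" -ErrorAction SilentlyContinue
    if ($inproc) { $server = $inproc.GetValue('') }

    # Current flags; a missing key or value counts as 0.
    $prop  = Get-ItemProperty -LiteralPath $compKey -Name $Flag -ErrorAction SilentlyContinue
    $flags = if ($prop) { [int]$prop.$Flag } else { 0 }

    if ($SetKillBit -and -not ($flags -band $KillBit)) {
        if (-not (Test-Path -LiteralPath $compKey)) {
            New-Item -Path $compKey -Force | Out-Null   # create the per-CLSID key
        }
        $flags = $flags -bor $KillBit                   # keep any other flags already set
        New-ItemProperty -LiteralPath $compKey -Name $Flag -PropertyType DWord `
            -Value $flags -Force | Out-Null
    }

    [pscustomobject]@{
        View       = $root
        Registered = Test-Path -LiteralPath $clsKey
        Server     = $server
        KillBitSet = [bool]($flags -band $KillBit)
    }
}
```

Run without the switch first to see which registry views list the control and which DLL backs it; the kill bit blocks loading in Internet Explorer only and does not remove the file.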