A Memory Access Violation in Symantec Antivirus Engine could crash your windows system

Symantec’s Anti-Virus Engine was susceptible to memory access violation due to a kernel-level flaw when parsing a specifically-crafted PE header file.

The most common symptom of a successful attack would result in an immediate system crash, aka. Blue Screen of Death (BSOD).

From Symantec.com:

Symantec was notified of a critical issue in the AVE scan engine when parsing incoming malformed portable-executable (PE) header files. Such malformed PE files can be received through incoming email, downloading of a document or application, or by visiting a malicious web site. No user interaction is required to trigger the parsing of the malformed file.

Sufficiently malformed, the code executed at the kernel-level with system/root privileges causing a memory access violation. The most common symptom of successful exploitation resulted in an immediate system crash.

A proof-of-concept was released by Project Zero:

This is a remote code execution vulnerability. Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it.

On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability - this is about as bad as it can possibly get.

The obvious way to exploit this flaw is either via email or a web browser. The attached testcase contains the source code to build a PoC, which should BugCheck (i.e. BSOD) a system with Norton Antivirus installed, or crash Symantec Enterprise Endpoint service.

The file testcase.txt is a prebuilt binary (note that file extension is irrelevant here). Just clicking download should be enough to trigger a kernel panic on a vulnerable system (!!!).



This site uses Akismet to reduce spam. Learn how your comment data is processed.