Symantec Remote Management Stack Buffer Overflow
June 12, 2006
May 24, 2006
High (Remote Code Execution)
Symantec AntiVirus 10.0.x for Windows (all versions)
Symantec AntiVirus 10.1.x for Windows (all versions)
Symantec Client Security 3.0.x for Windows (all versions)
Symantec Client Security 3.1.x for Windows (all versions)
Systems Not Affected:
Symantec AntiVirus 10.x.x for Macintosh
Symantec AntiVirus 10.x.x for Linux
Symantec AntiVirus 10.x.x for Wireless
eEye Digital Security has discovered a vulnerability in the remote
management interface for Symantec AntiVirus 10.x and Symantec Client
Security 3.x, which could be exploited by an anonymous attacker in order
to execute arbitrary code with SYSTEM privileges on an affected system.
The management interface is typically enabled in enterprise settings and
listens on TCP port 2967 by default, for both server and client systems.
Although remote management traffic is typically SSL-encrypted, managed
systems will accept and process clear-text requests of the vulnerable
The remote management protocol communicated by the affected products is
a proprietary message-based protocol with two levels of encapsulation.
The outer layer comprises a message header indicating one of three
message types: 10, which designates a request to Rtvscan.exe, or 20 or
30, which mediate SSL negotiation. If SSL is established for a TCP
connection, subsequent traffic is encrypted although the plaintext is
still in the proprietary format.
The data of type-10 messages contains its own header and body which are
processed by Rtvscan.exe. This header features a command field which
specifies the operation to perform and dictates the format of the body
The COM_FORWARD_LOG (0x24) command handler contains an improper use of
strncat that allows a 0x180-byte stack buffer to be overflowed with
arbitrary data. If the first string in the COM_FORWARD_LOG request body
contains a backslash, then one of the following two strncat calls will
* If the string contains a comma but no double-quote:
strncat(dest, src, 0x17A - strlen(src));
strncat(dest, src, 0x17C - strlen(src));
If the length of the source string exceeds 0x17A or 0x17C characters
respectively, the arithmetic will underflow and result in a very large
copy size (since the copy size argument is of type size_t, which is
unsigned). This causes the entire source string to be appended to the
buffer, allowing the stack to be overwritten with up to 64KB of data in
which only null characters are prohibited.
Rtvscan.exe was compiled with the Visual Studio /GS security option
which institutes stack canary checks, but this security measure can be
bypassed by causing a very large overwrite and taking control of an
exception handler registration.
As a basic workaround against automated exploitation, the management
interface TCP port may be changed via the
AgentIPPort" registry value in order to accomplish a very slight amount
of obfuscation. Remote management should continue to function even if
the new port numbers are not homogeneous across an enterprise.
Retina Network Security Scanner has been updated to identify this
Blink - Endpoint Vulnerability Prevention - preemptively protects from
Symantec has released patches for the affected products. For more
information, please consult Symantec security advisory SYM06-010:
Note that the installation of one or more previous patches may be
required before the SYM06-010 patch can be applied.
This issue has been assigned CVE-2006-2630.
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Symantec engineers, for very quickly producing a solid patch. Family
and friends. Anti-greets to copperhead snakes.
Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the
user's own risk.