Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Security App Flaws :: bt-21920.htm

Symantec ConsoleUtilities ActiveX Control Buffer Overflow



NSOADV-2009-001: Symantec ConsoleUtilities ActiveX Control Buffer Overflow
NSOADV-2009-001: Symantec ConsoleUtilities ActiveX Control Buffer Overflow



_________________________________________
Security Advisory NSOADV-2009-001
_________________________________________
_________________________________________


  Title:                  Symantec ConsoleUtilities ActiveX Control
                          Buffer Overflow
  Severity:               Critical
  Advisory ID:            NSOADV-2009-001
  Found Date:             09.09.2009
  Date Reported:          15.09.2009
  Release Date:           02.11.2009
  Author:                 Nikolas Sotiriu
  Mail:                   nso-research at sotiriu.de
URL: http://sotiriu.de/adv/NSOADV-2009-001.txt 
Vendor: Symantec (http://www.symantec.com/) 
  Affected Products:      Symantec Altiris Notification Server 6.x
                          Symantec Management Platform 7.0.x
                          Symantec Altiris Deployment Solution 6.9.x
  Affected Component:     ConsoleUtilities ActiveX Control V.6.0.0.1846
  Not Affected Component: ConsoleUtilities ActiveX Control V.6.0.0.2000
  Remote Exploitable:     Yes
  Local Exploitable:      No
  CVE-ID:                 CVE-2009-3031
  Patch Status:           Vendor released an patch
  Discovered by:          Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html 
  Thanks to:              Thierry Zoller: For the permission to use his
                                          Policy



Background:
==========
Altiris service-oriented management solutions provide a modular and
future-proof approach to managing highly diverse and widely distributed
IT infrastructures. They are open solutions that enable lifecycle
integration of client, handheld, server, network and other IT assets
with audit-ready security and automated operation.

(Product description from Symantec Website)



Description:
===========
During the first access of the Management Website an ActiveX Control
will be installed (AeXNSConsoleUtilities.dll), in which the function
"BrowseAndSaveFile" is vulnerable to a stack based buffer overflow.

Name:             ConsoleUtilities Class
Vendor:           Altiris, Inc.
Type:             ActiveX-Steuerelement
Version:          6.0.0.1846
GUID:             {B44D252D-98FC-4D5C-948C-BE868392A004}
File:             AeXNSConsoleUtilities.dll
Folder:           C:\WINDOWS\system32



Proof of Concept :
=================

NSOADV-2009-001




Symantec ConsoleUtilities ActiveX Control Buffer overflow PoC

Use it only for education or ethical pentesting! The author accepts no liability for damage caused by this tool.
Nikolas Sotiriu (lofi) (http://www.sotiriu.de/adv/NSOADV-2009-001.txt), 02.11.2009

Some RET Infos:

Overwrite EIP with AAAA (crash)
EIP=String(2, unescape("%u4141"))

XP SP2 Ger shell32.dll JMP ESP
EIP=unescape("%uaf0a%u77d5")

XP SP3 Ger shell32.dll JMP ESP
EIP=unescape("%u30D7%u7E68")

----------------------------------------------------------------
DoS
Windows XP SP2 German
Windows XP SP3 German
src="http://sotiriu.de/images/logo_wh_80.png"> Solution: ======== Symantec Security Advisory: http://tinyurl.com/y9fakve Hotfix (KB49568): Deployment Solution 6.9 SP3 https://kb.altiris.com/display/1n/articleDirect/index.asp?aid=49568 Hotfix (KB49389): Notification Server 6.x Symantec Management Platform 7.x https://kb.altiris.com/display/1n/articleDirect/index.asp?aid=49389 Disclosure Timeline (YYYY/MM/DD): ================================ 2009.09.09: Vulnerability found 2009.09.15: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2009.10.01) to Vendor 2009.09.15: Vendor response asking for resending the poc in a zipped and password protected file (AV problem) 2009.09.15: Resending zipped and password protected 2009.09.17: Symantec Security Response Team verifies the vulnerability 2009.09.22: Symantec product team verifies the finding 2009.09.29: Ask for a status update, because the planned release date is 2009.10.01. 2009.09.29: Symantec Security Response Team tries to get a time line from the product team. 2009.09.30: Changed release date to 2009.10.08 until a time line is known 2009.10.07: Ask for a status update, because the planned release date is 2009.10.08. 2009.10.07: Symantec Security Response Team informs me if all goes well they need one more week. 2009.10.07: Changed release date to 2009.10.15. 2009.10.14: Ask for a status update, because the planned release date is 2009.10.15. 2009.10.14: Symantec Security Response Team informs me that they have an issue with an update and they need one more week. 2009.10.14: Changed release date to 2009.10.22. 2009.10.21: Ask for a status update, because the planned release date is 2009.10.22. 2009.10.21: Symantec Security Response Team informs me that they have an issue with an update. 2009.10.21: Changed release date to 2009.10.29. 2009.10.28: Ask for a status update, because the planned release date is 2009.10.29. 2009.10.29: Symantec Security Response Team informs me that the patch will be released on 2009.11.02 at 9am PST. 2009.11.02: Symantec Security Response Team informs me that the patch and the Advisory is released. 2009.11.02: Release of this Advisory


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH