In association with heise online

13 July 2007, 08:08

Multiple vulnerabilities in Symantec products

Vulnerabilities in Symantec products for end users and enterprises allow users to escalate their privileges or nefarious individuals to carry out remote denial of service attacks. In one case injected malicious code may also be executed. The bugs affect Symantec's Antivirus, Client Security and Backup Exec products as well as the company's Norton product range.

A buffer overflow can occur in Backup Exec for Windows Servers 10.0, 10d and 11d if data from a request to the RPC server on port 6106 is copied to a fixed size buffer. According to iDefense, this does not require the attacker to be logged in. An attack can crash the service or may even permit malicious code to be injected.

If the RTVScan background monitoring application in Symantec's Antivirus Corporate Edition 9.0, 10.0, 10.1 and Client Security 2.0, 3.0 and 3.1 is configured to display a message about any malware found, users with restricted user accounts can exploit this to escalate their privileges. The e-mail scanner in Symantec Antivirus Corporate Edition 9.x and 10.0 and in Client Security 2.0 and 3.0 can crash if the recipient, sender or subject field of an e-mail to be scanned contains more than 951 characters. The result is that the software no longer checks incoming and outgoing e-mails.
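A gateway-side check for the e-mail scanner crash described above, as an added example that is not from the article or from Symantec: it flags messages whose sender, recipient or subject header exceeds the 951 characters quoted above, so they can be held back from an unpatched scanner. The header names checked, the function names and the choice to measure the raw, unfolded header value are assumptions; the article does not say how the 951 characters are counted.

```python
from email import message_from_bytes
from email.policy import compat32

LIMIT = 951  # threshold quoted in the article
# Assumed mapping of "recipient, sender or subject field" to header names.
FIELDS = ("From", "To", "Cc", "Subject")


def oversized_fields(raw: bytes, limit: int = LIMIT):
    """Return [(header name, length)] for each watched header longer than limit.

    Length is measured on the raw header value after unfolding (line breaks
    removed, continuation whitespace kept), without decoding RFC 2047 words.
    """
    msg = message_from_bytes(raw, policy=compat32)
    hits = []
    for name in FIELDS:
        # get_all() so that repeated headers are each checked.
        for value in msg.get_all(name, []):
            unfolded = "".join(str(value).splitlines())
            if len(unfolded) > limit:
                hits.append((name, len(unfolded)))
    return hits


def build_sample(subject: bytes) -> bytes:
    """Constructed test message; addresses use the reserved example.com domain."""
    return (
        b"From: alice@example.com\r\n"
        b"To: bob@example.com\r\n"
        b"Subject: " + subject + b"\r\n"
        b"\r\n"
        b"constructed body\r\n"
    )


if __name__ == "__main__":
    samples = {
        "at limit": build_sample(b"A" * 951),
        "one over": build_sample(b"A" * 952),
        # A folded header: short physical lines, long logical value.
        "folded": build_sample(b"A" * 500 + b"\r\n " + b"B" * 500),
    }
    for label, raw in samples.items():
        hits = oversized_fields(raw)
        print(f"{label}: {'QUARANTINE ' + repr(hits) if hits else 'pass'}")
```

The folded sample shows why the check unfolds first: each physical line is well under the limit, but the logical header value is not.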

Norton AntiSpam 2005, Antivirus, Internet Security, Personal Firewall and System Works 2005 and 2006, Symantec Antivirus Corporate Edition 9.x, 10.0 and 10.1 and Client Security 2.0, 3.0 and 3.1 all include the symtdi.sys kernel driver. The driver does not properly check data passed by the user in I/O request packets (IRPs). This flaw can be exploited by local users to escalate their privileges to the SYSTEM level.

A further security advisory reveals security vulnerabilities when processing RAR and CAB archives. Manipulated RAR files can provoke a denial of service condition by sending the unpack routine into an endless loop. Failure to check the length correctly when unpacking CAB archives can even lead to execution of external code. This security vulnerability affects nearly all Symantec enterprise and end user products - a full list is given in the security advisory.

Symantec provides links in its security advisories to patches which fix the vulnerabilities. Whereas enterprise customers will have to download and install the patches themselves from, end users of Norton products will receive them via Live Update.
