lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030623234156.66453.qmail@web40017.mail.yahoo.com>
From: cesarc56 at yahoo.com (Cesar)
Subject: (Updated) Symantec ActiveX control buffer overflow

The ActiveX control can have two different names : 
"Symantec RuFSI Utility Class" or "Symantec RuFSI
Registry Information Class" (both names refer to the
same ActiveX control)the name depends if you have
running first the virus scan or security scan.

Thanks to DANIEL HANNIGAN for let me know this.

BTW: It looks that Symantec haven't update or remove
the buggy ActiveX yet, please Symantec be serious
start protecting users! Symantec is a security
company?

Below comple advisory updated.

Security Advisory

Name:  Symantec ActiveX control buffer overflow.
Systems Affected : Symantec Security Check service.
Severity :  High 
Remote exploitable : Yes
Author:    Cesar Cerrudo.
Date:    06/23/03
Advisory Number:    CC060304


Overview:

Symantec has a free online service for virus and
security scan called Symantec Security Check. 
To access this service a user must go to
http://www.symantec.com/securitycheck/ and then select
what kind of scan want to run. In order to run scans
ActiveX controls are installed in user's computer.


Details:

One of the installed ActiveX controls is called
"Symantec RuFSI Utility Class" or "Symantec RuFSI
Registry Information Class" (both names refer to the
same ActiveX control) the name depends if you have
running first the virus scan or security scan, and it
has this description: "Norton Internet Security
Registry and File Information", there isn't
documentation on what it does but it looks like it's
used to colect user's computer information in order to
perform the scans. If a long string is passed in any
of the parameters of CompareVersionStrings method a
stack based overflow occurs when the method is
executed.

To reproduce the overflow just cut-and-paste the
following:

<object
  
classid="clsid:69DEAF94-AF66-11D3-BEC0-00105AA9B6AE"
   id="test">
</object>

<script>
test.CompareVersionStrings("long string here","or long
string here")
</script>


This ActiveX control is marked as safe, so the above
sample will run without being blocked in default 
Internet Explorer security configuration.
This vulnerability can be exploited to run arbitrary
code. 


Workaround:

Go to %SystemRoot%\Downloaded Program Files\ and
remove "Symantec RuFSI Utility Class" or "Symantec
RuFSI Registry Information Class" and if you are
extra paranoid remove all Symantec ActiveX controls.
Also don't use again Symantec free online scan service
until Symantec fix it!!!


Vendor Status :

I really sorry Symantec i forgot about the 30-day
grace period (see  "Security Vulnerability Reporting 
and Response Process",
http://www.oisafety.org/process.html), also i forgot
to report it :)
This is really funny Symantec try to protect users and
they intruduce dangerous ActiveX controls in users
computers. I think that maybe this control should be
inroduced in Norton virus list :). I wonder if this
advisory will be on Security Focus news or
vulnerability database.


Important note:

I recomend antivirus companies with online virus scan
service to check your ActiveX controls if you are
really interested in protect users, especially Trend
Micro fix those HouseCall ActiveX multiple
overflows!!!.


 
NEW SECURITY LIST!!!: For people interested in SQL
Server security, vulnerabilities, SQL injection, etc.
Join at:
sqlserversecurity-subscribe@...oogroups.com
http://groups.yahoo.com/group/sqlserversecurity/




__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ