CVE-2005-2758
CVSS 10.0
Published: 2005-10-05 15:02:00
Revised: 2011-03-07 21:24:59

[Original] Integer signedness error in the administrative interface for Symantec AntiVirus Scan Engine 4.0 and 4.3 allows remote attackers to execute arbitrary code via crafted HTTP headers with negative values, which lead to a heap-based buffer overflow.


[CNNVD] Symantec AntiVirus Scan Engine Web Service Overflow Vulnerability (CNNVD-200510-030)

        Symantec Scan Engine is a TCP/IP server and programming interface that lets third parties incorporate Symantec content scanning technologies.
        A buffer overflow vulnerability exists in the Symantec AntiVirus Scan Engine because HTTP headers are not sufficiently validated. A remote attacker can send a specially crafted HTTP request to the administrative Scan Engine web service on port 8004 to crash the service or execute arbitrary code. Because a signed integer type is used incorrectly, a connecting client can supply a negative value; the value is interpreted as a very large number and then used as an argument to a memory copy. The overly long copy causes a heap overflow, allowing an attacker to execute arbitrary code with SYSTEM privileges.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:symantec:antivirus_scan_engine:4.3 (Symantec AntiVirus Scan Engine 4.3)
cpe:/a:symantec:antivirus_scan_engine:4.0::netapp_filer
cpe:/a:symantec:antivirus_scan_engine:4.3::caching
cpe:/a:symantec:antivirus_scan_engine:4.0::netapp_netcache
cpe:/a:symantec:antivirus_scan_engine:4.0::bluecoat
cpe:/a:symantec:antivirus_scan_engine:4.0 (Symantec AntiVirus Scan Engine 4.0)
cpe:/a:symantec:antivirus_scan_engine_for_network_attached_storage:4.3
cpe:/a:symantec:antivirus_scan_engine:4.0::clearswift
cpe:/a:symantec:antivirus_scan_engine:4.3::clearswift
cpe:/a:symantec:antivirus_scan_engine:4.3::microsoft_sharepoint

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2758
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2758
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200510-030
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/849209
(UNKNOWN)  CERT-VN  VU#849209
http://www.symantec.com/avcenter/security/Content/2005.10.04.html
(VENDOR_ADVISORY)  CONFIRM  http://www.symantec.com/avcenter/security/Content/2005.10.04.html
http://www.idefense.com/application/poi/display?id=314&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20051004 Symantec AntiVirus Scan Engine Web Service Buffer Overflow Vulnerability
http://xforce.iss.net/xforce/xfdb/22519
(UNKNOWN)  XF  symantec-scanengine-admin-bo(22519)
http://www.vupen.com/english/advisories/2005/1954
(UNKNOWN)  VUPEN  ADV-2005-1954
http://www.securityfocus.com/bid/15001
(UNKNOWN)  BID  15001
http://www.osvdb.org/19854
(UNKNOWN)  OSVDB  19854
http://securitytracker.com/id?1015001
(UNKNOWN)  SECTRACK  1015001
http://secunia.com/advisories/17049
(UNKNOWN)  SECUNIA  17049
http://securityreason.com/securityalert/48
(UNKNOWN)  SREASON  48

- Vulnerability information

Symantec AntiVirus Scan Engine Web Service Overflow Vulnerability
Critical  Buffer overflow
2005-10-05 00:00:00 2006-08-16 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue. The patch can be obtained from:
        http://www.symantec.com/avcenter/security/Content/2005.10.04.html

- Vulnerability information (F40454)

iDEFENSE Security Advisory 2005-10-04.2 (PacketStormID:F40454)
2005-10-06 00:00:00
iDefense Labs,infamous41md  idefense.com
advisory,remote,overflow,arbitrary
CVE-2005-2758

iDEFENSE Security Advisory 10.04.05-2 - Remote exploitation of a buffer overflow vulnerability in Symantec AntiVirus Scan Engine can allow remote attackers to execute arbitrary code. iDEFENSE Labs has confirmed the existence of this vulnerability in Symantec AntiVirus Scan Engine 4.0. The vendor has confirmed that the vulnerability also affects products utilizing Symantec AntiVirus Scan Engine 4.3; however, Scan Engine 4.1 is not affected.

Symantec AntiVirus Scan Engine Web Service Buffer Overflow Vulnerability

iDEFENSE Security Advisory 10.04.05
www.idefense.com/application/poi/display?id=314&type=vulnerabilities
October 4, 2005

I. BACKGROUND

Symantec Scan Engine is a TCP/IP server and programming interface that 
enables third parties to incorporate support for Symantec content 
scanning technologies into their proprietary applications. More 
information is available from the vendor website: 

http://enterprisesecurity.symantec.com/products/products.cfm?productid=173

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Symantec 
AntiVirus Scan Engine can allow remote attackers to execute arbitrary 
code. 

The vulnerability specifically exists due to insufficient input 
validation of HTTP Headers. A remote attacker can send a specially 
crafted HTTP request to the administrative Scan Engine Web Service on 
port 8004 to crash the service or execute arbitrary code. Due to 
improper use of signed integer value types, a negative value can be 
supplied by a connecting client, which will interpret the value as a 
very large number and later use the value as an argument to a memory 
copy operation. An overly long copy will occur resulting in a heap 
overflow. Remote attackers can supply carefully crafted HTTP requests 
to trigger the heap overflow and execute arbitrary code.

III. ANALYSIS

Successful exploitation of the vulnerability can result in remote code 
execution with SYSTEM privileges. Exploitation of the vulnerability 
does not require credentials or any other element in the attack other 
than being able to send an HTTP request to TCP port 8001 on the 
vulnerable server. It is recommended to apply the vendor-supplied 
workaround or upgrade to the latest available version of the software. 

IV. DETECTION

iDEFENSE Labs has confirmed the existence of this vulnerability in 
Symantec AntiVirus Scan Engine 4.0. The vendor has confirmed that the 
vulnerability also affects products utilizing Symantec AntiVirus Scan 
Engine 4.3; however, Scan Engine 4.1 is not affected.

V. WORKAROUND

The vendor has supplied the following workaround solution:

"Default installation instructions state that, for security reasons, 
customers should access the administrative interface using a switch or 
via a secure segment of the network. The Symantec AntiVirus Scan Engine 
Administration default port, 8004/tcp, should be locked down for 
trusted internal access only. This port can be changed, as it might 
conflict with existing applications in the environment. But whatever 
port is used for the user-interface, it should never be visible 
external to the network which greatly reduces opportunities for 
unauthorized access. A customer may choose to completely disable the 
Symantec AntiVirus Scan Engine's user-interface once it has been 
satisfactorily configured.

* To disable the user interface, set the port to "0" in the user-
  interface and restart the Symantec AntiVirus Scan Engine. 

* To re-enable the user-interface, edit the Symantec AntiVirus Scan 
  Engine configuration file, set the port back to 8004/tcp, or the 
  applicable user-configured port, and restart the Symantec AntiVirus 
  Scan Engine."

VI. VENDOR RESPONSE

"Symantec Engineers have verified this issue and made security updates
available for the Symantec AntiVirus Scan Engine. Symantec strongly
recommends all customers immediately apply the latest updates for their
supported product versions to protect against these types of threats.
Symantec is unaware of any adverse customer impact from this issue."

A vendor advisory for this issue is available at:

  http://www.symantec.com/avcenter/security/Content/2005.10.04.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2758 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/31/2005  Initial vendor notification
08/31/2005  Initial vendor response
10/04/2005  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

infamous41md[at]hotpop.com is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

- Vulnerability information

19854
Symantec AntiVirus Scan Engine Administrative Interface HTTP Header Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown Vendor Verified

- Vulnerability description

A remote overflow exists in Symantec AntiVirus Scan Engine. The administrative Scan Engine Web service fails to perform proper bounds checking resulting in a heap-based buffer overflow. With a specially crafted HTTP header containing a negative value, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2005-10-04 2005-08-31
Unknown 2005-10-04

- Solution

Upgrade to version 4.3.12 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Symantec AntiVirus Scan Engine Web Service Administrative Interface Buffer Overflow Vulnerability
Boundary Condition Error 15001
Yes No
2005-10-03 12:00:00 2009-07-12 05:06:00
Discovery is credited to infamous41md.

- Affected program versions

Symantec AntiVirus Scan Engine for Network Attached Storage 4.3
Symantec AntiVirus Scan Engine for Netapp NetCache 4.0
Symantec AntiVirus Scan Engine for Netapp Filer 4.0
Symantec AntiVirus Scan Engine for Microsoft SharePoint 4.3
Symantec AntiVirus Scan Engine for Microsoft Portal 4.3
Symantec AntiVirus Scan Engine for Messaging 4.3
Symantec AntiVirus Scan Engine for ISA 4.3
Symantec AntiVirus Scan Engine for ISA 4.0
Symantec AntiVirus Scan Engine for Clearswift 4.3
Symantec AntiVirus Scan Engine for Clearswift 4.0
Symantec AntiVirus Scan Engine for Caching 4.3
Symantec AntiVirus Scan Engine for Bluecoat 4.0
Symantec AntiVirus Scan Engine 4.3
Symantec AntiVirus Scan Engine 4.0
Symantec AntiVirus Scan Engine for Network Attached Storage 4.3.12
Symantec AntiVirus Scan Engine for Netapp NetCache 4.3.12
Symantec AntiVirus Scan Engine for Netapp Filer 4.3.12
Symantec AntiVirus Scan Engine for Microsoft SharePoint 4.3.12
Symantec AntiVirus Scan Engine for Messaging 4.3.12
Symantec AntiVirus Scan Engine for ISA 4.3.12
Symantec AntiVirus Scan Engine for Clearswift 4.3.12
Symantec AntiVirus Scan Engine for Caching 4.3.12
Symantec AntiVirus Scan Engine for Bluecoat 4.3.12
Symantec AntiVirus Scan Engine 4.3.12
Symantec AntiVirus Scan Engine 4.1

- Unaffected program versions

Symantec AntiVirus Scan Engine for Network Attached Storage 4.3.12
Symantec AntiVirus Scan Engine for Netapp NetCache 4.3.12
Symantec AntiVirus Scan Engine for Netapp Filer 4.3.12
Symantec AntiVirus Scan Engine for Microsoft SharePoint 4.3.12
Symantec AntiVirus Scan Engine for Messaging 4.3.12
Symantec AntiVirus Scan Engine for ISA 4.3.12
Symantec AntiVirus Scan Engine for Clearswift 4.3.12
Symantec AntiVirus Scan Engine for Caching 4.3.12
Symantec AntiVirus Scan Engine for Bluecoat 4.3.12
Symantec AntiVirus Scan Engine 4.3.12
Symantec AntiVirus Scan Engine 4.1

- Vulnerability discussion

A buffer overflow vulnerability exists in the Web-based administrative interface of the Symantec AntiVirus Scan Engine. This issue is due to improper bounds checking of user-supplied data prior to copying it into an insufficiently sized memory buffer.

This vulnerability allows attackers to execute arbitrary machine code in the context of the affected application. This allows remote attackers to gain privileged remote access to computers running the affected application.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Symantec has released advisory SYM05-017, along with fixes to address this issue. Please see the referenced advisory for further information.

Fixes may be obtained through the Platinum Support Web Site for Platinum customers or through the FileConnect Electronic Software Distribution Web site for all licensed users.

- References
