CVE-2006-3454
CVSS 7.2
Published: 2006-09-13 20:07:00
Last revised: 2011-03-07 21:38:40

[Original] Multiple format string vulnerabilities in Symantec AntiVirus Corporate Edition 8.1 up to 10.0, and Client Security 1.x up to 3.0, allow local users to execute arbitrary code via format strings in (1) Tamper Protection and (2) Virus Alert Notification messages.


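[CNNVD] Symantec AntiVirus Format String Handling Vulnerability (CNNVD-200609-205)

        Symantec AntiVirus is a very popular antivirus solution.
        Symantec AntiVirus Corporate Edition allows customization of the alert notification messages displayed when a virus is found or when the Tamper Protection feature is triggered. The alert notification process does not properly validate user-generated input, so a local attacker can replace the Tamper Protection and Virus Alert Notification messages with a specially crafted format string that may access the process stack. A successful attack allows the attacker to execute code of the attacker's choosing with elevated privileges.
        In addition, the alert notification process contains another format string vulnerability: if a local user replaces the alert notification message with a format string, the Real Time Virus Scan service crashes when the notification message is displayed after a malicious file is detected.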

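- CVSS (Base Score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]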

- CPE (Affected Platforms and Products)

cpe:/a:symantec:norton_antivirus:10.0::corporate
cpe:/a:symantec:client_security:2.0
cpe:/a:symantec:client_security:2.0.2  Symantec Client Security 2.0.2
cpe:/a:symantec:client_security:1.0  Symantec Client Security 1.0
cpe:/a:symantec:client_security:2.0.4  Symantec Client Security 2.0.4
cpe:/a:symantec:norton_antivirus:8.1::corporate
cpe:/a:symantec:client_security:2.0.3  Symantec Client Security 2.0.3
cpe:/a:symantec:norton_antivirus:9.0.2::corporate
cpe:/a:symantec:norton_antivirus:9.0::corporate
cpe:/a:symantec:norton_antivirus:9.0.1::corporate
cpe:/a:symantec:client_security:1.0.1  Symantec Client Security 1.0.1
cpe:/a:symantec:client_security:2.0.1  Symantec Client Security 2.0.1
cpe:/a:symantec:client_security:1.1.1  Symantec Client Security 1.1.1
cpe:/a:symantec:client_security:1.1
cpe:/a:symantec:client_security:3.0  Symantec Client Security 3.0

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3454
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3454
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200609-205
(Official data source) CNNVD

- Other Links and Resources

http://securityresponse.symantec.com/avcenter/security/Content/2006.09.13.html
(VENDOR_ADVISORY)  CONFIRM  http://securityresponse.symantec.com/avcenter/security/Content/2006.09.13.html
http://www.vupen.com/english/advisories/2006/3599
(UNKNOWN)  VUPEN  ADV-2006-3599
http://xforce.iss.net/xforce/xfdb/28936
(UNKNOWN)  XF  symantecantivirus-messages-code-execution(28936)
http://www.securityfocus.com/bid/19986
(UNKNOWN)  BID  19986
http://www.securityfocus.com/archive/1/archive/1/446293/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060918 Symantec Security Advisory: Symantec AntiVirus Corporate Edition
http://www.securityfocus.com/archive/1/archive/1/446041/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060914 Layered Defense Advisory :Symantec AntiVirus Corporate Edition Format String Vulnerability
http://securitytracker.com/id?1016842
(UNKNOWN)  SECTRACK  1016842
http://secunia.com/advisories/21884
(UNKNOWN)  SECUNIA  21884
http://layereddefense.com/SAV13SEPT.html
(UNKNOWN)  MISC  http://layereddefense.com/SAV13SEPT.html

- Vulnerability Information

Symantec AntiVirus Format String Handling Vulnerability
High risk  Format string
2006-09-13 00:00:00 2006-09-18 00:00:00
Local

- Advisories and Patches

        The vendor has released an update patch to fix this security issue. Patch download link:
        https://fileconnect.symantec.com/licenselogin.jsp

- Vulnerability Information (F50093)

lda-13.txt (PacketStormID:F50093)
2006-09-16 00:00:00
Deral Heiland  LayeredDefense.com
advisory,virus
CVE-2006-3454

A format string vulnerability was discovered within Symantec AntiVirus Corporate Edition versions 10.0, 9.0, and 8.1. The vulnerability is due to improper processing of format strings within the Tamper Protection and Virus Alert Notification message fields.

==================================================
    Layered Defense Advisory 13 September 2006
==================================================
1) Affected Software 
Symantec AntiVirus Corporate Edition 10.0
Symantec AntiVirus Corporate Edition  9.0
Symantec AntiVirus Corporate Edition  8.1
==================================================
2) Severity 
Rating: Medium risk
Impact: Execution of arbitrary code, rights escalation and at a minimum, denial of service.
==================================================
3) Description of Vulnerability 
A format string vulnerability was discovered within Symantec AntiVirus Corporate Edition. The vulnerability is due to improper processing of format strings within Tamper Protection and Virus Alert Notification message fields. A local user could replace the Tamper Protection and Virus Alert Notification messages with a specially crafted format string which could allow access to the process stack. If successfully exploited, this could allow the user to execute code of the attacker    

- Vulnerability Information

28825
Symantec Multiple Products Tamper Protection Format String
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity

- Vulnerability Description

Unknown or Incomplete

- Timeline

2006-09-13 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Symantec AntiVirus Corporate Edition Multiple Local Format String Vulnerabilities
Input Validation Error 19986
No Yes
2006-09-13 12:00:00 2006-09-14 10:07:00
Deral Heiland of Layered Defense discovered the first issue. Symantec engineers found the second format-string issue.

- Affected Software Versions

Symantec Client Security 3.0.2 .2011
Symantec Client Security 3.0.2 .2010
Symantec Client Security 3.0.2 .2002
Symantec Client Security 3.0.2 .2001
Symantec Client Security 3.0.2 .2000
Symantec Client Security 3.0
Symantec Client Security 2.0.3 MR3 b9.0.3.1000
Symantec Client Security 2.0.2 MR2 b9.0.2.1000
Symantec Client Security 2.0.1 MR1 b9.0.1.1000
Symantec Client Security 2.0 STM build 9.0.0.338
Symantec Client Security 2.0 (SCF 7.1)
Symantec Client Security 2.0
Symantec Client Security 1.1.1 MR5 build 8.1.1.336
Symantec Client Security 1.1.1 MR4 build 8.1.1.329
Symantec Client Security 1.1.1 MR3 build 8.1.1.323
Symantec Client Security 1.1.1 MR2 build 8.1.1.319
Symantec Client Security 1.1.1 MR1 build 8.1.1.314a
Symantec Client Security 1.1.1 MR6 b8.1.1.266
Symantec Client Security 1.1.1
Symantec Client Security 1.1 STM b8.1.0.825a
Symantec Client Security 1.1
Symantec Client Security 1.0.1 MR8 build 8.01.471
Symantec Client Security 1.0.1 MR7 build 8.01.464
Symantec Client Security 1.0.1 MR6 build 8.01.460
Symantec Client Security 1.0.1 MR5 build 8.01.457
Symantec Client Security 1.0.1 MR4 build 8.01.446
Symantec Client Security 1.0.1 MR3 build 8.01.434
Symantec Client Security 1.0.1 build 8.01.437
Symantec Client Security 1.0.1 MR9 b8.01.501
Symantec Client Security 1.0.1 MR2 b8.01.429c
Symantec Client Security 1.0.1 MR1 b8.01.425a/b
Symantec Client Security 1.0.1
Symantec Client Security 1.0 .0 b8.01.9378
Symantec Client Security 1.0 b8.01.9374
Symantec Client Security 1.0
Symantec AntiVirus Corporate Edition 10.0.2 .2011
Symantec AntiVirus Corporate Edition 10.0.2 .2010
Symantec AntiVirus Corporate Edition 10.0.2 .2002
Symantec AntiVirus Corporate Edition 10.0.2 .2001
Symantec AntiVirus Corporate Edition 10.0.2 .2000
Symantec AntiVirus Corporate Edition 10.0
Symantec AntiVirus Corporate Edition 9.0.5
Symantec AntiVirus Corporate Edition 9.0.4
Symantec AntiVirus Corporate Edition 9.0.3 .1000
Symantec AntiVirus Corporate Edition 9.0.2 .1000
Symantec AntiVirus Corporate Edition 9.0.1 .1.1000
Symantec AntiVirus Corporate Edition 9.0 .0.338
Symantec AntiVirus Corporate Edition 9.0
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.329
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.323
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.319
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.314a
Symantec AntiVirus Corporate Edition 8.1.1 .377
Symantec AntiVirus Corporate Edition 8.1.1 .366
Symantec AntiVirus Corporate Edition 8.1.1
Symantec AntiVirus Corporate Edition 8.1 build 8.01.471
Symantec AntiVirus Corporate Edition 8.1 build 8.01.464
Symantec AntiVirus Corporate Edition 8.1 build 8.01.460
Symantec AntiVirus Corporate Edition 8.1 build 8.01.457
Symantec AntiVirus Corporate Edition 8.1 build 8.01.446
Symantec AntiVirus Corporate Edition 8.1 build 8.01.437
Symantec AntiVirus Corporate Edition 8.1 build 8.01.434
Symantec AntiVirus Corporate Edition 8.1 .0.825a
Symantec AntiVirus Corporate Edition 8.1
Symantec Client Security 3.0.2 .2020
Symantec Client Security 2.0.5 build 1100
Symantec Client Security 1.1.1 build 393
Symantec AntiVirus Corporate Edition 10.0.2 .2020
Symantec AntiVirus Corporate Edition 9.0.5 .1100
Symantec AntiVirus Corporate Edition 8.1.1 build 393

- Unaffected Software Versions

Symantec Client Security 3.0.2 .2020
Symantec Client Security 2.0.5 build 1100
Symantec Client Security 1.1.1 build 393
Symantec AntiVirus Corporate Edition 10.0.2 .2020
Symantec AntiVirus Corporate Edition 9.0.5 .1100
Symantec AntiVirus Corporate Edition 8.1.1 build 393

- Vulnerability Discussion

Symantec AntiVirus Corporate Edition is prone to multiple format-string vulnerabilities because it fails to properly sanitize user-supplied input before using it in the format-specifier argument to a formatted-printing function.

Successfully exploiting these vulnerabilities may allow an attacker to execute arbitrary machine code with SYSTEM-level privileges. Attackers may also crash the Real Time Virus Scan service.

- Exploit

Currently we are not aware of any exploits for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Symantec has released an advisory along with fixes to address these issues. Please see the referenced advisory for more information.

- Related References
