
SANS ISC: CVE-2016-2208 Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation - Internet Security | DShield SANS ISC InfoSec Forums


CVE-2016-2208 Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation

More vulnerabilities! This time it is the Symantec Antivirus engine. There is a buffer overflow that can be triggered by a malformed PE executable in which the SizeOfRawData PE attribute is greater than the SizeOfImage PE attribute. Exploiting this bug gives the attacker root on UNIX and causes kernel memory corruption on Windows, allowing the attacker to execute anything with maximum privileges. This bug can be dangerous because this PE malformation is not usually checked by antivirus, host IPS platforms or proxies.
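A defender-side check for the malformation described above, added here as an example (it is not code from the diary or from Symantec): it walks the PE headers and reports every section whose SizeOfRawData exceeds the optional header's SizeOfImage. The `build_pe_header` helper constructs minimal, header-only byte strings for testing; they are not runnable executables.

```python
import struct

def build_pe_header(size_of_image, size_of_raw_data, section_name=b".text"):
    """Construct a minimal PE header (DOS stub -> 'PE\\0\\0' -> COFF header ->
    PE32 optional header -> one section header). Constructed test data only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 1 section, SizeOfOptionalHeader=0xE0 (PE32), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic: PE32
    struct.pack_into("<I", opt, 56, size_of_image)   # SizeOfImage
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
    # NumberOfLinenumbers, Characteristics
    sec = section_name.ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI", 0x1000, 0x1000, size_of_raw_data, 0x200, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + sec

def find_oversized_sections(data):
    """Return the names of sections whose SizeOfRawData > SizeOfImage.
    Raises ValueError if the buffer is not a (complete enough) PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]  # same offset in PE32/PE32+
    bad = []
    for i in range(n_sections):
        hdr = opt + opt_size + i * 40          # section headers follow the optional header
        if hdr + 40 > len(data):
            raise ValueError("truncated section table")
        name = data[hdr:hdr + 8].rstrip(b"\x00").decode("ascii", "replace")
        size_of_raw_data = struct.unpack_from("<I", data, hdr + 16)[0]
        if size_of_raw_data > size_of_image:
            bad.append(name)
    return bad

if __name__ == "__main__":
    sane = build_pe_header(size_of_image=0x3000, size_of_raw_data=0x200)
    malformed = build_pe_header(size_of_image=0x3000, size_of_raw_data=0x10000)
    print("sane:", find_oversized_sections(sane))           # []
    print("malformed:", find_oversized_sections(malformed))  # ['.text']
```

On a real sample, read the file bytes and pass them to `find_oversized_sections`; a non-empty result is the inconsistency this diary says scanners usually do not check.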

Want to perform a PoC yourself? Download the test file. If vulnerable, a kernel panic like this should appear on Windows systems.

You should patch this vulnerability ASAP with Symantec Antivirus Engine 20151.1.1.4. Read the full Symantec Advisory here.

We are unaware of exploits in the wild for this vulnerability. If you notice one, please let us know by our contact form.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

It's nice that Symantec posted this => Symantec Antivirus Engine 20151.1.1.4

with reassurances that it is what results when we run Live Update; however, along the lines of "Trust but Verify", where do we find it?

Not to be found in Help=>About or any of the usual places, they've made the interface cute and user friendly by eliminating anything useful. But then it's Norton/Symantec...

Causing a Kernel Panic just to be sure is kind of drastic.
Anonymous
If you're a SEPM administrator, this article helps you identify affected clients and apply the LU (which is done automatically for most setups).

http://www.symantec.com/connect/forums/run-liveupdate-correct-symantec-antivirus-engine-malformed-pe-header-parser-memory-access-vio
Anonymous
You find the file here:

C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Data\Definitions\VirusDefs\

It's in a folder with the most recent definitions date, something like: 20160517.064

Within that folder look for a file called NAVENG32.DLL; right-click it, choose Properties, and under the Details tab you will find the Product Version.

:)
Ender
