Symantec AntiVirus - Unpacking RAR Multiple Remote Memory Corruptions







Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)



A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITY\SYSTEM on Windows, and root on Linux and Mac. It is self-evident from looking at the decomposer code that Symantec have based the RAR decompression on the open-source unrar package from RAR labs (Note: this is permitted by the unrar license).

By comparing Symantec's code to the open source code, I have determined that Symantec are probably using version 4.1.4 of the unrar code, released in January 2012. The most current version is version 5.3.11.

Between the version of unrar that Symantec runs as NT AUTHORITY\SYSTEM to unpack untrusted binaries received over the network and the the current version, literally hundreds of critical memory corruption bugs have been resolved.

I have verified that multiple publicly known vulnerabilities affect Symantec, and can result in remote code execution as NT AUTHORTITY\SYSTEM on Windows and root on Linux and Mac.

I have verified this on the following products:

    Norton Antivirus, Windows
    Symantec Endpoint Protection, Linux and Windows
    Symantec Scan Engine, Linux and Windows

Presumably this affects all other Symantec products using the core Symantec scan engine.

In my opinion, I'm being exceptionally generous considering this issue a new vulnerability and not public information. Frankly, it is astonishing that Symantec do not track new releases of third party code they use. I think you should take this opportunity to check all other third party code you're using to verify you haven't fallen behind.

I've attached a trivial example that modifies an arbitrary index in the PlaceA[] array via Unpack::ShortLZ(). 

(534.adc): Access violation - code c0000005 (!!! second chance !!!)
eax=14858d00 ebx=07da63e0 ecx=07da65ec edx=fb6e43a0 esi=07da6370 edi=daf72217
eip=6d7b4016 esp=0da8d260 ebp=0da8d27c iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
6d7b4016 8994be005d0000  mov     dword ptr [esi+edi*4+5D00h],edx ds:002b:73b748cc=14858d00
0:052> lm v mccScanw
start    end        module name
6d690000 6d8bf000   ccScanw    (export symbols)       C:\Program Files (x86)\Norton Security\Engine\\ccScanw.dll
    Loaded symbol image file: C:\Program Files (x86)\Norton Security\Engine\\ccScanw.dll
    Image path: C:\Program Files (x86)\Norton Security\Engine\\ccScanw.dll
    Image name: ccScanw.dll
    Timestamp:        Tue Jan 26 13:51:55 2016 (56A7EA7B)
    CheckSum:         0022B3ED
    ImageSize:        0022F000
    File version:
    Product version:
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Symantec Corporation
    ProductName:      Symantec Security Technologies
    InternalName:     ccScan
    OriginalFilename: CCSCAN.DLL
    FileDescription:  Symantec Scan Engine
    LegalCopyright:   Copyright (c) 2015 Symantec Corporation. All rights reserved.

These bugs are obviously exploitable for remote code execution on all Symantec customer machines as root or SYSTEM.

Proof of Concept: