A PowerPoint PPT file is a complicated OLE compound document comprising of a series of streams. The format is described by Microsoft in [MS-PPT].
Symantec have implemented an I/O abstraction layer for seeking within the streams of a compound document, which they use to extract embedded objects like VBA macros and so on. Unfortunately, a bug in this I/O abstraction results in a critical security vulnerability. The bug occurs when a read request can be satisfied from the cache, but from a non-zero start offset. In this case, the request size is always rounded to (CACHE_SIZE - Offset), which may not be correct.
For example, a read request that can be satisfied from the stream cache in these ways:
| CACHE |
1. <---------> Non-zero offset, but entire cache needed.
2. <------> Zero offset, but not the entire cache.
3. <----------------------> Entire cache.
4. <----> Non-zero offset and not entire cache.
All of these cases work fine except 4, where a buffer overflow occurs, because the request is rounded up to (CACHE_SIZE - Offset). It seems incredible that this bug wasn't found during testing or even on ITW documents just by chance. Nevertheless, by carefully constructing a powerpoint file with a series of records that massage the cache with a series of records, we can trigger a stack buffer overflow of attacker controlled data.
The easiest way to do this is via PPFindRecSet in libdec2ss (this is part of ccScanw.dll on Windows). Early on when processing powerpoint documents Symantec attempt to find the last edit via RT_UserEditAtom, then extract a set of records for RT_List and RT_ExternalObjectList allowing us to massage the stream cache appropriately.
Naturally, Symantec disable /GS on Windows and do not use -fstack-protector, making exploitation absolutely trivial. The attached document redirects execution to 0x41414141 reliably on Windows.
(1074.a14): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=000025a0 ecx=00000200 edx=000025a0 esi=0396e358 edi=00002524
eip=41414141 esp=056df558 ebp=00000000 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???
0:065> lmv m ccScanW
start end module name
65820000 65a4f000 ccScanw (deferred)
Image path: C:\Program Files (x86)\Norton Security\Engine\126.96.36.199\ccScanw.dll
Image name: ccScanw.dll
Timestamp: Tue Jan 26 13:51:55 2016 (56A7EA7B)
File version: 188.8.131.52
Product version: 184.108.40.206
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
CompanyName: Symantec Corporation
ProductName: Symantec Security Technologies
FileDescription: Symantec Scan Engine
LegalCopyright: Copyright (c) 2015 Symantec Corporation. All rights reserved.
The fix is simply to round up requests to MIN(RequestSize, CACHE_SIZE).
I verified this bug exists on the following products:
* Norton Antivirus (All Platforms)
* Symantec Endpoint (All Platforms)
* Symantec Scan Engine (All Platforms)
* Symantec Email Security (All Platforms)
And probably all other Symantec and Norton branded products.
PPGetVBAEmbedListInfo() uses PPFindRecSet(), which is definitely the easiest way to exploit this. The prototype is something like:
int PPFindRecSet(tagSS_STREAM *stream,
Proof of Concept: