TITLE:
Symantec Multiple Products UPX Parsing Engine Buffer Overflow

SECUNIA ADVISORY ID:
SA14179

VERIFY ADVISORY:
http://secunia.com/advisories/14179/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

OPERATING SYSTEM:
Symantec Gateway Security 1.x
http://secunia.com/product/876/
Symantec Gateway Security 2.x
http://secunia.com/product/3104/

SOFTWARE:
Norton Internet Security 2004
http://secunia.com/product/2441/
Norton Internet Security 2004 Professional
http://secunia.com/product/2442/
Norton SystemWorks 2004
http://secunia.com/product/2796/
Symantec AntiVirus Corporate Edition 8.x
http://secunia.com/product/659/
Symantec AntiVirus Corporate Edition 9.x
http://secunia.com/product/3549/
Symantec AntiVirus for Caching 4.x
http://secunia.com/product/4626/
Symantec AntiVirus for Network Attached Storage 4.x
http://secunia.com/product/4625/
Symantec AntiVirus for SMTP Gateways 3.x
http://secunia.com/product/2231/
Symantec AntiVirus Scan Engine 4.x
http://secunia.com/product/3040/
Symantec AntiVirus/Filtering for Domino
http://secunia.com/product/2029/
Symantec Brightmail AntiSpam 4.x
http://secunia.com/product/4627/
Symantec Brightmail AntiSpam 5.x
http://secunia.com/product/4628/
Symantec Client Security 1.x
http://secunia.com/product/2344/
Symantec Client Security 2.x
http://secunia.com/product/3478/
Symantec Mail Security for Exchange 4.x
http://secunia.com/product/2820/
Symantec Mail Security for SMTP 4.x
http://secunia.com/product/3558/
Symantec Norton AntiVirus 2004
http://secunia.com/product/2800/
Symantec Norton AntiVirus for Microsoft Exchange 2.x
http://secunia.com/product/1017/
Symantec Web Security 3.x
http://secunia.com/product/2813/

DESCRIPTION:
ISS X-Force has reported a vulnerability in multiple Symantec products, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused by a boundary error in the DEC2EXE parsing engine used by the antivirus scanning functionality when processing UPX compressed files. This can be exploited to cause a heap-based buffer overflow via a specially crafted UPX file.

Successful exploitation allows execution of arbitrary code.

The vulnerability affects the following products:
* Norton AntiVirus for Microsoft Exchange 2.1 (prior to build 2.18.85)
* Symantec Mail Security for Microsoft Exchange 4.0 (prior to build 4.0.10.465)
* Symantec Mail Security for Microsoft Exchange 4.5 (prior to build 4.5.3)
* Symantec AntiVirus/Filtering for Domino NT 3.1 (prior to build 3.1.1)
* Symantec Mail Security for Domino 4.0 (prior to build 4.0.1)
* Symantec AntiVirus/Filtering for Domino Ports 3.0 for AIX (prior to build 3.0.6)
* Symantec AntiVirus/Filtering for Domino Ports 3.0 for OS400, Linux, Solaris (prior to build 3.0.7)
* Symantec AntiVirus Scan Engine 4.3 (prior to build 4.3.3)
* Symantec AntiVirus for Network Attached Storage (prior to build 4.3.3)
* Symantec AntiVirus for Caching (prior to build 4.3.3)
* Symantec AntiVirus for SMTP 3.1 (prior to build 3.1.7)
* Symantec Mail Security for SMTP 4.0 (prior to build 4.0.2)
* Symantec Web Security 3.0 (prior to build 3.0.1.70)
* Symantec BrightMail AntiSpam 4.0
* Symantec BrightMail AntiSpam 5.5
* Symantec AntiVirus Corporate Edition 9.0 (prior to build 9.01.1000)
* Symantec AntiVirus Corporate Edition 8.01, 8.1.1
* Symantec Client Security 2.0 (prior to build 9.01.1000)
* Symantec Client Security 1.0
* Symantec Gateway Security 2.0, 2.0.1 - 5400 Series
* Symantec Gateway Security 1.0 - 5300 Series
* Symantec Norton Antivirus 2004 for Windows
* Symantec Norton Internet Security 2004 (pro) for Windows
* Symantec Norton System Works 2004 for Windows
* Symantec Norton Antivirus 2004 for Macintosh
* Symantec Norton Internet Security 2004 for Macintosh
* Symantec Norton System Works 2004 for Macintosh
* Symantec Norton Antivirus 9.0 for Macintosh
* Symantec Norton Internet Security for Macintosh 3.0
* Symantec Norton System Works for Macintosh 3.0

SOLUTION:
Updates are available (see the vendor advisory for details).

PROVIDED AND/OR DISCOVERED BY:
Alex Wheeler, ISS X-Force.

ORIGINAL ADVISORY:
Symantec:
http://www.sarc.com/avcenter/security/Content/2005.02.08.html

ISS X-Force:
http://xforce.iss.net/xforce/alerts/id/187
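
ADDED EXAMPLE (not part of the Secunia or Symantec advisory):
A triage script that checks installed builds against the "prior to build" thresholds listed above, comparing each dotted field as a number so that 4.0.9.x is not mistaken for newer than 4.0.10.465. The FIXED_BUILDS entries are a subset copied from this advisory; the inventory rows, host names and status labels are constructed, and installed builds are assumed to use the same notation as the advisory.

```python
# Added example, not vendor code. FIXED_BUILDS is a subset copied from the
# advisory's list; None = listed as affected with no fixed build named.
FIXED_BUILDS = {
    ("Symantec Mail Security for Microsoft Exchange", "4.0"): "4.0.10.465",
    ("Symantec Mail Security for Microsoft Exchange", "4.5"): "4.5.3",
    ("Symantec AntiVirus Scan Engine", "4.3"): "4.3.3",
    ("Symantec Web Security", "3.0"): "3.0.1.70",
    ("Symantec AntiVirus Corporate Edition", "9.0"): "9.01.1000",
    ("Symantec BrightMail AntiSpam", "4.0"): None,
    ("Symantec Client Security", "1.0"): None,
}

def parse_build(build):
    """'4.0.10.465' -> (4, 0, 10, 465), so fields compare as numbers."""
    parts = build.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable build string: {build!r}")
    return tuple(int(p) for p in parts)

def triage(product, branch, build):
    """Classify one installed product against the advisory's thresholds."""
    key = (product, branch)
    if key not in FIXED_BUILDS:
        return "not-listed"
    fixed = FIXED_BUILDS[key]
    if fixed is None:
        return "affected-no-build-listed"  # consult the vendor advisory
    have, want = parse_build(build), parse_build(fixed)
    # Pad to equal length so "4.3" is treated as 4.3.0 against 4.3.3.
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return "vulnerable" if have < want else "patched"

# Constructed inventory rows: (host, product, branch, installed build).
INVENTORY = [
    ("mx01", "Symantec Mail Security for Microsoft Exchange", "4.0", "4.0.9.100"),
    ("mx02", "Symantec Mail Security for Microsoft Exchange", "4.5", "4.5.3"),
    ("scan01", "Symantec AntiVirus Scan Engine", "4.3", "4.3.1"),
    ("spam01", "Symantec BrightMail AntiSpam", "4.0", "4.0.0"),
    ("file01", "Example File Server Agent", "1.0", "1.0.0"),
]

def report(inventory=INVENTORY):
    return {host: triage(p, b, v) for host, p, b, v in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:8} {status}")
```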