Vulnerabilities > CVE-2005-2758 - Buffer Overflow vulnerability in Symantec products

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
symantec
critical
nessus

Summary

Integer signedness error in the administrative interface for Symantec AntiVirus Scan Engine 4.0 and 4.3 allows remote attackers to execute arbitrary code via crafted HTTP headers with negative values, which lead to a heap-based buffer overflow.

Nessus

NASL family: Windows
NASL id: SYMANTEC_SCAN_ENGINE_SYM05_017.NASL
description: The remote host has a version of Symantec AntiVirus Scan Engine installed that is affected by a buffer overflow vulnerability in the web-based administrative interface. By sending a specially crafted request, a remote attacker may be able to execute arbitrary code.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 67229
published: 2013-07-10
reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/67229
title: Symantec AntiVirus Scan Engine Web Service Administrative Interface Buffer Overflow
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Description pass: when `description` is set, only the plugin metadata below
# is registered and the script exits (see exit(0) at the end of this block)
# before any of the check logic further down runs.
if (description)
{
  # Plugin identity and revision bookkeeping.
  script_id(67229);
  script_version("1.5");
  script_cvs_date("Date: 2018/08/01 17:36:15");

  # External identifiers for the flaw this plugin reports.
  script_cve_id("CVE-2005-2758");
  script_bugtraq_id(15001);

  script_name(english:"Symantec AntiVirus Scan Engine Web Service Administrative Interface Buffer Overflow");
  # The summary states the detection method: a version check, not a probe.
  script_summary(english:"Checks version of Symantec AntiVirus Scan Engine");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host has software installed that is affected by a buffer
overflow vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host has a version of Symantec AntiVirus Scan Engine
installed that is affected by a buffer overflow vulnerability in the
web-based administrative interface.  By sending a specially crafted
request, a remote attacker may be able to execute arbitrary code."
  );
  # Vendor advisory; the shortened see_also link below presumably resolves to it (confirm):
  # http://securityresponse.symantec.com/avcenter/security/Content/2005.10.04.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5ceacdf3");
  # Remediation: the same 4.3.12 threshold is used as the fixed version in the check below.
  script_set_attribute(attribute:"solution", value:"Upgrade to Symantec AntiVirus Scan Engine 4.3.12 or later.");
  # CVSS v2 base vector: network attack vector, low complexity, no
  # authentication, complete confidentiality/integrity/availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # CVSS v2 temporal vector: exploitability unproven, official fix available,
  # report confidence confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Disclosure and patch share a date; the plugin itself was published years later.
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/10/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/10");

  # "local": the result is derived from install data already recorded in the
  # knowledge base; this script sends no request to the administrative interface.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:antivirus_scan_engine");
  script_end_attributes();

  # Information-gathering category.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  # Depends on the install-detection plugin and requires the KB key below,
  # which that plugin presumably sets when it finds the product (confirm).
  script_dependencies("symantec_scan_engine_installed.nasl");
  script_require_keys("SMB/symantec_scan_engine/Installed");

  # End of the description pass; nothing below runs in this mode.
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("smb_func.inc");

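# Product name passed to audit() when the install is not flagged.
app = 'Symantec AntiVirus Scan Engine';

# SMB transport port; the finding is reported against it.
port = kb_smb_transport();

# The install path and version are read from the knowledge base under one of
# two product names. "Symantec Scan Engine" is tried first; if its path is
# absent, the "Symantec AntiVirus Scan Engine" keys are required and the script
# exits when they are missing.
path = get_kb_item("Symantec/Symantec Scan Engine/Path");

if (isnull(path))
{
  path = get_kb_item_or_exit("Symantec/Symantec AntiVirus Scan Engine/Path");
  version = get_kb_item_or_exit("Symantec/Symantec AntiVirus Scan Engine/Version");
}
else version = get_kb_item_or_exit("Symantec/Symantec Scan Engine/Version");

# Version-only check: flag 4.0.x and 4.3.x builds that compare lower than
# 4.3.12. Any other version string falls through to the audit() branch.
# NOTE(review): the result means "installed build is older than the fixed
# release"; it does not establish whether the administrative interface is
# reachable from the network, so pair it with an exposure review when
# prioritising remediation.
if (
  version =~ "^4\.[03]\." &&
  ver_compare(ver:version, fix:"4.3.12", strict:FALSE) == -1
)
{
  if (report_verbosity > 0)
  {
    # Assign instead of appending: `report` has no earlier value in this
    # script, so `+=` relied on an uninitialised variable.
    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 4.3.12\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);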