UPX parsing engine heap overflow vulnerability and Symantec Client Security

Article:TECH101078  |  Created: 2005-01-09  |  Updated: 2007-01-13  |  Article URL http://www.symantec.com/docs/TECH101078
Article Type: Technical Solution

Issue



You have heard about the UPX parsing engine heap overflow vulnerability. You want to know whether your Symantec Client Security product is vulnerable and how to mitigate the vulnerability if it is.


Solution



Affected versions
For a complete list of all Symantec products affected by the vulnerability, read the official Symantec statement on the Symantec Security Response Web site. The latest builds of all of the Symantec Client Security products are unaffected by the vulnerability.

Symantec Client Security 2.0 and Symantec AntiVirus Corporate Edition 9.0
Symantec Client Security 2.0 and Symantec AntiVirus Corporate Edition 9.0 are not affected by the vulnerability.

It was previously reported that the original shipping build of Symantec Client Security was vulnerable. While the shipping build did contain the vulnerable Dec2EXE.dll engine file and later builds did not, the vulnerable file is not called by Symantec AntiVirus, and is never loaded. Because the Dec2EXE.dll file is never loaded into memory, the build is not vulnerable.

Symantec Client Security 1.0 and Symantec AntiVirus Corporate Edition 8.0
The vulnerability of Symantec Client Security 1.0 and 1.1 depends on the version of Symantec AntiVirus Corporate Edition included. The vulnerability of each of the versions of Symantec AntiVirus Corporate Edition is as follows:

Symantec AntiVirus Corporate Edition 8.1.x builds:

Build         Comment                 Vulnerable?
8.1.0.825a    Initial shipping build  No
8.1.1.314a    MR1                     Yes
8.1.1.319     MR2                     Yes
8.1.1.323     MR3                     Yes
8.1.1.329     MR4                     Yes
8.1.1.336     MR5                     Yes
8.1.1.366     MR6                     No


Symantec AntiVirus Corporate Edition 8.0.x builds:

Build         Comment                 Vulnerable?
8.0.0.9374    Initial shipping build  No
8.0.0.9378    N/A                     No
8.0.1.425     MR1                     No
8.0.1.429c    MR2                     No
8.0.1.434     MR3                     Yes
8.0.1.437     N/A                     Yes
8.0.1.446     MR4                     Yes
8.0.1.457     MR5                     Yes
8.0.1.460     MR6                     Yes
8.0.1.464     MR7                     Yes
8.0.1.471     MR8                     Yes
8.0.1.501     MR9                     No


Norton AntiVirus Corporate Edition 7.x
Norton AntiVirus Corporate Edition 7.x is not affected by the vulnerability.

Symantec Client Security for Nokia Communicator and Symantec AntiVirus for Handhelds
The handheld products are not affected by the vulnerability.


Mitigation
There are three ways to remove the UPX vulnerability in Symantec Client Security or Symantec AntiVirus:
  • Upgrade to a build that is not affected by the vulnerability
  • Disable the vulnerable decomposer engine by using the nodec2exe.exe tool
  • Disable the vulnerable decomposer engine manually by editing a configuration file

In addition, Symantec Security Response has added a Bloodhound heuristic detection, Bloodhound.Exploit.26, to preemptively detect any files that could potentially exploit the vulnerability.

To upgrade to a build that is not affected by the vulnerability
For information on obtaining a build that does not have this vulnerability, read the document How to obtain an update or an upgrade for your Symantec Corporate product.


To use the Nodec2exe.exe tool
Symantec has created a tool, nodec2exe.exe, to disable the DEC2EXE engine file in Symantec AntiVirus Corporate Edition versions 8.0x and 8.1x.

To run the tool silently, add /S to the command line.
The tool must be run with Administrator or System account privileges.

Functionality of the Nodec2exe.exe tool
  1. When the tool is run, it checks the registry for the location of the Symantec AntiVirus installation folder. If it does not find the registry key, the tool assumes Symantec AntiVirus is not installed, and terminates.
  2. The tool opens and reads the Dec3.cfg file in the Symantec AntiVirus installation folder.
  3. If the tool finds the Dec2Exe.dll entry, it renames the Dec3.cfg file to Dec3.xxx, and creates a new Dec3.cfg file.
  4. The contents of the old file are copied to the new file.
  5. The tool edits the new copy of the Dec3.cfg file to decrement the total engine count by 1, and removes the Dec2Exe.dll entries.
  6. If the file was successfully updated, the tool deletes the Dec3.xxx file.

After running the tool, restart the Symantec AntiVirus service for the changes to take effect.


To disable the vulnerable Dec2EXE.dll file manually
  1. In Windows Explorer, open the Symantec AntiVirus installation folder.
    The location of this folder varies by product and operating system.
  2. Open the file Dec3.cfg in a text editor such as Notepad.
  3. Locate the fifth line of the file.
    The fifth line is a number that corresponds to the number of .dll files listed below. Verify that this is the case.
  4. Reduce the number in the fifth line by 1.
  5. Find the following line:

    Dec2EXE.dll

  6. Delete the line immediately after the Dec2EXE.dll line.
    The contents of the line following Dec2EXE.dll should be a number.
  7. Delete the Dec2EXE.dll line.
  8. Close and save the Dec3.cfg file.
  9. Do one of the following:
    • On Windows NT, 2000, XP or 2003, restart the Symantec AntiVirus service.
    • On Windows 98 or Me, restart the computer.

This procedure disables the Dec2EXE.dll file. After the file is disabled, Symantec Client Security and Symantec AntiVirus are no longer vulnerable.
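The following script is an added illustration of both the tool's update sequence and the manual procedure above; it is not Symantec's nodec2exe.exe and not code from this article. It assumes only the Dec3.cfg layout the article describes (four header lines, an engine count on the fifth line, then one DLL-name/number pair per engine) and uses a constructed sample file. It first verifies that the count matches the number of DLL entries, which is the check step 3 asks for, and refuses to rewrite a file that fails that check; it then removes the Dec2EXE.dll pair, decrements the count, and when patching a real file keeps a Dec3.xxx backup until the rewritten file re-parses cleanly.

```python
"""Audit and patch a Symantec AntiVirus Dec3.cfg decomposer list.

Added illustration; this is not Symantec's nodec2exe.exe. It assumes the
file layout the article describes: four header lines (install path and
three numeric limits), an engine count on the fifth line, then one
DLL-name / number pair per engine.
"""
import shutil
from pathlib import Path

TARGET_ENGINE = "dec2exe.dll"  # the vulnerable UPX decomposer engine

# Constructed sample in the article's layout, not a dump of a real install.
SAMPLE_CFG = """C:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus
1000000
16384
500000
3
Dec2ID.dll
10
Dec2EXE.dll
5
Dec2ZIP.dll
24
"""


def parse_dec3(text):
    """Split Dec3.cfg into (header_lines, count, [(dll, number), ...]).

    Raises ValueError when the count on line 5 does not match the number of
    DLL entries that follow (the check step 3 of the manual procedure asks
    for), so a malformed file is never rewritten.
    """
    lines = text.splitlines()
    if len(lines) < 5:
        raise ValueError("Dec3.cfg too short: expected at least five lines")
    header = lines[:4]
    count = int(lines[4].strip())
    body = [ln.strip() for ln in lines[5:] if ln.strip()]
    if len(body) != 2 * count:
        raise ValueError(
            f"engine count {count} does not match {len(body) // 2} DLL entries")
    engines = []
    for dll, number in zip(body[0::2], body[1::2]):
        if not dll.lower().endswith(".dll") or not number.isdigit():
            raise ValueError(f"malformed entry: {dll!r} / {number!r}")
        engines.append((dll, int(number)))
    return header, count, engines


def dec2exe_enabled(text):
    """True if Dec2EXE.dll is still listed, i.e. still loaded by the scanner."""
    _, _, engines = parse_dec3(text)
    return any(dll.lower() == TARGET_ENGINE for dll, _ in engines)


def disable_dec2exe(text):
    """Return the config with the Dec2EXE.dll pair removed and the count decremented."""
    header, _, engines = parse_dec3(text)
    kept = [(dll, n) for dll, n in engines if dll.lower() != TARGET_ENGINE]
    if len(kept) == len(engines):
        return text  # already mitigated; leave the file untouched
    out = header + [str(len(kept))]
    for dll, n in kept:
        out += [dll, str(n)]
    return "\n".join(out) + "\n"


def patch_file(path):
    """Mirror the tool's sequence: back up to Dec3.xxx, write, verify, drop backup."""
    path = Path(path)
    backup = path.with_suffix(".xxx")
    original = path.read_text()
    updated = disable_dec2exe(original)
    if updated == original:
        return False
    shutil.copy2(path, backup)
    path.write_text(updated)
    parse_dec3(path.read_text())  # re-validate before discarding the backup
    backup.unlink()
    return True  # caller still has to restart the Symantec AntiVirus service


if __name__ == "__main__":
    print("Dec2EXE.dll enabled:", dec2exe_enabled(SAMPLE_CFG))
    print(disable_dec2exe(SAMPLE_CFG), end="")
```

dec2exe_enabled() doubles as an audit check: run it over the Dec3.cfg of each installation and any True result is a host where the vulnerable engine is still loaded. As with the tool, the scanner only picks up the change after the Symantec AntiVirus service is restarted.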


Example:
The following is an example of the contents of the Dec3.cfg file before and after the alteration. The lines that change are the engine count on the fifth line (16 becomes 15) and the Dec2EXE.dll line together with the number that follows it (5), both of which are removed.

Before alteration:

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus
1000000
16384
500000
16
Dec2ID.dll
10
Dec2UUE.dll
23
Dec2AMG.dll
1
Dec2ARJ.dll
3
Dec2CAB.dll
4
Dec2EXE.dll
5
Dec2GZIP.dll
7
Dec2HQX.dll
8
Dec2LHA.dll
12
Dec2LZ.dll
14
Dec2MIME.dll
15
Dec2SS.dll
18
Dec2RTF.dll
20
Dec2TAR.dll
21
Dec2TNEF.dll
22
Dec2ZIP.dll
24

After alteration:

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus
1000000
16384
500000
15
Dec2ID.dll
10
Dec2UUE.dll
23
Dec2AMG.dll
1
Dec2ARJ.dll
3
Dec2CAB.dll
4
Dec2GZIP.dll
7
Dec2HQX.dll
8
Dec2LHA.dll
12
Dec2LZ.dll
14
Dec2MIME.dll
15
Dec2SS.dll
18
Dec2RTF.dll
20
Dec2TAR.dll
21
Dec2TNEF.dll
22
Dec2ZIP.dll
24







Legacy ID: 2005020911112648
