Symantec Endpoint Protection vulnerable and no user interaction required!

Symantec's hugely popular antivirus platform Symantec Endpoint Protection (SEP) along with it's consumer version Norton have been exposed as vulnerable to a number of memory access violations, memory corruptions and buffer overflows - all without the need for any user interaction.

Tavis Ormandy of Google's Project Zero team has published on his blog a number of glaring security flaws with the antivirus suite.

A malformed PE header allows compromise of a kernel component of the Symantec Anti-Virus engine which in turn facilitates a denial of service, through a memory access violation and a system crash or the execution of arbitary code.

Due to the nature of Symantec's I/O filter operations being set to intercept any communication meant that simply sending the link or file was enough to engage interaction of the software and intiating the exploit.

As with many AV and security vendor products, Symantec's emulation functions isn't run in the recommended sandbox enviroment. Instead the vendor's unpackers are ran directly in the kernel, adding highest priviledge escalation to the extents of the exploit resulting in an accumulation of vulnerabilities to produce the perfect storm.

The remote code was found to run as SYSTEM on Microsoft based products and root on all other implementations.

Further buffer overflows were exploited by the researcher in Microsoft Power Point where the cache - which often contains the necessary data for a request, was forced into a misaligned state which in turn resulted in another successful exploit.

Symantec's Bloodhound Heuristics components were also found to be vulnerable in the research, specifically whilst configured with default settings.

After testing it appeared that default settings of Bloodhound were succeptible even when set to 'Aggressive' with memory manipluation achieveable without having to perform any memory leaking.

Symantec have responded quickly to the threat in mitigating with LiveRevision update 20160628.037