[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SEP(Symantec) Bug

Hey Jon,

I am sorry about the space after the "~", That was a typo.

Its been tested it on all the versions prior to MR4MP1 since the RTM(11.0.776)

But what's interesting is that the process isn't crashing. But a possible arbitrary execution of code.

I will do some more research into it to come up with an exploit with it.

Thank you.

Regards, Sandeep

From: "Jon Kloske" <jon@xxxxxxxxx>
Sent: Friday, February 13, 2009 9:11 AM
To: "Sandeep Cheema" <51l3n7@xxxxxxx>
Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: SEP(Symantec) Bug

Hi Sandeep,

Are you saying this is supposed to affect 11.0.4000.x? If so, what
sub-sub-minor versions did you test it on?

I just tested this on 11.0.4000.2295 (on a managed client) and all it
did was crash the smc.exe process started by the command you supplied,
not smcgui.exe process. I tested as an administrator and an unprivileged
user and got the same results - smc.exe crashes, but not the smcgui.exe

It would be interesting if you could provide more information, since if
this is actually doing what you say it's doing it would be a horrifying
attack vector for worms and viruses.

As an aside, I noticed that if I run "smc.exe -p" it crashes too, with
or without the tilde ("~") on the end. If I run "smc -p" (omit the .exe)
it doesn't crash, but "smc -p ~" crashes. (qualifying note: in all these
cases this is just the smc.exe process that was started by the command
that crashed, not the smcgui.exe process.) And yes, I tried adding the
space after the tilde as you originally quoted in the email :)


ps: A list of smc.exe command line parameters is available here:

Jon Kloske [ITIG]
Systems Programming Manager
jon@xxxxxxxxx :: x54193 :: 78-516B
Faculty of EAIT, UQ :: CRICOS No. 00025B

-----Original Message-----
From: Sandeep Cheema [mailto:51l3n7@xxxxxxx]
Sent: Friday, 13 February 2009 12:16 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SEP(Symantec) Bug


There is a bug with the "Symantec Endpoint Protection"( Tested on all
versions till 11.0.4000)

When you execute the following command "smc.exe -p ~ " the smcgui.exe
crashes. You don't need admin privilege for this.

Regards, Sandeep