### SUMMARY

A denial of service vulnerability exists in the Portable Executable file scanning functionality of Symantec Norton Security. A specially crafted PE file can cause an access violation in the IDSvix86 kernel driver, resulting in denial of service. An attacker can trigger this vulnerability, for example, by emailing the forged file to the victim.

### TESTED VERSIONS

Symantec Corporation Norton Security 22.6.0.142, IDSvix86 driver version 15.1.0.1263

### PRODUCT URLS

http://norton.com

### CVSSv3 SCORE

7.5 – CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:H

### DETAILS

This vulnerability occurs when Norton tries to parse a specially crafted Portable Executable file.

The faulting code is located in the IDSvix86 driver:

```
caller:
.text:00047965 push edi                          ; Section Raw Data
.text:00047966 lea ecx, [ebp+arg0_StackBuff]
.text:00047969 push ecx                          ; StackBuff
.text:0004796A call BugProc

BugProc:
.text:00058DC2 push ebp
.text:00058DC3 mov ebp, esp
.text:00058DC5 push ebx
.text:00058DC6 push esi
.text:00058DC7 mov esi, [ebp+arg0_StackBuff]
.text:00058DCA mov ecx, [esi+10h]                ; ecx=0
.text:00058DCD mov eax, ecx
.text:00058DCF push edi
.text:00058DD0 mov edi, [ebp+SectionRawSize]     ; edi=raw size
...
.text:00058E26 loop_until_all_data:              ; CODE XREF: BugProc+7Dj
.text:00058E26 mov edx, [ebp+arg4_SectionRawData]
.text:00058E29 lea eax, [edx+ebx-3Fh]
.text:00058E2D push eax                          ; read buff (raw section data + offset)
.text:00058E2E push esi                          ; store buff (stack)
.text:00058E2F call MD5Compress
.text:00058E34 add [ebp+arg0_StackBuff], 40h
.text:00058E38 add ebx, 40h
.text:00058E3B cmp ebx, edi
.text:00058E3D jb short loop_until_all_data      ; until raw size
```

The loop at 0x00058E26 executes while the counter ebx is less than the section's raw size (comparison at 0x00058E3B), a value the attacker controls freely.
If the SectionRawData parameter is big enough, it causes the MD5Compress function to access memory that is currently unavailable, crashing the machine.

### CRASH INFORMATION

```
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: a5fa9003, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 8cd55713, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

READ_ADDRESS:  a5fa9003 Paged pool

FAULTING_IP:
IDSvix86+48713
8cd55713 0fb67001        movzx   esi,byte ptr [eax+1]

MM_INTERNAL_CODE:  0

IMAGE_NAME:  IDSvix86.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5723ac68

MODULE_NAME: IDSvix86

FAULTING_MODULE: 8cd0d000 IDSvix86

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  2

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

TRAP_FRAME:  922ab500 -- (.trap 0xffffffff922ab500)
ErrCode = 00000000
eax=a5fa9002 ebx=00000000 ecx=922ab590 edx=0000000c esi=00000000 edi=922ab60c
eip=8cd55713 esp=922ab574 ebp=922ab5c4 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
IDSvix86+0x48713:
8cd55713 0fb67001        movzx   esi,byte ptr [eax+1]       ds:0023:a5fa9003=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from 8291c083 to 828b8110

STACK_TEXT:
922ab04c 8291c083 00000003 43e8c867 00000065 nt!RtlpBreakWithStatusInstruction
922ab09c 8291cb81 00000003 845d1d48 0000598a nt!KiBugCheckDebugBreak+0x1c
922ab460 828cb41b 00000050 a5fa9003 00000000 nt!KeBugCheck2+0x68b
922ab4e8 8287e3d8 00000000 a5fa9003 00000000 nt!MmAccessFault+0x106
922ab4e8 8cd55713 00000000 a5fa9003 00000000 nt!KiTrap0E+0xdc
WARNING: Stack unwind information not available. Following frames may be wrong.
922ab5c4 8cd55e34 922ab60c a5fa8ff0 a5f963f0 IDSvix86+0x48713
922ab5e0 8cd4496f 00012c00 a5f963f0 ffffffff IDSvix86+0x48e34
922ab668 8cd455e1 922ab6c0 88394008 922ab694 IDSvix86+0x3796f
922ab678 8cd458f9 922ab6c0 88e61250 00000000 IDSvix86+0x385e1
922ab694 8cd25737 922ab6c0 88e59538 88e61198 IDSvix86+0x388f9
922ab6d4 8752579c a3a065a8 40000002 00000002 IDSvix86+0x18737
922ab728 8752980f a3a065a8 88e61198 a30e7f58 SYMEFASI+0x11179c
922ab75c 87528e79 88e61198 922ab7a4 a3a71008 SYMEFASI+0x11580f
922ab774 9c8a7cd4 00000002 922ab798 00000002 SYMEFASI+0x114e79
922ab7b0 9c8aa3f9 828ffb87 a3a7100c a3a71008 SRTSP+0x95cd4
922ab7f8 9c8aa6c8 a3a71008 9658fbd0 0b0899ec SRTSP+0x983f9
922ab818 9c865e49 922ac000 0b0899ec 828746e1 SRTSP+0x986c8
922ab834 9c8660c5 922ab88c 9658fbd0 62ca0002 SRTSP+0x53e49
922ab854 9c83ed44 847db748 847db800 847db7a8 SRTSP+0x540c5
922ab868 86e93324 847db7a8 9658fbd0 00000000 SRTSP+0x2cd44
922ab8d0 86e96512 007db748 847db748 1000000c fltmgr!FltpPerformPostCallbacks+0x24a
922ab8e4 86e96b46 847db748 8478c618 922ab924 fltmgr!FltpProcessIoCompletion+0x10
922ab8f4 86e9729c 856127a8 8478c618 847db748 fltmgr!FltpPassThroughCompletion+0x98
922ab924 86eaa8c9 922ab944 00000000 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x33a
922ab970 82874593 856127a8 8562e008 8453ef24 fltmgr!FltpCreate+0x2db
922ab988 82a842a9 43e8c29b 922abb30 00000000 nt!IofCallDriver+0x63
922aba60 82a63ac5 855d6e20 853aed20 84734498 nt!IopParseDevice+0xed7
922abadc 82a73ed6 00000000 922abb30 00000040 nt!ObpLookupObjectName+0x4fa
922abb38 82a6a9b4 010eedd4 843aed20 00000001 nt!ObOpenObjectByName+0x165
922abbb4 82a8e218 010eee30 80100080 010eedd4 nt!IopCreateFile+0x673
922abc00 8287b1ea 010eee30 80100080 010eedd4 nt!NtCreateFile+0x34
922abc00 77a370b4 010eee30 80100080 010eedd4 nt!KiFastCallEntry+0x12a
010eed90 77a355d4 75dcaa21 010eee30 80100080 ntdll!KiFastSystemCallRet
010eed94 75dcaa21 010eee30 80100080 010eedd4 ntdll!NtCreateFile+0xc
010eee38 75dcca9c 00000060 80100080 00000005 KERNELBASE!CreateFileW+0x35e
010eefb4 75dcbb5d 010eefe0 010eefd8 00000020 KERNELBASE!BasepLoadLibraryAsDataFileInternal+0x280
010eefec 75a488c4 01a9d270 00000000 00000001 KERNELBASE!LoadLibraryExW+0xf6
010ef030 75a4888b 00000001 01a9d270 00008001 apphelp!GetFileVersionInfoSizeExW+0x30
010ef044 75a487d2 01a9d270 010ef068 2137837f apphelp!GetFileVersionInfoSizeW+0x12
010ef094 75a455d5 02a123c0 01a9d080 01a9d140 apphelp!SdbpGetVersionAttributes+0xdd
010ef0a8 75a4556c 02a123c0 01a9d080 00006014 apphelp!SdbpGetAttribute+0xa9
010ef0dc 75a45476 02a123c0 01a9d080 00006014 apphelp!SdbpCheckAttribute+0xaf
010ef10c 75a4538f 02a123c0 01af4b98 000331e6 apphelp!SdbpCheckAllAttributes+0xa1
010ef3bc 75a45064 02a123c0 01af4b98 00033198 apphelp!SdbpCheckForMatch+0x560
010ef3f4 75a457a0 02a123c0 00000000 00033198 apphelp!SdbpCheckExe+0x1c1
010ef470 75a44cc8 02a123c0 01af4b98 00007007 apphelp!SdbpSearchDB+0xa2
010ef7b0 75a42f2d 02a123c0 00153080 00000000 apphelp!SdbGetMatchingExeEx+0x3ee
010efa54 75a431ca 000001bc 00000000 00000000 apphelp!InternalCheckRunApp+0x2eb
010efab8 730113b7 000001bc 00000000 00000000 apphelp!ApphelpCheckRunAppEx+0xed
010efb7c 7301150f 01100808 01b09058 010efbb0 aelupsvc!AelpProcessCacheExeMessage+0x20d
010efb8c 77a02661 010efbec 011008c0 01b09058 aelupsvc!AelTppWorkCallback+0x19
010efbb0 77a20842 010efbec 01b090b8 76a2c554 ntdll!TppWorkpExecuteCallback+0x10f
010efd10 76773c45 01b0c500 010efd5c 77a537f5 ntdll!TppWorkerThread+0x572
010efd1c 77a537f5 01b0c500 76a2c518 00000000 kernel32!BaseThreadInitThunk+0xe
010efd5c 77a537c8 77a203e7 01b0c500 00000000 ntdll!__RtlUserThreadStart+0x70
010efd74 00000000 77a203e7 01b0c500 00000000 ntdll!_RtlUserThreadStart+0x1b

STACK_COMMAND:  kb

FOLLOWUP_IP:
IDSvix86+48713
8cd55713 0fb67001        movzx   esi,byte ptr [eax+1]

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  IDSvix86+48713

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  0x50_IDSvix86+48713

BUCKET_ID:  0x50_IDSvix86+48713

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x50_idsvix86+48713

FAILURE_ID_HASH:  {3bd6bb7f-4849-a2c5-fcf6-1882fde5c02c}

Followup: MachineOwner
---------
```

### TIMELINE

* 2016-05-31 – Vendor Notification
* 2016-07-07 – Patch Released
* 2016-07-07 – Public Disclosure
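A bounded version of the section walk described under DETAILS, added here as an example and not code from the advisory or from Symantec's driver: it clamps a section's SizeOfRawData to the bytes the file actually holds before stepping through the section in 64-byte blocks, so an oversized header field cannot drive the loop past the end of the buffer. The sample buffer layout, the XOR stand-in for MD5Compress and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* IMAGE_SECTION_HEADER is 40 bytes; these two fields bound the raw data. */
#define OFF_SIZE_OF_RAW_DATA    16
#define OFF_POINTER_TO_RAW_DATA 20

static uint32_t rd32(const uint8_t *p) {   /* little-endian DWORD */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Clamp a section's raw range to what the file really contains.
 * Returns the readable length, 0 if PointerToRawData is already past EOF. */
size_t safe_raw_len(size_t file_len, uint32_t ptr_raw, uint32_t size_raw) {
    if (ptr_raw >= file_len) return 0;
    size_t avail = file_len - ptr_raw;
    return size_raw < avail ? (size_t)size_raw : avail;
}

/* Consume the section in 64-byte blocks (the granularity of the MD5 loop in the
 * advisory) over the clamped length only; the last partial block is zero-padded in
 * a local copy, so no read ever passes file_len. Returns the number of blocks. */
size_t hash_section_blocks(const uint8_t *file, size_t file_len,
                           uint32_t ptr_raw, uint32_t size_raw, uint8_t state[16]) {
    size_t len = safe_raw_len(file_len, ptr_raw, size_raw), blocks = 0;
    for (size_t off = 0; off < len; off += 64, blocks++) {
        uint8_t block[64] = {0};
        size_t n = (len - off < 64) ? len - off : 64;
        memcpy(block, file + ptr_raw + off, n);
        for (size_t i = 0; i < 64; i++) state[i % 16] ^= block[i]; /* stand-in for MD5Compress */
    }
    return blocks;
}

/* Constructed sample: a 0x180-byte "file" (not a full PE) with one section header at
 * offset 0x40 whose SizeOfRawData claims 0x7fffffff bytes starting at offset 0x100. */
size_t demo_oversized_section(void) {
    uint8_t file[0x180] = {0};
    uint8_t *hdr = file + 0x40;
    hdr[OFF_SIZE_OF_RAW_DATA] = 0xff; hdr[OFF_SIZE_OF_RAW_DATA + 1] = 0xff;
    hdr[OFF_SIZE_OF_RAW_DATA + 2] = 0xff; hdr[OFF_SIZE_OF_RAW_DATA + 3] = 0x7f;
    hdr[OFF_POINTER_TO_RAW_DATA + 1] = 0x01;   /* PointerToRawData = 0x00000100 */
    uint8_t state[16] = {0};
    uint32_t size_raw = rd32(hdr + OFF_SIZE_OF_RAW_DATA);
    uint32_t ptr_raw  = rd32(hdr + OFF_POINTER_TO_RAW_DATA);
    /* Trusting size_raw would mean ~0x2000000 iterations; clamped, only 0x80 bytes = 2 blocks. */
    return hash_section_blocks(file, sizeof file, ptr_raw, size_raw, state);
}
```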