Symantec cliproxy ActiveX Control BO (Feb 26, 2010)


Symantec Antivirus and Symantec Client Security are applications designed to protect against viruses, malware, and other intrusion attempts. These applications use the Microsoft Windows COM framework to implement some of their functionality. This is done with ActiveX controls contained in the dynamic-link library Cliproxy.dll. The library provides the ActiveX control cliproxy.objects, which has the CLSID E381F1C0-910E-11D1-AB1E-00A0C90F8F6F.
This control can be instantiated like any other ActiveX control, with HTML or script code in a web page. Because the control is proprietary and undocumented, the details of its methods and properties are not known. One method exposed by the control is SetRemoteComputerName. The method is defined as follows:

void SetRemoteComputerName(BSTR computer)

A vulnerability exists in the cliproxy.objects ActiveX control shipped with the Symantec Antivirus and Symantec Client Security applications. The flaw is caused by an improperly implemented boundary check in the SetRemoteComputerName method. When an overly long argument is passed to the affected method, a heap buffer may be overrun with user-supplied data, corrupting critical memory. A skilled attacker may exploit the flaw to inject and execute arbitrary code. The ActiveX control is marked safe for scripting on default installations, which opens up remote exploitation opportunities. The vulnerability has been assigned the ID CVE-2010-0108 by MITRE.

SonicWALL has released a generic IPS signature addressing this vulnerability. The following signature was released:

  • 3190 – Symantec CLIproxy.dll ActiveX SetRemoteComputerName Invocation

In addition to this targeted IPS signature, SonicWALL has numerous generic signatures that proactively catch attempts to exploit this vulnerability, as well as other web client exploitation attempts.
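The kind of content check an invocation signature implies, written as an added example; it is not SonicWALL's signature logic and not code from the original page. The function name `scan`, the result fields and the three sample bodies are constructed for illustration; only the CLSID, the control name and the method name come from the advisory.

```python
import re

# Identifiers taken from the advisory text.
CLSID = "E381F1C0-910E-11D1-AB1E-00A0C90F8F6F"
PROGID = "cliproxy.objects"
METHOD = "SetRemoteComputerName"

# <object classid="clsid:..."> form; braces and letter case vary between pages.
CLSID_RE = re.compile(r"clsid\s*:\s*\{?" + re.escape(CLSID) + r"\}?", re.I)
# Script form: the control name passed as a quoted string to an object factory.
PROGID_RE = re.compile(r"[\"']" + re.escape(PROGID) + r"[\"']", re.I)
# Method call, with or without parentheses (VBScript allows both);
# captures a quoted literal argument when one is present.
CALL_RE = re.compile(
    r"\." + METHOD + r"\b\s*\(?\s*(?:([\"'])(.*?)\1)?", re.I | re.S
)


def scan(content: str) -> dict:
    """Summarise one HTTP response body (hypothetical helper)."""
    control = bool(CLSID_RE.search(content) or PROGID_RE.search(content))
    calls = list(CALL_RE.finditer(content))
    literal_lengths = [len(m.group(2)) for m in calls if m.group(1)]
    return {
        "control_referenced": control,
        "method_invoked": bool(calls),
        # Alert only when the body both loads the control and calls the method.
        "alert": control and bool(calls),
        # Triage hint only: arguments built at run time are not literals.
        "max_literal_arg_len": max(literal_lengths, default=0),
    }


# Constructed sample bodies (not captured traffic).
SAMPLE_OBJECT = (
    '<object classid="CLSID:{e381f1c0-910e-11d1-ab1e-00a0c90f8f6f}" id="c">'
    '</object><script>c.SetRemoteComputerName("HOST01");</script>'
)
SAMPLE_SCRIPT = (
    "var c = new ActiveXObject('cliproxy.objects');"
    " var n = readName(); c.SetRemoteComputerName(n);"
)
SAMPLE_BENIGN = "<p>Text mentioning SetRemoteComputerName only in prose.</p>"

if __name__ == "__main__":
    for body in (SAMPLE_OBJECT, SAMPLE_SCRIPT, SAMPLE_BENIGN):
        print(scan(body))
```

The check matches on invocation rather than on argument length, so it also fires on legitimate use of the control; the literal length is reported only to help an analyst prioritise.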
