Symantec cliproxy ActiveX Control BO

February 26, 2010

Symantec Antivirus and Symantec Client Security are applications designed to protect against the threat of viruses, malware, and other intrusion attempts. These applications use the Microsoft Windows COM framework to implement some of their functionality. This is done with ActiveX controls contained in the dynamic-link library Cliproxy.dll. The library provides the ActiveX control cliproxy.objects, which has the CLSID E381F1C0-910E-11D1-AB1E-00A0C90F8F6F.
This control can be instantiated like any other ActiveX control, with HTML or script code in a web page. Because the control is proprietary and undocumented, the details of its methods and properties are not known. One method the control exposes is SetRemoteComputerName, which is defined as follows:

void SetRemoteComputerName(BSTR computer)

A vulnerability exists in the cliproxy.objects ActiveX control shipped in the Symantec Antivirus and Symantec Client Security applications. The flaw is caused by an improperly implemented boundary check in the SetRemoteComputerName method. When an overly long argument is passed to the affected method, a heap buffer may be overrun with user-supplied data, corrupting critical memory. A skilled attacker may exploit the flaw to inject and execute arbitrary code. The ActiveX control is marked safe for scripting on default installations, which opens up remote exploitation opportunities. The vulnerability has been assigned the id CVE-2010-0108 by Mitre. SonicWALL has released a generic IPS signature addressing this vulnerability. The following signature was released:

  • 3190 - Symantec CLIproxy.dll ActiveX SetRemoteComputerName Invocation

In addition to this targeted IPS signature, SonicWALL has numerous generic signatures that proactively catch exploit attempts against this vulnerability and other web client exploitation attempts.
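As an added illustration, not part of the original SonicWALL alert or of Symantec's code, the following Python detector applies the same idea as the signature above to sample page bodies: it flags any page that references the cliproxy.objects control (by CLSID or by name) and invokes SetRemoteComputerName, and additionally reports the length of a literal string argument. The 256-byte threshold, the placeholder CLSID in the benign sample and the sample pages themselves are constructed assumptions; the advisory gives no exact overflow size.

```python
import re

# CLSID and control name are taken from the advisory; everything else is constructed.
CLIPROXY_CLSID = "E381F1C0-910E-11D1-AB1E-00A0C90F8F6F"
CLIPROXY_NAME = "cliproxy.objects"
LONG_ARG_THRESHOLD = 256  # assumed heuristic; the advisory states no exact size

# <object classid="clsid:{...}"> with or without braces, case-insensitive
_CLSID_RE = re.compile(r"clsid:\{?" + re.escape(CLIPROXY_CLSID) + r"\}?", re.I)
# new ActiveXObject("cliproxy.objects") from script
_PROGID_RE = re.compile(
    r"ActiveXObject\s*\(\s*['\"]" + re.escape(CLIPROXY_NAME) + r"['\"]", re.I)
# SetRemoteComputerName( "literal" ) -- the literal is optional so that a call
# passing a variable is still counted as an invocation
_CALL_RE = re.compile(
    r"SetRemoteComputerName\s*\(\s*(?:(['\"])(.*?)\1)?", re.I | re.S)


def inspect_page(body: str) -> dict:
    """Return a verdict for one web page body (HTML plus inline script)."""
    instantiated = bool(_CLSID_RE.search(body) or _PROGID_RE.search(body))
    calls = _CALL_RE.findall(body)               # list of (quote, literal) tuples
    literal_lengths = [len(arg) for quote, arg in calls if quote]
    longest = max(literal_lengths, default=0)
    return {
        "instantiates_cliproxy": instantiated,
        "invokes_method": bool(calls),
        "max_literal_arg": longest,
        # mirrors the 'Invocation' signature: control referenced AND method called
        "alert": instantiated and bool(calls),
        "long_argument": longest >= LONG_ARG_THRESHOLD,
    }


# Constructed sample pages (not real captures).
BENIGN = '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>'
INVOKE = ('<object classid="clsid:{E381F1C0-910E-11D1-AB1E-00A0C90F8F6F}" '
          'id="cp"></object><script>cp.SetRemoteComputerName("server01");</script>')
LONG = ('<script>var o = new ActiveXObject("cliproxy.objects");'
        'o.SetRemoteComputerName("' + "A" * 1024 + '");</script>')

if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("invoke", INVOKE), ("long", LONG)):
        print(name, inspect_page(page))
```

The detector is string-based and therefore only sees instantiation and invocation forms that appear literally in the page; obfuscated script would need a script-aware scanner.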