[Reversemode Advisory] Symantec Antivirus Engine Privilege Escalation

2006-10-07T00:00:00
ID SECURITYVULNS:DOC:14574
Type securityvulns
Reporter Securityvulns
Modified 2006-10-07T00:00:00

Description

Symantec Antivirus Engine is prone to a local privilege escalation vulnerability.

Two Device Drivers are affected: NAVEX15.sys, NAVENG.sys.

NAVEX15.sys

LOW CONSTANT VALUE

PAGE:0004B611 sub edx, 222AD3h PAGE:0004B617 push esi PAGE:0004B618 jz short loc_4B63C

loc_4B63C: mov edx, [ecx+3Ch] PAGE:0004B63F test edx, edx PAGE:0004B641 jz short loc_4B653 PAGE:0004B643 push 4 PAGE:0004B645 pop esi PAGE:0004B646 cmp [eax+4], esi PAGE:0004B649 jnz short loc_4B653 PAGE:0004B64B mov dword ptr [edx], 200h // No check

EDX= controlled.

HIGH CONSTANT VALUE

PAGE:0004B61A push 4 PAGE:0004B61C pop esi PAGE:0004B61D sub edx, esi PAGE:0004B61F jnz short loc_4B653 PAGE:0004B621 mov edx, [ecx+3Ch] PAGE:0004B624 test edx, edx PAGE:0004B626 jz short loc_4B653 PAGE:0004B628 cmp [eax+4], esi PAGE:0004B62B jnz short loc_4B653 PAGE:0004B62D mov dword ptr [edx], offset sub_4B71B //No Check

EDX= controlled.

Attack vectors: Symantec and Norton-antivirus products for Microsoft Platforms.

Exploits: I have decided to release public exploit code for these flaws, in order to show that every kernel memory overwritting can be exploited, even if we are not controlling the values.

Six exploits, based on these flaws, are available for download at www.reversemode.com

References: http://securityresponse.symantec.com/avcenter/security/Content/2006.10.05a.html http://www.idefense.com/intelligence/vulnerabilities/display.php?id=417

Regards, Ruben Santamarta.


www.reversemode.com