
[Reversemode Advisory] Symantec Antivirus Engine Privilege Escalation




Symantec Antivirus Engine is prone to a local privilege escalation
vulnerability: kernel-mode code stores a fixed value through a pointer
taken from caller-supplied data without validating where that pointer
points.

Two device drivers are affected: NAVEX15.sys and NAVENG.sys.

NAVEX15.sys

#LOW CONSTANT VALUE

PAGE:0004B611                 sub     edx, 222AD3h
PAGE:0004B617                 push    esi
PAGE:0004B618                 jz      short loc_4B63C

PAGE:0004B63C loc_4B63C:
PAGE:0004B63C                 mov     edx, [ecx+3Ch]        // destination pointer, from caller data
PAGE:0004B63F                 test    edx, edx
PAGE:0004B641                 jz      short loc_4B653       // only NULL is rejected
PAGE:0004B643                 push    4
PAGE:0004B645                 pop     esi
PAGE:0004B646                 cmp     [eax+4], esi
PAGE:0004B649                 jnz     short loc_4B653
PAGE:0004B64B                 mov     dword ptr [edx], 200h // No check

EDX = controlled. The destination pointer is loaded from [ecx+3Ch], the
only test applied to it is for NULL, and the constant 0x200 is then
stored through it in kernel mode.

#HIGH CONSTANT VALUE

PAGE:0004B61A                 push    4
PAGE:0004B61C                 pop     esi
PAGE:0004B61D                 sub     edx, esi
PAGE:0004B61F                 jnz     short loc_4B653
PAGE:0004B621                 mov     edx, [ecx+3Ch]        // destination pointer, from caller data
PAGE:0004B624                 test    edx, edx
PAGE:0004B626                 jz      short loc_4B653       // only NULL is rejected
PAGE:0004B628                 cmp     [eax+4], esi
PAGE:0004B62B                 jnz     short loc_4B653
PAGE:0004B62D                 mov     dword ptr [edx], offset sub_4B71B // No check

EDX = controlled. Same pattern as above; here the value stored through
the caller-controlled pointer is the kernel address of sub_4B71B.
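The following is an added example, not code from the advisory, from Symantec or from Reversemode: a user-mode C model of the pattern both listings show, a fixed value stored through a pointer read from caller data with nothing but a NULL test applied to it, placed beside a hardened handler that probes the pointer first. The offsets 0x3C and +4, the discriminator value 4 and the constants (0x200, the address of sub_4B71B) follow the disassembly; the request layout, the two simulated memory regions, the ProbeForWrite model and every function name are assumptions made for the example. The `fixed_value` parameter lets one handler stand for both the low and the high constant path.

```c
/*
 * Added example (not the advisory's, Symantec's or Reversemode's code):
 * user-mode model of a kernel store through a caller-controlled pointer.
 * Offsets 0x3C / +4, the discriminator 4 and the stored constants follow
 * the NAVEX15.sys listing; struct layout, simulated memory, the probe
 * model and all names are assumptions.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define USER_BASE    0x00010000u
#define USER_LIMIT   0x7FFF0000u   /* MmUserProbeAddress on 32-bit Windows (assumed default split) */
#define KERNEL_BASE  0x80000000u
#define REGION_SIZE  0x100u

/* Simulated memory: one small region in the user half, one in the kernel half. */
static uint8_t user_mem[REGION_SIZE];
static uint8_t kernel_mem[REGION_SIZE];

/* Backing storage for a 4-byte access at simulated address va, or NULL. */
static uint8_t *translate(uint32_t va)
{
    if (va >= USER_BASE && va - USER_BASE <= REGION_SIZE - 4)
        return user_mem + (va - USER_BASE);
    if (va >= KERNEL_BASE && va - KERNEL_BASE <= REGION_SIZE - 4)
        return kernel_mem + (va - KERNEL_BASE);
    return NULL;
}

/* The driver's own store: kernel code runs with full privilege, so it
 * succeeds for any mapped address, user or kernel. Returns 1 on success. */
static int kernel_write32(uint32_t va, uint32_t value)
{
    uint8_t *p = translate(va);
    if (p == NULL)
        return 0;
    memcpy(p, &value, sizeof value);
    return 1;
}

uint32_t read32(uint32_t va)
{
    uint32_t v = 0;
    uint8_t *p = translate(va);
    if (p != NULL)
        memcpy(&v, p, sizeof v);
    return v;
}

/* Assumed layout of the caller-controlled request: the discriminator the
 * listing compares at [eax+4] and the pointer it loads from [ecx+3Ch]. */
struct request {
    uint32_t reserved;
    uint32_t type;                 /* [eax+4]: must equal 4 to reach the store */
    uint8_t  pad[0x3C - 8];
    uint32_t target;               /* [ecx+3Ch]: destination of the store */
};

/* Mirrors the listing. fixed_value stands for the constant the driver
 * writes (0x200 on the low path, the address of sub_4B71B on the high path).
 * Returns 0 when the store happened, -1 when the request was rejected. */
int handle_vulnerable(const struct request *r, uint32_t fixed_value)
{
    if (r->type != 4)              /* cmp [eax+4], esi ; jnz loc_4B653 */
        return -1;
    if (r->target == 0)            /* test edx, edx ; jz loc_4B653 */
        return -1;
    /* mov dword ptr [edx], ... : nothing checks that target is a user address */
    return kernel_write32(r->target, fixed_value) ? 0 : -1;
}

/* Model of ProbeForWrite(addr, len, align): reject misaligned pointers,
 * wrap-around, and any range that reaches the kernel half. The real routine
 * raises an exception (caught by __try/__except) instead of returning 0. */
static int probe_for_write(uint32_t addr, uint32_t len, uint32_t align)
{
    if (addr % align != 0)
        return 0;
    if (addr + len < addr)         /* wraps past 0xFFFFFFFF */
        return 0;
    if (addr + len > USER_LIMIT)   /* would touch kernel addresses */
        return 0;
    return 1;
}

/* Hardened handler: same dispatch logic, but the pointer is probed before
 * it is dereferenced. Returns -2 when the probe rejects it. */
int handle_hardened(const struct request *r, uint32_t fixed_value)
{
    if (r->type != 4 || r->target == 0)
        return -1;
    if (!probe_for_write(r->target, sizeof(uint32_t), sizeof(uint32_t)))
        return -2;
    return kernel_write32(r->target, fixed_value) ? 0 : -1;
}

int main(void)
{
    /* Constructed request naming a kernel address as the destination. */
    struct request evil = { .type = 4, .target = KERNEL_BASE + 0x10 };
    printf("vulnerable: rc=%d, kernel word now 0x%x\n",
           handle_vulnerable(&evil, 0x200), read32(KERNEL_BASE + 0x10));
    printf("hardened:   rc=%d\n", handle_hardened(&evil, 0x200));
    return 0;
}
```

The value written is never chosen by the caller, which is exactly the situation the advisory describes: the caller controls only where the kernel writes. Probing the pointer against the user/kernel boundary, as `handle_hardened` does, is the check the listing lacks; in a real driver the probe and the store both belong inside a `__try` block so that a pointer into unmapped user memory cannot crash the system either.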

Attack vectors:
Symantec and Norton antivirus products for Microsoft platforms.

Exploits:
I have decided to release public exploit code for these flaws, in order
to show that every kernel memory overwrite can be exploited, even if
we are not controlling the values.

Six exploits based on these flaws are available for download at
www.reversemode.com



References:
http://securityresponse.symantec.com/avcenter/security/Content/2006.10.05a.html
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=417


Regards,
Rubén Santamarta.

----
www.reversemode.com