[Reversemode Advisory] Symantec Antivirus Engine Privilege Escalation
Symantec Antivirus Engine is prone to a local privilege escalation
vulnerability.
Two Device Drivers are affected: NAVEX15.sys, NAVENG.sys.
NAVEX15.sys
#LOW CONSTANT VALUE
PAGE:0004B611 sub edx, 222AD3h
PAGE:0004B617 push esi
PAGE:0004B618 jz short loc_4B63C
loc_4B63C:
mov edx, [ecx+3Ch]
PAGE:0004B63F test edx, edx
PAGE:0004B641 jz short loc_4B653
PAGE:0004B643 push 4
PAGE:0004B645 pop esi
PAGE:0004B646 cmp [eax+4], esi
PAGE:0004B649 jnz short loc_4B653
PAGE:0004B64B mov dword ptr [edx], 200h // No check
EDX= controlled.
#HIGH CONSTANT VALUE
PAGE:0004B61A push 4
PAGE:0004B61C pop esi
PAGE:0004B61D sub edx, esi
PAGE:0004B61F jnz short loc_4B653
PAGE:0004B621 mov edx, [ecx+3Ch]
PAGE:0004B624 test edx, edx
PAGE:0004B626 jz short loc_4B653
PAGE:0004B628 cmp [eax+4], esi
PAGE:0004B62B jnz short loc_4B653
PAGE:0004B62D mov dword ptr [edx], offset
sub_4B71B //No Check
EDX= controlled.
Attack vectors:
Symantec and Norton-antivirus products for Microsoft Platforms.
Exploits:
I have decided to release public exploit code for these flaws, in order
to show that every kernel memory overwritting can be exploited, even if
we are not controlling the values.
Six exploits, based on these flaws, are available for download at
www.reversemode.com
References:
http://securityresponse.symantec.com/avcenter/security/Content/2006.10.05a.html
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=417
Regards,
Rubén Santamarta.
----
www.reversemode.com