> -----Original Message-----
> From:
> idlabs-advisories-bounces+vladimir.kazennov=billing.ru@xxxxxxx
> defense.com
> [mailto:idlabs-advisories-bounces+vladimir.kazennov=billing.ru
> @lists.idefense.com] On Behalf Of iDefense Labs Security Advisories
> Sent: Thursday, October 05, 2006 9:48 PM
> To: idlabs-advisories@xxxxxxxxxxxxxxxxxx
> Subject: iDefense Security Advisory 10.05.06: Symantec
> AntiVirus IOCTL KernelPrivilege Escalation Vulnerability
>
> Symantec AntiVirus IOCTL Kernel Privilege Escalation Vulnerability
>
> iDefense Security Advisory 10.05.06
>
> Oct 05, 2006
>
> I. BACKGROUND
>
> Symantec has a wide range of Anti-Virus and Internet Security products
> that are designed to protect users from viruses and other harmful
> software. More information can be found on the Symantec site at
>
>
> II. DESCRIPTION
>
> Local exploitation of a design error vulnerability in Symantec Corp.
> AntiVirus can allow an attacker to execute arbitrary code with kernel
> privileges.
>
> The vulnerability specifically exists due to improper address space
> validation when the NAVENG and NAVEX15 device drivers process IOCTL
> 0x222AD3, 0x222AD7, and 0x222ADB. An attacker can overwrite a user
> supplied address, including code segments, with a constant double word
> value by supplying a specially crafted Irp to the IOCTL handler
> function.
>
> III. ANALYSIS
>
> Successful exploitation allows an attacker to obtain elevated
> privileges
> by exploiting the kernel. This could allow the attacker to
> gain control
> of the affected system. However, local access is required for
> exploitation to be successful.
>
> Note that since the attacker can only overwrite with a
> constant double-
> word value, exploitation is not completely straight forward. However,
> this does not significantly impact the difficulty of
> exploitation since
> code segments can be overwritten within the kernel.
>
> iDefense has assigned a MEDIUM severity due to the
> requirement for local
> access and the ability to execute arbitrary code within the kernel.
>
> IV. DETECTION
>
> iDefense has confirmed the existence of this vulnerability within
> version 10 of Symantec Client Security as of this writing. Previous
> versions, as well as relating products, which contain the
> NAVENG.SYS and
> NAVEX15.SYS drivers are suspected to be vulnerable as well.
>
> V. WORKAROUND
>
> iDefense is currently unaware of any effective workaround for this
> issue.
>
> VI. VENDOR RESPONSE
>
> Symantec has released updated device drivers via LiveUpdate. More
> information regarding this issue can be found in Symantec's advisory,
> SYM06-020. You can find their advisory at the following link:
>
>
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has
> assigned the
> name CVE-2006-4927 to this issue. This is a candidate for inclusion in
> the CVE list (), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 09/19/2006 Initial vendor notification
> 09/19/2006 Initial vendor response
> 10/05/2006 Coordinated public disclosure
>
> IX. CREDIT
>
> This vulnerability was reported to iDefense by Rub?n Santamarta of
> reversemode.com.
>
> Get paid for vulnerability research
>
>
> Free tools, research and upcoming events
>
>
> X. LEGAL NOTICES
>
> Copyright ¿ 2006 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than
> electronically, please
> email customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available
> information. Use
> of the information constitutes acceptance for use in an AS IS
> condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any
> direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
>
>
> _______________________________________________
> To unsubscribe, go here:
>
>
