OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Sym Security (symsecurity_at_symantec.com)
Date: Fri Oct 25 2002 - 11:50:15 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -On Oct 24 2002 10:39 AM, 3APA3A <3APA3ASECURITY.NNOV.RU> posted:

    Dear Bugtraq,

      Product: Norton Antivirus Corporate Edition (Final 7.60.962)
      Vendor: Symantec
      Type: Local
      Risk: High (system privileges)
      Discovered: ERRor <errorpochtamt.ru> of Domain HELL Team

      Description:

      Norton Antivirus allows to run winhlp32 in context of local system.
    -----------------------------snip------------------------------------------------

    Symantec Security Response Advisory

    15 Oct 2002
    Symantec Norton AntiVirus Corporate Edition 7.x Help File Elevation of
    Privilege

    Risk Impact
    High for client systems

    Overview
    The Symantec Norton AntiVirus Corporate Edition client help function uses
    winhlp32, the Windows Help interface to provide help support to the client
    user. There is a vulnerability in the interface process that allow
    winhlp32 to assume privileges based on Norton AntiVirus Corporate Edition
    privileges rather those normally assigned to the winhlp32 interface. Since
    Norton AntiVirus Corporate Edition runs with SYSTEM privileges, the client
    user can manipulate the help function to access files on the local system
    with administrative privileges.

    Affected Components
    Symantec Norton AntiVirus Corporate Edition prior to 7.5.1 build 62
    Symantec Norton AntiVirus Corporate Edition prior to 7.6.1 build 35a

    * * *
    Details
    Symantec became aware of an issue with the functionality of the Symantec
    Norton AntiVirus Corporate Edition GUI help interface that allows a client
    user to gain privileged access to files or functionality on the local
    system. When a user accesses the user interface GUI on the Norton AntiVirus
    Corporate Edition client, e.g., when doing a scan, either manual or
    scheduled; reviewing history, during real-time protection alerts, etc.; the
    user can request help by way of the help button in the GUI toolbar. Norton
    AntiVirus Corporate Edition help functionality was implemented with an
    interface to winhlp32, the built-in operating system help function. This
    interface was made to provide the user with a common interface that the
    user understands, is use to, and is able to implement quickly and easily.

    However, there is a weakness in the way the interface was made that permits
    the winhlp32 functionality to assume permissions from Norton AntiVirus
    Corporate Edition, which by necessity runs with SYSTEM privileges, rather
    than retaining the limited user privileges normally assigned to the logged
    in user. By manipulating the winhlp32 interface the local user gains the
    ability to search all system files, assume full permission for all
    directories and files on the client system, or even add themselves to the
    administrative group on the local system.

    Symantec Response

    Symantec has verified that this vulnerability does exist in client
    applications of earlier versions of Symantec Norton AntiVirus Corporate
    Edition. This vulnerability has been eliminated in current versions of
    Symantec Norton AntiVirus Corporate Edition, version 7.5.1 Build 62 and
    later as well as version 7.6.1 Build 35a and later that are available for
    download.

    While this has potential to be a serious vulnerability, there are
    mitigating circumstances that greatly reduce the risk of intentional or
    inadvertent use of this weakness in Symantec Norton AntiVirus Corporate
    Edition.
    * The user must have a user account on the targeted system and be logged on
    interactively to exploit this weakness.
    * This weakness cannot be exploited remotely.
    * System privileges can only be gained on the local system, which normally
    limits the impact to the client user system.
    * Access to domain controllers / administrator systems would normally be
    restricted to trusted Administrators only with restricted access to the
    physical system.

    Symantec strongly recommends all users of Symantec Norton AntiVirus
    Corporate Edition upgrade to the latest version release to prevent
    potential misuse of this weakness. Please see immediately below for
    instructions on upgrading:

    Platinum customers
    New build downloads and product information are available on the Platinum
    Web site.
    Gold customers
    Information to download current builds (updates) will be provided only when
    the build is known to fix an issue that the customer is experiencing.
    Please have your customer ID and upgrade insurance information readily
    available when contacting technical support at the following number:
    1-800-927-4017. Software upgrades are available only through Upgrade
    Insurance shipments.
    Customers without Gold or Platinum support
    Please contact 1-800-927-4017 to determine if you qualify. You may still
    qualify for an update if verification can be made that the newer build will
    solve a problem on your computer.

    Credit
    Symantec takes the security and proper functionality of its products very
    seriously. Symantec appreciates the efforts of Harry Johnson, technical
    support group, Waikato University, New Zealand in identifying and providing
    technical details of this issue. Symantec further appreciates the efforts
    of ERRor <errorpochtamt.ru> of Domain HELL Team for additional
    identification of this issue.

    Anyone with information on security issues with Symantec products should
    contact symsecuritysymantec.com.The Sym Security PGP key can be downloaded
    from
    http://securityresponse.symantec.com/avcenter/security/publickey/SymSecurity.asc
    .

    Copyright (c) 2002 by Symantec Corp.
    Permission to redistribute this Advisory electronically is granted as long
    as it is not edited in any way unless authorized by Symantec Security
    Response. Reprinting the whole or part of this Advisory in a medium other
    than electronically requires permission from symsecuritysymantec.com.

    Disclaimer:
    The information in the advisory is believed to be accurate at the time of
    printing based on currently available information. Use of the information
    constitutes acceptance for use in an AS IS condition. There are no
    warranties with regard to this information. Neither the author nor the
    publisher accepts any liability for any direct, indirect or consequential
    loss or damage arising from use of, or reliance on this information.

    Symantec, Symantec Security Response, Symantec product names and Sym
    Security are Registered Trademarks of Symantec Corp. and/or affiliated
    companies in the United States and other countries. All other registered
    and unregistered trademarks represented in this document are the sole
    property of their respective companies/owners.