lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <452581BE.3020002@reversemode.com>
Date: Fri, 06 Oct 2006 00:05:50 +0200
From: Reversemode <advisories@...ersemode.com>
To: Securityfocus <bugtraq@...urityfocus.com>
Subject: [Reversemode Advisory] Symantec Antivirus Engine Privilege Escalation



Symantec Antivirus Engine is prone to a local privilege escalation
vulnerability.

Two Device Drivers are affected:  NAVEX15.sys, NAVENG.sys.

NAVEX15.sys

#LOW CONSTANT VALUE

PAGE:0004B611                 sub     edx, 222AD3h
PAGE:0004B617                 push    esi
PAGE:0004B618                 jz      short loc_4B63C

loc_4B63C:
                              	          mov     edx, [ecx+3Ch]
PAGE:0004B63F                 test    edx, edx
PAGE:0004B641                 jz      short loc_4B653
PAGE:0004B643                 push    4
PAGE:0004B645                 pop     esi
PAGE:0004B646                 cmp     [eax+4], esi
PAGE:0004B649                 jnz     short loc_4B653
PAGE:0004B64B                 mov     dword ptr [edx], 200h  // No check

EDX= controlled.

#HIGH CONSTANT VALUE

PAGE:0004B61A                   push    4
PAGE:0004B61C                   pop     esi
PAGE:0004B61D                   sub     edx, esi
PAGE:0004B61F                   jnz     short loc_4B653
PAGE:0004B621                   mov     edx, [ecx+3Ch]
PAGE:0004B624                   test    edx, edx
PAGE:0004B626                   jz      short loc_4B653
PAGE:0004B628                   cmp     [eax+4], esi
PAGE:0004B62B                   jnz     short loc_4B653
PAGE:0004B62D                   mov     dword ptr [edx], offset
sub_4B71B //No Check

EDX= controlled.

Attack vectors:
Symantec and Norton-antivirus products for Microsoft Platforms.

Exploits:
I have decided to release public exploit code for these flaws, in order
to show that every kernel memory overwritting can be exploited, even if
we are not controlling the values.

Six exploits, based on these flaws, are available for download at
www.reversemode.com



References:
http://securityresponse.symantec.com/avcenter/security/Content/2006.10.05a.html
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=417


Regards,
Rubén Santamarta.

----
www.reversemode.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ