0
Symantec und Norton AV-Loesungen anfaellig fuer Privilegeskalation
Flaw betrifft die Treiber NAVEX15.sys und NAVEG.sys
OS: Windows
Hallo Allerseits!
Wer AV-Loesungen von Symantec und Norton unter Windows einsetzt, sollte sich einmal folgendes vom reversemodeteam zu Gemuete fuehren.
Symantec Antivirus Engine is prone to a local privilege escalation
vulnerability.
Two Device Drivers are affected: NAVEX15.sys, NAVENG.sys.
NAVEX15.sys
#LOW CONSTANT VALUE
PAGE:0004B611 sub edx, 222AD3h
PAGE:0004B617 push esi
PAGE:0004B618 jz short loc_4B63C
loc_4B63C:
mov edx, [ecx+3Ch]
PAGE:0004B63F test edx, edx
PAGE:0004B641 jz short loc_4B653
PAGE:0004B643 push 4
PAGE:0004B645 pop esi
PAGE:0004B646 cmp [eax+4], esi
PAGE:0004B649 jnz short loc_4B653
PAGE:0004B64B mov dword ptr [edx], 200h No check
EDX= controlled.
#HIGH CONSTANT VALUE
PAGE:0004B61A push 4
PAGE:0004B61C pop esi
PAGE:0004B61D sub edx, esi
PAGE:0004B61F jnz short loc_4B653
PAGE:0004B621 mov edx, [ecx+3Ch]
PAGE:0004B624 test edx, edx
PAGE:0004B626 jz short loc_4B653
PAGE:0004B628 cmp [eax+4], esi
PAGE:0004B62B jnz short loc_4B653
PAGE:0004B62D mov dword ptr [edx], offset
sub_4B71BNo Check
EDX= controlled.
Attack vectors:
Symantec and Norton-antivirus products for Microsoft Platforms.
Exploits:
I have decided to release public exploit code for these flaws, in order
to show that every kernel memory overwritting can be exploited, even if
we are not controlling the values.
Six exploits, based on these flaws, are available for download at
www.reversemode.com
References:
http://securityresponse.symantec.com/avcenter/security/Content/2006.10. ...
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=417
[bugtrack 05.10.2006]
Exploits:
NAVEX15-222AD3, NAVEX15-222AD7, NAVEX15-222ADB
NAVENG-222AD3, NAVENG222AD7, NAVENG-222ADB
kommen im handlichen *.tar-koefferchen, download unter:
unter http://www.reversemode.com/index.php?option=com_remository&Itemid=2 ...
saludos
gnarff
Wer AV-Loesungen von Symantec und Norton unter Windows einsetzt, sollte sich einmal folgendes vom reversemodeteam zu Gemuete fuehren.
Symantec Antivirus Engine is prone to a local privilege escalation
vulnerability.
Two Device Drivers are affected: NAVEX15.sys, NAVENG.sys.
NAVEX15.sys
#LOW CONSTANT VALUE
PAGE:0004B611 sub edx, 222AD3h
PAGE:0004B617 push esi
PAGE:0004B618 jz short loc_4B63C
loc_4B63C:
mov edx, [ecx+3Ch]
PAGE:0004B63F test edx, edx
PAGE:0004B641 jz short loc_4B653
PAGE:0004B643 push 4
PAGE:0004B645 pop esi
PAGE:0004B646 cmp [eax+4], esi
PAGE:0004B649 jnz short loc_4B653
PAGE:0004B64B mov dword ptr [edx], 200h No check
EDX= controlled.
#HIGH CONSTANT VALUE
PAGE:0004B61A push 4
PAGE:0004B61C pop esi
PAGE:0004B61D sub edx, esi
PAGE:0004B61F jnz short loc_4B653
PAGE:0004B621 mov edx, [ecx+3Ch]
PAGE:0004B624 test edx, edx
PAGE:0004B626 jz short loc_4B653
PAGE:0004B628 cmp [eax+4], esi
PAGE:0004B62B jnz short loc_4B653
PAGE:0004B62D mov dword ptr [edx], offset
sub_4B71BNo Check
EDX= controlled.
Attack vectors:
Symantec and Norton-antivirus products for Microsoft Platforms.
Exploits:
I have decided to release public exploit code for these flaws, in order
to show that every kernel memory overwritting can be exploited, even if
we are not controlling the values.
Six exploits, based on these flaws, are available for download at
www.reversemode.com
References:
http://securityresponse.symantec.com/avcenter/security/Content/2006.10. ...
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=417
[bugtrack 05.10.2006]
Exploits:
NAVEX15-222AD3, NAVEX15-222AD7, NAVEX15-222ADB
NAVENG-222AD3, NAVENG222AD7, NAVENG-222ADB
kommen im handlichen *.tar-koefferchen, download unter:
unter http://www.reversemode.com/index.php?option=com_remository&Itemid=2 ...
saludos
gnarff
Share on Facebook
Share on Twitter
Share on Reddit
Share on LinkedinPlease also mark the comments that contributed to the solution of the article
Content-Key: 41655
Url: https://administrator.de/contentid/41655
Printed on: April 20, 2024 at 04:04 o'clock
