[Full-disclosure] Norton Insufficient validation of 'SymTDI' driver input buffer



Hello,

We would like to inform you about a vulnerability in Symantec Norton products.


Description:

Norton insufficiently protects its driver \Device\SymEvent against manipulation by malicious applications and fails
to validate its input buffer. It is possible to open this driver and send it arbitrary data, which is implicitly
assumed to be valid. The data in the input buffer can be assembled such that the driver performs an invalid
memory operation and crashes the whole operating system. Further impacts of this bug (such as the possibility of
arbitrary code execution in kernel mode) were not examined.


Vulnerable software:

* Norton Personal Firewall 2006 version 9.1.1.7
* Norton Personal Firewall 2006 version 9.1.0.33
* probably all versions of Norton Personal Firewall 2006, Norton Internet Security 2006 and other products that use
the SymTDI driver
* possibly older versions of Norton Personal Firewall and Norton Internet Security


More details and a proof of concept including its source code are available here:
http://www.matousec.com/info/advisories/Norton-Insufficient-validation-of-SymTDI-driver-input-buffer.php


Regards,

--
Matousec - Transparent security Research
http://www.matousec.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
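
The kind of check the advisory says is missing, shown as an added example that is not taken from the advisory, its proof of concept or Symantec's code. The request layout, the names (request_hdr, validate_request, MAX_OPCODE) and the limits are hypothetical, since the advisory does not describe the real buffer format:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical request layout (an assumption; the advisory does not
   describe the real driver buffer format). */
typedef struct {
    uint32_t opcode;       /* operation selector */
    uint32_t data_offset;  /* payload offset from the start of the buffer */
    uint32_t data_length;  /* payload length in bytes */
} request_hdr;

enum { REQ_OK = 0, REQ_TOO_SHORT = -1, REQ_BAD_OPCODE = -2, REQ_BAD_RANGE = -3 };

#define MAX_OPCODE 3u  /* constructed limit for this example */

/* Validate a caller-supplied buffer before any field is used as an
   index, offset or length. buf/len stand for the input buffer and the
   length reported for it. On success *payload points inside buf and
   *payload_len bytes are safe to read. */
int validate_request(const uint8_t *buf, size_t len,
                     const uint8_t **payload, size_t *payload_len)
{
    request_hdr hdr;

    if (buf == NULL || len < sizeof hdr)
        return REQ_TOO_SHORT;

    /* Copy the header once so the checks and later uses see the same
       values even if the caller rewrites the buffer concurrently. */
    memcpy(&hdr, buf, sizeof hdr);

    if (hdr.opcode > MAX_OPCODE)
        return REQ_BAD_OPCODE;

    /* Payload must start after the header and end inside the buffer.
       The subtraction form cannot wrap, unlike offset + length. */
    if (hdr.data_offset < sizeof hdr || hdr.data_offset > len ||
        hdr.data_length > len - hdr.data_offset)
        return REQ_BAD_RANGE;

    *payload = buf + hdr.data_offset;
    *payload_len = hdr.data_length;
    return REQ_OK;
}
```

A driver would run such a check at the top of its request handler and fail the request with an error status on any non-zero result, instead of dereferencing fields from the buffer directly.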


