[NEWS] Symantec Norton AntiVirus Multiple Local Privilege Escalation (MacOS)

From: SecuriTeam (support_at_securiteam.com)
Date: 11/06/05

  • Next message: SecuriTeam: "[NEWS] FlatFrag Multiple Buffer Overflow and DoS"
    To: list@securiteam.com
    Date: 6 Nov 2005 14:33:08 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Symantec Norton AntiVirus Multiple Local Privilege Escalation (MacOS)
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.symantec.com/nav/nav_mac/> Symantec's Norton AntiVirus for
    Macintosh is an antivirus solution for the Mac OS X environment."

    Local exploitation of a design error in Symantec Norton Antivirus for
    Macintosh allows attackers to gain elevated privileges.

    DETAILS

    Vulnerable Systems:
     * Symantec Norton AntiVirus for Mac version 9.0.3

    Immune Systems:
     * Symantec AntiVirus for Macintosh version 10

    DiskMountNotify Local Privilege Escalation:
    Local exploitation of a design error in the DiskMountNotify specifically
    exists in failing to specify an explicit PATH for the
    "/Library/Application Support/Norton Solutions Support/Norton
    AntiVirus/DiskMountNotify.app/Contents/MacOS/DiskMountNotify" binary.

    This binary is setuid, meaning it will run with the permissions of the
    owner, and is owned by the System Administrator, which is equivalent to
    the Unix root user. A user can simply add a directory they control to the
    beginning of the PATH environment variable and DiskMountNotify will call
    'ps' or 'grep' from that directory with root level privileges.

    Successful exploitation allows a local attacker to execute arbitrary
    commands as the System Administrator user. This allows complete system
    compromise including the installation and removal of applications, and
    ability to read and write any file on the system.

    Workaround:
    Unsetting the setuid bit from the "/Library/Application Support/Norton
    Solutions Support/Norton
    AntiVirus/DiskMountNotify.app/Contents/MacOS/DiskMountNotify" binary will
    prevent exploitation, but may prevent automatic scanning on mounting by
    non-administrator users.

    Vendor Response:
    The vendor has released the following advisory for this issue:
    <http://www.symantec.com/avcenter/security/Content/2005.10.19.html>
    http://www.symantec.com/avcenter/security/Content/2005.10.19.html

    LiveUpdate Local Privilege Escalation:
    Local exploitation of a design error in the LiveUpdate component
    specifically exists in the permissions on the "/Library/Application
    Support/Norton Solutions Support/LiveUpdate/jlucaller" binary which
    appears to be a Java interpreter. This binary is setuid, meaning it will
    run with the permissions of the owner, and is owned by the System
    Administrator, which is equivalent to the Unix root user. A user can
    simply compile a Java program and provide it as an argument to this
    binary, and it will execute with root level privileges.

    Successful exploitation allows a local attacker to execute arbitrary
    commands as the System Administrator user. This allows complete system
    compromise including the installation and removal of applications, and
    ability to read and write any file on the system.

    Workaround:
    Unsetting the setuid bit from the "/Library/Application Support/Norton
    Solutions Support/LiveUpdate/jlucaller" binary will prevent exploitation,
    but may require that updates be performed as the System Administrator
    user.

    chmod -s "/Library/Application Support/Norton Solutions
    Support/LiveUpdate/jlucaller"

    Vendor Response:
    The vendor has released the following advisory for this issue:
    <http://www.symantec.com/avcenter/security/Content/2005.10.19a.html>
    http://www.symantec.com/avcenter/security/Content/2005.10.19a.html

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2759 >
    CAN-2005-2759

    Disclosure Timeline:
    08/31/2005 - Initial vendor notification
    08/31/2005 - Initial vendor response
    10/20/2005 - Coordinated public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:idlabs-advisories@lists.idefense.com> iDEFENSE Labs.
    The original article can be found at:
    <http://www.idefense.com/application/poi/display?id=324&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=324&type=vulnerabilities,
     
    <http://www.idefense.com/application/poi/display?id=325&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=325&type=vulnerabilities

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NEWS] FlatFrag Multiple Buffer Overflow and DoS"

    Relevant Pages

    • [UNIX] Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Vulnerability ... Exploitation of this vulnerability results in the execution of arbitrary ... 07/17/2007 - Initial vendor response ...
      (Securiteam)
    • [UNIX] Jetbox Multiple Vulnerabilities
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... a user's browser session in context of an affected site. ... exploited to execute arbitrary HTML and script code in a user's browser ... Successful exploitation may lead to execution of arbitrary PHP code by ...
      (Securiteam)
    • [NT] Microsoft Internet Explorer ART File Heap Corruption
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Internet Explorer ART File Heap Corruption ... Remote exploitation of a heap corruption vulnerability in Microsoft ...
      (Securiteam)
    • [UNIX] Joomla BSQ Sitestats Component Multiple Vulnerabilities
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Secunia Research has discovered some vulnerabilities in the BSQ ... SQL query. ... Successful exploitation requires that "register_globals" is enabled. ...
      (Securiteam)
    • [UNIX] ADOdb SQL Injection and PHP Code Execution Vulnerabilities
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... ADOdb SQL Injection and PHP Code Execution Vulnerabilities ... test script. ... Successful exploitation requires that the affected script is placed ...
      (Securiteam)