Symantec Norton AntiVirus Device Driver Privilege Escalation - Secunia Advisories - Vulnerability Intelligence

Symantec Norton AntiVirus Device Driver Privilege Escalation
Secunia Advisory:	SA9460	Advisory Toolbox: Issue ticket Save in to-do list Mark as handled Exploit information Download as PDF Review actions Add comment
Release Date:	2003-08-06
Popularity:	9,955 views

Critical:	Less critical
Impact:	Privilege escalation DoS
Where:	Local system
Solution Status:	Unpatched

Software:	Symantec Norton AntiVirus 2002

Subscribe:	Instant alerts on relevant vulnerabilities

Description: A vulnerability has been reported in Symantec Norton AntiVirus, which can be exploited by malicious, local users to escalate their privileges on a vulnerable system or cause it to crash. The vulnerability is caused due to an error in the Norton AntiVirus Device Driver ("NAVAP.sys"). This can be exploited by sending two specially crafted control codes using the "DeviceIoControl()" function, which request the device driver to perform certain operations. The first control code will supply specially crafted input to the requested operation via the "lpInBuffer", which then returns output to the memory location specified by the "lpOutBuffer". The memory contents in this location can then be changed to include arbitrary shellcode. Afterwards, the second control code can manipulate the drivers return address making it jump to the memory location previously specified by the "lpOutBuffer". Successful exploitation either crashes the system or allows execution of arbitrary code with Kernel Mode (Ring 0) privileges. The vulnerability has been reported in version 2002. However, other versions are possibly also affected. Solution: Grant only trusted users access to affected systems. Provided and/or discovered by: Lord YuP Original Advisory: http://sec-labs.hack.pl/papers/win32ddc.php

Track this Secunia Advisory
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released. Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.

About this Secunia Advisory
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

Latest Advisories

2nd Dec, 2008

New advisories:	14
New vulnerabilities:	21
Updated advisories:	26

Less // 402 views

Linksys WRT160N Cross-Site Scripting Vulnerability

Less // 386 views

IBM Rational ClearQuest Multiple Vulnerabilities

Not // 308 views

Debian update for flamethrower

Not // 297 views

flamethrower Insecure Temporary Files

Less // 356 views

IBM Rational ClearCase Cross-Site Scripting Vulnerability

Not // 344 views

DAHDI "ZT_SPANCONFIG" IOCTL Privilege Escalation Vulnerability

Not // 338 views

Zaptel "ZT_SPANCONFIG" IOCTL Privilege Escalation Vulnerabilities

Moderately // 325 views

Rumpus Multiple Vulnerabilities

Less // 344 views

bcoos "cid" SQL Injection Vulnerability

Moderately // 358 views

ASP Portal "ASPPortal.mdb" Database Disclosure Security Issue

Solutions | More...

Send Feedback to Secunia
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com. Ideas, suggestions, and other feedback are most welcome.