RE: DH team: Norton Antivirus Corporate Edition Privilege Escalation, http://online.securityfocus.com/archive/1/296979/2002-10-22/2002-10-28/0

["Sym Security" <symsecurity () symantec com>]

-On Oct 24 2002 10:39 AM, 3APA3A <3APA3A () SECURITY NNOV RU> posted:

Dear Bugtraq,

  Product: Norton Antivirus Corporate Edition (Final 7.60.962)
  Vendor: Symantec
  Type: Local
  Risk: High (system privileges)
  Discovered: ERRor <error () pochtamt ru> of Domain HELL Team

  Description:

  Norton Antivirus allows to run winhlp32 in context of local system.
-----------------------------snip------------------------------------------------

Symantec Security Response Advisory

15 Oct 2002
Symantec Norton AntiVirus Corporate Edition 7.x Help File Elevation of
Privilege

Risk Impact
High for client systems

Overview
The Symantec Norton AntiVirus Corporate Edition client help function uses
winhlp32, the Windows Help interface to provide help support to the client
user.  There is a vulnerability in the interface process that allow
winhlp32 to assume privileges based on Norton AntiVirus Corporate Edition
privileges rather those normally assigned to the winhlp32 interface.  Since
Norton AntiVirus Corporate Edition runs with SYSTEM privileges, the client
user can manipulate the help function to access files on the local system
with administrative privileges.

Affected Components
Symantec Norton AntiVirus Corporate Edition prior to 7.5.1 build 62
Symantec Norton AntiVirus Corporate Edition prior to 7.6.1 build 35a

* * *
Details
Symantec became aware of an issue with the functionality of the Symantec
Norton AntiVirus Corporate Edition GUI help interface that allows a client
user to gain privileged access to files or functionality on the local
system. When a user accesses the user interface GUI on the Norton AntiVirus
Corporate Edition client, e.g., when doing a scan, either manual or
scheduled; reviewing history, during real-time protection alerts, etc.; the
user can request help by way of the help button in the GUI toolbar.  Norton
AntiVirus Corporate Edition help functionality was implemented with an
interface to winhlp32, the built-in operating system help function.  This
interface was made to provide the user with a common interface that the
user understands, is use to, and is able to implement quickly and easily.

However, there is a weakness in the way the interface was made that permits
the winhlp32 functionality to assume permissions from Norton AntiVirus
Corporate Edition, which by necessity runs with SYSTEM privileges, rather
than retaining the limited user privileges normally assigned to the logged
in user.  By manipulating the winhlp32 interface the local user gains the
ability to search all system files, assume full permission for all
directories and files on the client system, or even add themselves to the
administrative group on the local system.

Symantec Response

Symantec has verified that this vulnerability does exist in client
applications of earlier versions of Symantec Norton AntiVirus Corporate
Edition.  This vulnerability has been eliminated in current versions of
Symantec Norton AntiVirus Corporate Edition, version 7.5.1 Build 62 and
later as well as version 7.6.1 Build 35a and later that are available for
download.

While this has potential to be a serious vulnerability, there are
mitigating circumstances that greatly reduce the risk of intentional or
inadvertent use of this weakness in Symantec Norton AntiVirus Corporate
Edition.
* The user must have a user account on the targeted system and be logged on
interactively to exploit this weakness.
* This weakness cannot be exploited remotely.
* System privileges can only be gained on the local system, which normally
limits the impact to the client user system.
* Access to domain controllers / administrator systems would normally be
restricted to trusted Administrators only with restricted access to the
physical system.

Symantec strongly recommends all users of Symantec Norton AntiVirus
Corporate Edition upgrade to the latest version release to prevent
potential misuse of this weakness. Please see immediately below for
instructions on upgrading:

Platinum customers
New build downloads and product information are available on the Platinum
Web site.
Gold customers
Information to download current builds (updates) will be provided only when
the build is known to fix an issue that the customer is experiencing.
Please have your customer ID and upgrade insurance information readily
available when contacting technical support at the following number:
1-800-927-4017. Software upgrades are available only through Upgrade
Insurance shipments.
Customers without Gold or Platinum support
Please contact 1-800-927-4017 to determine if you qualify. You may still
qualify for an update if verification can be made that the newer build will
solve a problem on your computer.

Credit
Symantec takes the security and proper functionality of its products very
seriously. Symantec appreciates the efforts of Harry Johnson, technical
support group, Waikato University, New Zealand in identifying and providing
technical details of this issue. Symantec further appreciates the efforts
of ERRor <error () pochtamt ru> of Domain HELL Team for additional
identification of this issue.

Anyone with information on security issues with Symantec products should
contact symsecurity () symantec com The Sym Security PGP key can be downloaded
from
http://securityresponse.symantec.com/avcenter/security/publickey/SymSecurity.asc
.

Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this Advisory electronically is granted as long
as it is not edited in any way unless authorized by Symantec Security
Response. Reprinting the whole or part of this Advisory in a medium other
than electronically requires permission from symsecurity () symantec com.

Disclaimer:
The information in the advisory is believed to be accurate at the time of
printing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or consequential
loss or damage arising from use of, or reliance on this information.

Symantec, Symantec Security Response, Symantec product names and Sym
Security are Registered Trademarks of Symantec Corp. and/or affiliated
companies in the United States and other countries. All other registered
and unregistered trademarks represented in this document are the sole
property of their respective companies/owners.