
| Subject: | [NEWS] Symantec Norton AntiVirus Multiple Local Privilege Escalation (MacOS) |
|---|---|
| Date: | 6 Nov 2005 14:33:08 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Symantec Norton AntiVirus Multiple Local Privilege Escalation (MacOS)
------------------------------------------------------------------------

SUMMARY

"Symantec's Norton AntiVirus for Macintosh is an antivirus solution for the Mac OS X environment." <http://www.symantec.com/nav/nav_mac/>

Local exploitation of a design error in Symantec Norton Antivirus for Macintosh allows attackers to gain elevated privileges.

DETAILS

Vulnerable Systems:
 * Symantec Norton AntiVirus for Mac version 9.0.3

Immune Systems:
 * Symantec AntiVirus for Macintosh version 10

DiskMountNotify Local Privilege Escalation:

The design error in DiskMountNotify is the failure to specify an explicit PATH for the "/Library/Application Support/Norton Solutions Support/Norton AntiVirus/DiskMountNotify.app/Contents/MacOS/DiskMountNotify" binary. This binary is setuid, meaning it will run with the permissions of the owner, and is owned by the System Administrator, which is equivalent to the Unix root user. A user can simply add a directory they control to the beginning of the PATH environment variable and DiskMountNotify will call 'ps' or 'grep' from that directory with root level privileges.

Successful exploitation allows a local attacker to execute arbitrary commands as the System Administrator user. This allows complete system compromise, including the installation and removal of applications and the ability to read and write any file on the system.

Workaround:
Unsetting the setuid bit from the "/Library/Application Support/Norton Solutions Support/Norton AntiVirus/DiskMountNotify.app/Contents/MacOS/DiskMountNotify" binary will prevent exploitation, but may prevent automatic scanning on mounting by non-administrator users.

Vendor Response:
The vendor has released the following advisory for this issue:
http://www.symantec.com/avcenter/security/Content/2005.10.19.html

LiveUpdate Local Privilege Escalation:

The design error in the LiveUpdate component is in the permissions on the "/Library/Application Support/Norton Solutions Support/LiveUpdate/jlucaller" binary, which appears to be a Java interpreter. This binary is setuid, meaning it will run with the permissions of the owner, and is owned by the System Administrator, which is equivalent to the Unix root user. A user can simply compile a Java program and provide it as an argument to this binary, and it will execute with root level privileges.

Successful exploitation allows a local attacker to execute arbitrary commands as the System Administrator user. This allows complete system compromise, including the installation and removal of applications and the ability to read and write any file on the system.

Workaround:
Unsetting the setuid bit from the "/Library/Application Support/Norton Solutions Support/LiveUpdate/jlucaller" binary will prevent exploitation, but may require that updates be performed as the System Administrator user.

chmod -s "/Library/Application Support/Norton Solutions Support/LiveUpdate/jlucaller"

Vendor Response:
The vendor has released the following advisory for this issue:
http://www.symantec.com/avcenter/security/Content/2005.10.19a.html

CVE Information:
CAN-2005-2759 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2759>

Disclosure Timeline:
08/31/2005 - Initial vendor notification
08/31/2005 - Initial vendor response
10/20/2005 - Coordinated public disclosure

ADDITIONAL INFORMATION

The information has been provided by iDEFENSE Labs <mailto:idlabs-advisories@lists.idefense.com>.
The original article can be found at:
http://www.idefense.com/application/poi/display?id=324&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=325&type=vulnerabilities
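The DiskMountNotify issue described above comes from a setuid program running 'ps' and 'grep' by bare name, so the caller's PATH decides which file is executed. The C example below is added here and is not Symantec's code or part of the original advisory; it shows the corrected pattern of running a helper by absolute path with a constant environment. The function names, the /tmp/untrusted directory and the /bin/ps location are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constant environment for every child; nothing is inherited from the caller. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Run a helper by absolute path with SAFE_ENV (hypothetical helper name).
 * Returns the child's exit status, or -1 on refusal or failure. */
int run_trusted(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/') {  /* refuse bare names like "ps" */
        errno = EINVAL;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, SAFE_ENV);          /* execve never searches PATH */
        _exit(127);                                /* exec failed */
    }
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed check: prepend an untrusted directory to PATH, as the advisory
 * describes, then confirm the child only ever sees the fixed value. */
int child_sees_safe_path(void)
{
    setenv("PATH", "/tmp/untrusted:/usr/bin:/bin", 1);
    char *const argv[] = { "sh", "-c", "[ \"$PATH\" = /usr/bin:/bin ]", NULL };
    return run_trusted("/bin/sh", argv);
}

int main(void)
{
    char *const ps_argv[] = { "ps", NULL };        /* /bin/ps: assumed location */
    printf("PATH pinned in child: %s\n", child_sees_safe_path() == 0 ? "yes" : "no");
    return run_trusted("/bin/ps", ps_argv) == 0 ? 0 : 1;
}
```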