|
|
|
|
| |
"Symantec's Norton AntiVirus for Macintosh is an antivirus solution for the Mac OS X environment."
Local exploitation of a design error in Symantec Norton Antivirus for Macintosh allows attackers to gain elevated privileges. |
| |
Credit:
The information has been provided by iDEFENSE Labs.
The original article can be found at: http://www.idefense.com/application/poi/display?id=324&type=vulnerabilities,
http://www.idefense.com/application/poi/display?id=325&type=vulnerabilities
|
| |
Vulnerable Systems:
* Symantec Norton AntiVirus for Mac version 9.0.3
Immune Systems:
* Symantec AntiVirus for Macintosh version 10
DiskMountNotify Local Privilege Escalation:
Local exploitation of a design error in the DiskMountNotify specifically exists in failing to specify an explicit PATH for the "/Library/Application Support/Norton Solutions Support/Norton AntiVirus/DiskMountNotify.app/Contents/MacOS/DiskMountNotify" binary.
This binary is setuid, meaning it will run with the permissions of the owner, and is owned by the System Administrator, which is equivalent to the Unix root user. A user can simply add a directory they control to the beginning of the PATH environment variable and DiskMountNotify will call 'ps' or 'grep' from that directory with root level privileges.
Successful exploitation allows a local attacker to execute arbitrary commands as the System Administrator user. This allows complete system compromise including the installation and removal of applications, and ability to read and write any file on the system.
Workaround:
Unsetting the setuid bit from the "/Library/Application Support/Norton Solutions Support/Norton AntiVirus/DiskMountNotify.app/Contents/MacOS/DiskMountNotify" binary will prevent exploitation, but may prevent automatic scanning on mounting by non-administrator users.
Vendor Response:
The vendor has released the following advisory for this issue: http://www.symantec.com/avcenter/security/Content/2005.10.19.html
LiveUpdate Local Privilege Escalation:
Local exploitation of a design error in the LiveUpdate component specifically exists in the permissions on the "/Library/Application Support/Norton Solutions Support/LiveUpdate/jlucaller" binary which appears to be a Java interpreter. This binary is setuid, meaning it will run with the permissions of the owner, and is owned by the System Administrator, which is equivalent to the Unix root user. A user can simply compile a Java program and provide it as an argument to this binary, and it will execute with root level privileges.
Successful exploitation allows a local attacker to execute arbitrary commands as the System Administrator user. This allows complete system compromise including the installation and removal of applications, and ability to read and write any file on the system.
Workaround:
Unsetting the setuid bit from the "/Library/Application Support/Norton Solutions Support/LiveUpdate/jlucaller" binary will prevent exploitation, but may require that updates be performed as the System Administrator user.
chmod -s "/Library/Application Support/Norton Solutions Support/LiveUpdate/jlucaller"
Vendor Response:
The vendor has released the following advisory for this issue: http://www.symantec.com/avcenter/security/Content/2005.10.19a.html
CVE Information:
CAN-2005-2759
Disclosure Timeline:
08/31/2005 - Initial vendor notification
08/31/2005 - Initial vendor response
10/20/2005 - Coordinated public disclosure
|
|
|
|
|
|
|
|
|
|
