
Norton Antivirus permits local privilege escalation (i.e. getadmin)
24th Oct 2002 [SBWID-5776]

	 Norton Antivirus 7.5 - 7.6

	 Norton Corporate Antivirus 7.5 - 7.6




	        { , . }     |\
	+--oQQo->{ ^ }<-----+ \  In 3APA3A Advisory
	|  ZARAZA  U  3APA3A   }
	+-------------o66o--+ /




	This issue was discovered by ERRor of Domain Hell Team:

	 Norton Antivirus adds a "Scan for Viruses..." item to Explorer's context
	 menu. The application launched when this item is selected runs in the
	 Local System context. The application has a "Help" button which allows
	 starting winhlp32 in the context of Local System. winhlp32 allows the
	 user to execute code with the credentials of this application.



	 Editor's note



	Try this:

	 1. Launch explorer, right click on a file, scan for viruses
	 2. On the Norton Antivirus panel, click on the help button
	 3. In the help menu, choose "File->Open", RIGHT-CLICK on a help file and
	    select "Open with ..." : "notepad"
	 4. In notepad you have just started run "File->Open", choose "All files"
	    in "Files of type", select \winnt\system32\cmd.exe, RIGHT-CLICK and choose
	 5. Now you have a running command prompt with LocalSystem rights, you may
	    try such things as : "net localgroup Administrators /add <your-user-name>"
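
	The chain above (a Local System application opening winhlp32, then notepad, then cmd.exe) shows up in process-creation records. The following is an added example, not part of the advisory: a Python check that flags interactive tools running as Local System and everything they spawn. The event fields, the sample events and the name av_scan_ui.exe are constructed assumptions.

```python
# Added example: flag interactive GUI tools running as LocalSystem and their descendants.
# Event fields (pid, ppid, image, user) are an assumed, simplified process-creation schema.
from ntpath import basename

SYSTEM_USERS = {"nt authority\\system", "system", "localsystem"}
# GUI programs with a File->Open dialog that should never run as LocalSystem
INTERACTIVE_TOOLS = {"winhlp32.exe", "notepad.exe"}

def is_system(user):
    return user.strip().lower() in SYSTEM_USERS

def find_escalations(events):
    """Return (pid, image, reason) for each suspicious process creation.

    events must be ordered by creation time so a parent is seen before its child.
    """
    procs = {}       # pid -> event, for parent lookups
    tainted = set()  # pids that are, or descend from, a SYSTEM interactive tool
    findings = []
    for ev in events:
        procs[ev["pid"]] = ev
        name = basename(ev["image"]).lower()
        parent = procs.get(ev["ppid"])
        if not is_system(ev["user"]):
            continue  # the same tools under an ordinary account are normal
        if name in INTERACTIVE_TOOLS:
            tainted.add(ev["pid"])
            findings.append((ev["pid"], name, "interactive tool running as LocalSystem"))
        elif parent is not None and parent["pid"] in tainted:
            tainted.add(ev["pid"])
            pname = basename(parent["image"]).lower()
            findings.append((ev["pid"], name, "SYSTEM child of " + pname))
    return findings

# Constructed sample events; av_scan_ui.exe is a placeholder, not the product's real binary.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 8, "image": r"C:\WINNT\explorer.exe", "user": r"LAB\alice"},
    {"pid": 612, "ppid": 220, "image": r"C:\Program Files\AV\av_scan_ui.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 640, "ppid": 612, "image": r"C:\WINNT\winhlp32.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 688, "ppid": 640, "image": r"C:\WINNT\system32\notepad.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 720, "ppid": 688, "image": r"C:\WINNT\system32\cmd.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 750, "ppid": 400, "image": r"C:\WINNT\system32\notepad.exe", "user": r"LAB\alice"},
    {"pid": 790, "ppid": 720, "image": r"C:\WINNT\system32\net.exe", "user": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for pid, image, reason in find_escalations(SAMPLE_EVENTS):
        print(pid, image, reason)
```

	The check does not handle PID reuse; a production rule would key processes on PID plus start time.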



	This is a pretty explicit case of a bad "Messaging Screen DACL" such as
	described by Foon, see :



	 This vulnerability has been eliminated in current versions of Symantec
	 Norton AntiVirus Corporate Edition, version 7.5.1 Build 62 and later
	 as well as version 7.6.1 Build 35a and later that are available for


