SYM07-028
November 1, 2007
Symantec AntiVirus for Macintosh and Norton AntiVirus for Macintosh Local Elevation of Privilege

Revision History
Nov 5, 2007: CVE identifier added
Feb 27, 2008: Kernel extension information added and Unaffected Products table updated

Risk Impact
Low

Remote Access: No
Local Access: Yes
Authentication Required: Yes
Exploit available: No

Overview
A feature of Symantec AntiVirus for Macintosh and Norton AntiVirus for Macintosh could be used by members of the group admin to execute code as the root user (uid 0) on the local system.

Affected Products
Product | Version | Solution
Norton AntiVirus for Macintosh | 9.x-10.x | Disable "Show Progress During Mount Scans" in the Mount Scan tab of Auto-Protect System preferences.
Norton Internet Security for Macintosh | 3.x | Disable "Show Progress During Mount Scans" in the Mount Scan tab of Auto-Protect System preferences.
Symantec AntiVirus for Macintosh | 10.0 | Disable "Show Progress During Mount Scans" in the Mount Scan tab of Auto-Protect System preferences.
Symantec AntiVirus for Macintosh | 10.1 | Disable "Show Progress During Mount Scans" in the Mount Scan tab of Auto-Protect System preferences.


Unaffected Products
Product | Version
Norton Personal Firewall for Mac | all
Norton Confidential for Mac | all
Norton AntiVirus for Macintosh | 11.0 and later
Symantec AntiVirus for Macintosh | 10.2 and later


Note: This vulnerability exists only in products running on the Macintosh platform. It does not exist in products running on Linux or Microsoft Windows.

Details
An executable used by the Mount Scan feature of Symantec AntiVirus for Macintosh and Norton AntiVirus for Macintosh runs with root access. A member of group admin could replace this executable with code of their choice and thereby gain root user access.

The folder /Library/Application Support has group ownership admin (gid 80). The folder is also group-writable, so programs launched by users with admin privileges can rename folders within /Library/Application Support without explicitly alerting the user. This could potentially be used to spoof the Disk Mount scanner into launching an arbitrary executable when a disk is inserted.

Symantec Response
Symantec engineers have verified that this issue exists in the products listed above. However, any potential attempt to exploit the issue will fail if Mount Scanning is disabled, or if Mount Scanning is configured to run without showing progress.

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.

Symantec has released updated, non-vulnerable versions of the products impacted by this vulnerability.

Customers who have not updated to a non-vulnerable version can download and apply a kernel extension which will prevent Symantec folders from being renamed or deleted by a user who does not already have root privilege. For additional information on this option, please see the following knowledgebase articles:

Norton AntiVirus for Macintosh users: http://service1.symantec.com/SUPPORT/num.nsf/docid/2008022610250611

Symantec AntiVirus for Macintosh users: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008021511052348

Mitigation
Customers who have not updated to a non-vulnerable version or applied the kernel extension have the following options:
Disable "Show Progress During Mount Scans" in the Mount Scan tab of Auto-Protect System preferences.

An alternative mitigation is to set the sticky bit on the folder /Library/Application Support. The sticky bit may become unset if Apple’s Disk Utility is used at some later time to repair permissions on the drive. The sticky bit may be set by issuing the following command in a terminal window (note the quotes), and entering an admin password at the resulting prompt:

sudo /bin/chmod +t "/Library/Application Support"
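The following audit helper is an added example, not part of the Symantec advisory. It checks a directory for the precondition described under Details (group-writable without the sticky bit, so any group member can rename or delete entries owned by others) and distinguishes it from the mitigated state after chmod +t. The function names are hypothetical, and the demonstration runs on a scratch directory rather than on /Library/Application Support itself.

```shell
#!/bin/sh
# Added example (not from the Symantec advisory). Function names are hypothetical.

# mode_string DIR -> prints the 10-character permission string, e.g. drwxrwxr-x
# ls -ld is used because its first ten columns are the same on macOS and Linux.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# rename_exposure DIR -> prints one of:
#   missing  : the directory does not exist
#   group-ro : group has no write bit, so group members cannot rename entries
#   sticky   : group-writable but sticky bit set (the advisory's mitigation)
#   exposed  : group-writable and no sticky bit (the advisory's precondition)
rename_exposure() {
    dir=$1
    [ -d "$dir" ] || { echo "missing"; return 0; }
    mode=$(mode_string "$dir")
    gw=$(printf '%s' "$mode" | cut -c6)     # group write bit is column 6
    st=$(printf '%s' "$mode" | cut -c10)    # sticky bit shows as t/T in column 10
    if [ "$gw" != "w" ]; then
        echo "group-ro"
    elif [ "$st" = "t" ] || [ "$st" = "T" ]; then
        echo "sticky"
    else
        echo "exposed"
    fi
}

# Constructed demonstration on a temporary directory; no real system path is touched.
demo_dir=$(mktemp -d)
chmod 775 "$demo_dir"                  # group-writable, no sticky bit: the vulnerable layout
before=$(rename_exposure "$demo_dir")
chmod +t "$demo_dir"                   # apply the advisory's mitigation
after=$(rename_exposure "$demo_dir")
echo "before: $before, after: $after"  # before: exposed, after: sticky
rmdir "$demo_dir"
```

To audit the real folder, call rename_exposure "/Library/Application Support"; a result of "exposed" means the sticky bit is absent, for instance after Disk Utility has repaired permissions.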

Best Practices
Symantec recommends any affected customers apply one of the mitigation steps to protect against potential attempts to exploit this issue. As part of normal best practices, Symantec recommends the following:

  • Run under the principle of least privilege to limit the impact of potential exploits.
  • Restrict access to computer systems to trusted users only.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and antivirus software to provide multiple points of detection and protection from inbound and outbound threats.

Credit
Symantec would like to thank William Carrel for reporting this issue.

References
This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. CVE-2007-5829 has been assigned to this exposure.

SecurityFocus has assigned BID 26253 to this vulnerability.


Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).

Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the end of this message.

Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

Symantec Product Vulnerability Response
Symantec Vulnerability Response Policy
Symantec Product Vulnerability Management PGP Key


Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.


Last modified on: Wednesday, 27-Feb-08 22:43:46