SYM07-018 Symantec SYMTDI.SYS Device Driver Local Elevation of Privilege

Article:TECH102210  |  Created: 2007-01-11  |  Updated: 2012-01-30  |  Article URL http://www.symantec.com/docs/TECH102210
Article Type
Technical Solution


Issue



You use Symantec AntiVirus or Symantec Client Security and want to know more about the SYM07-018 Symantec Client Security Internet E-mail AutoProtect vulnerability.


Solution



An issue has been identified in some versions of Symantec's device driver SYMTDI.SYS which, if successfully exploited, could allow a local attacker to execute arbitrary code with system level privileges.

For additional information on the SYM07-018 vulnerability, read the Symantec Security Response SYM07-018 Security Advisory.


Mitigation

  • Upgrade to an unaffected build of Symantec AntiVirus or Symantec Client Security.
  • Use the SymNetDrvUpdater.exe tool to upgrade to an unaffected version of SYMTDI.SYS. This tool should not be used if you are planning on migrating to a version of Symantec Client Security 3.1 MR6, Symantec AntiVirus 10.1 MR6 or earlier.


Symantec has created fixed versions of Symantec AntiVirus and Symantec Client Security. The solution paths from each version of Symantec AntiVirus and Symantec Client Security are as follows:

Product                               | Affected Version                       | Solution
Symantec AntiVirus Corporate Edition  | 9.x, all builds prior to the solution  | Symantec AntiVirus 9 MR6-MP1 or later
Symantec AntiVirus Corporate Edition  | 10.0, 10.1                             | Symantec AntiVirus 10.1 MR6 or later
Symantec Client Security              | 2.x, all builds prior to the solution  | Symantec Client Security 2 MR6-MP1 or later
Symantec Client Security              | 3.0, 3.1                               | Symantec Client Security 3.1 MR6 or later



The version of SYMTDI.SYS for Symantec AntiVirus 10.1 MR6 or Symantec Client Security 3.1 MR6 should be 6.0.5.506 or later.
The version of SYMTDI.SYS for Symantec AntiVirus 9 MR6-MP1 or Symantec Client Security 2 MR6-MP1 should be 5.5.6.604 or later.

To obtain the latest release, read the document How to obtain an update or an upgrade for your Symantec corporate product.

Some upgrade paths require migrating to Symantec Client Security 3.1 or Symantec AntiVirus 10.1. To obtain these products, read the document How to obtain an update or an upgrade for your Symantec corporate product. For instructions on how to migrate to those versions, read one of the following documents:

Migrating to Symantec Client Security 3.1
Migrating to Symantec Client Security 3.1 Small Business Edition
Migrating to Symantec AntiVirus 10.1 Corporate Edition
Migrating to Symantec AntiVirus 10.1 Small Business Edition

For information on upgrading to 9.0 MR6 MP1, read Applying Symantec Client Security 2.0 and Symantec AntiVirus 9.0 Maintenance Release 6 Maintenance Patch 1.

Localized versions of the updated builds of Symantec Client Security and Symantec AntiVirus are available.

Use the SymNetDrvUpdater tool

Symantec has created a tool for updating SYMTDI.SYS on versions of Symantec AntiVirus 10.0.2, Symantec Client Security 3.0.2 and later.
The tool will not update Symantec AntiVirus 10.1.6 or Symantec Client Security 3.1.6 and newer versions, as they are not affected by the SYM07-018 vulnerability.
Versions prior to Symantec AntiVirus 10.0.2 and Symantec Client Security 3.0.2 should be updated to a non-vulnerable release of the product.
This tool should not be used if you are planning on migrating to a version of Symantec Client Security 3.1 MR6, Symantec AntiVirus 10.1 MR6 or earlier.


The tool can be downloaded from:

ftp.symantec.com/public/english_us_canada/products/symantec_client_security/3.1/updates/SymNetDrvUpdater.zip


Command Line options

Option                  | Effect
/log                    | Creates a log file called SymNetDrvUpdater.log in the user temp variable (%tmp%)
/promptforcereboot      | Forces a reboot with a message displayed to the user
/silentreboot           | Forces a silent reboot
/promptoptionalreboot   | User is given a choice to reboot now or later
/visible                | Dialog box is displayed with a button to "Update SymNetDrv Binaries"




Functionality of the SymNetDrvUpdater.exe tool

The SymNetDrvUpdater.exe application runs in silent mode by default.

  1. When you run the tool, it gets the Symantec AntiVirus or Client Security version. If the version is greater than AntiVirus 10.0.2 or Client Security 3.0.2, the tool continues.
  2. It replaces only the files that are already present on the system.
  3. The files are replaced on reboot, so the file versions will not change until a system reboot is completed.
  4. Use the /log command line option to create the log file SymNetDrvUpdater.log under the user's temp directory (%TMP%).



The tool replaces the following files:

  • Default.rul
  • SNDInst.exe
  • SNDSrvc.exe
  • SNDunin.dll
  • Validate.dat
  • Snd.grd
  • Snd.sig
  • Snd.spm
  • SymNeti.dll
  • SymRedir.dll
  • symdns.sys
  • symfw.sys
  • symids.sys
  • symndis.sys
  • SymRedir.cat
  • SymRedir.inf
  • symredrv.sys
  • symtdi.sys
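
The fixed SYMTDI.SYS versions and the replace-on-reboot behaviour described above can be verified per machine. The following PowerShell is an added example, not part of the original article or of Symantec's tooling; the driver path, the mapping of driver major version to product line, and the use of the PendingFileRenameOperations registry value to detect a queued replacement are assumptions.

```powershell
# Added example, not Symantec code. Checks the installed SYMTDI.SYS against
# the fixed versions stated in this article.
param(
    # Assumption: the driver is in the standard Windows driver directory.
    [string]$DriverPath = (Join-Path $env:SystemRoot 'System32\drivers\symtdi.sys')
)

# Fixed versions from the article, keyed by the driver's major version.
# Assumption: 5.x drivers ship with the 9.x/2.x products, 6.x with 10.x/3.x.
$FixedVersion = @{
    5 = [version]'5.5.6.604'
    6 = [version]'6.0.5.506'
}

function Get-SymTdiStatus {
    param([version]$Installed)
    if (-not $FixedVersion.ContainsKey($Installed.Major)) { return 'UnknownBranch' }
    if ($Installed -ge $FixedVersion[$Installed.Major]) { return 'Fixed' }
    return 'Vulnerable'
}

if (-not (Test-Path -LiteralPath $DriverPath)) {
    Write-Output "SYMTDI.SYS not found at $DriverPath"
    return
}

# Build the version from the numeric fields; the FileVersion string can carry extra text.
$vi = (Get-Item -LiteralPath $DriverPath).VersionInfo
$installed = New-Object System.Version -ArgumentList `
    $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

# The article says replaced files only take effect after a reboot.
# Assumption: the replacement is queued through the standard Windows
# PendingFileRenameOperations value, so a queued entry means a reboot is outstanding.
$sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
    -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
$pending = [bool](@($sm.PendingFileRenameOperations) -match 'symtdi\.sys')

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    Installed     = $installed
    Status        = Get-SymTdiStatus -Installed $installed
    RebootPending = $pending
}
```

A result of Vulnerable with RebootPending set to True matches the state the article describes between running the tool and completing the restart.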






Legacy ID: 2007071115121848

