SYM07-028: Symantec AntiVirus for Macintosh and Norton AntiVirus for Macintosh Local Elevation of Privilege vulnerability

Article:TECH103961  |  Created: 2008-01-15  |  Updated: 2011-11-16  |  Article URL http://www.symantec.com/docs/TECH103961
Article Type
Technical Solution


Environment

Issue



A feature of Symantec AntiVirus for Macintosh and Norton AntiVirus for Macintosh could be used by members of the group admin to execute code as the root user (uid 0) on the local system.

An executable used by the Mount Scan feature of Symantec AntiVirus for Macintosh and Norton AntiVirus for Macintosh runs with root access. A member of group admin could replace this executable with code of their choice and gain root access.


Symptoms
Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.


 


Cause



The folder /Library/Application Support has group ownership admin (gid 80). The folder is also group-writable, so programs launched by users with admin privileges can rename folders within /Library/Application Support without explicitly alerting the user. This could potentially be used to spoof the Disk Mount scanner into launching an arbitrary executable when a disk is inserted.
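The condition described above can be audited by walking every ancestor directory of a root-run executable and reporting any that a non-root user could rename entries in. The following is an added example, not Symantec code; the `Vendor` and `scanner` names and the temporary tree are constructed for illustration, and the 0755 comparison only shows what the check reports once group write is absent.

```python
import os
import stat
import tempfile

def audit_ancestors(target, trusted_uid=0, stop_at="/"):
    """List (directory, reason) for every ancestor of `target` in which a
    non-root user could rename or replace the entry leading to `target`."""
    findings = []
    path, stop_at = os.path.realpath(target), os.path.realpath(stop_at)
    while path != stop_at:
        parent = os.path.dirname(path)
        if parent == path:          # reached the filesystem root
            break
        st = os.lstat(parent)
        # The sticky bit limits rename/delete to the owner of the entry or
        # of the directory, so writable sticky directories are not reported.
        sticky = bool(st.st_mode & stat.S_ISVTX)
        if st.st_uid != trusted_uid:
            findings.append((parent, f"owned by uid {st.st_uid}"))
        if st.st_mode & stat.S_IWGRP and not sticky:
            findings.append((parent, f"group-writable (gid {st.st_gid})"))
        if st.st_mode & stat.S_IWOTH and not sticky:
            findings.append((parent, "world-writable"))
        path = parent
    return findings

def demo():
    """Constructed tree mirroring the layout in the Cause section."""
    with tempfile.TemporaryDirectory() as root:
        support = os.path.join(root, "Library", "Application Support")
        vendor = os.path.join(support, "Vendor")        # hypothetical name
        os.makedirs(vendor)
        helper = os.path.join(vendor, "scanner")        # hypothetical name
        open(helper, "w").close()
        for d in (root, os.path.join(root, "Library"), vendor):
            os.chmod(d, 0o755)
        os.chmod(support, 0o775)    # group-writable, as the article describes
        me = os.getuid()            # stands in for root inside the temp tree
        before = audit_ancestors(helper, trusted_uid=me, stop_at=root)
        os.chmod(support, 0o755)    # same tree with group write removed
        after = audit_ancestors(helper, trusted_uid=me, stop_at=root)
        return before, after

if __name__ == "__main__":
    for directory, reason in demo()[0]:
        print(f"{directory}: {reason}")
```

On a real system, call `audit_ancestors` with the full path of the root-run helper and the default `trusted_uid=0`.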


Solution



This vulnerability has been fixed in Symantec AntiVirus for Macintosh version 10.2, Norton AntiVirus for Macintosh 11.0, and later.

The following workarounds are only for customers still running older versions of Symantec AntiVirus for Macintosh or Norton AntiVirus for Macintosh:

  • Disable Mount Scanning, or configure Mount Scanning to run without showing progress.
  • Symantec has made available a "SymProtector" kernel extension that will serve to protect Symantec support folders on your computer from being renamed or deleted unless the user doing so is already running with root privilege. Download: ftp://ftp.symantec.com/misc/tools/mactools/SymProtector.zip




Technical Information
For more information on the SYM07-028 vulnerability, read the Symantec Security Response SYM07-028 Security Advisory.


 



Legacy ID



2008021511052348

