SYM07-028: Symantec AntiVirus for Macintosh and Norton AntiVirus for Macintosh Local Elevation of Privilege vulnerability
Article: TECH103961 | Created: 2008-01-15 | Updated: 2011-11-16 | Article URL: http://www.symantec.com/docs/TECH103961
A feature of Symantec AntiVirus for Macintosh and Norton AntiVirus for Macintosh could be used by members of the group admin to execute code as the root user (uid 0) on the local system.
An executable used by the Mount Scan feature of Symantec AntiVirus for Macintosh and Norton AntiVirus for Macintosh runs with root access. A member of group admin could replace this executable with code of their choice and gain root access.
Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.
The folder /Library/Application Support has group ownership admin (gid 80). The folder is also group-writable, so programs launched by users with admin privileges can rename folders within /Library/Application Support without explicitly alerting the user. This could potentially be used to spoof the Disk Mount scanner into launching an arbitrary executable when a disk is inserted.
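A defensive check for the condition described above, as an added example that is not part of Symantec's advisory: the POSIX shell function below (hypothetical name `audit_ancestors`) walks up from a file that runs as root and reports every parent directory that is group- or world-writable. The path to audit is supplied by the caller; no product path is taken from the advisory.

```shell
#!/bin/sh
# Added example (not vendor code): audit the directories above a file that
# is executed as root. Renaming or replacing a directory entry only needs
# write permission on its parent directory, so each ancestor of a
# root-executed file should be writable by root alone.

# audit_ancestors FILE
# Prints "<mode> <uid>:<gid> <dir>" for every ancestor directory of FILE
# that is group-writable or world-writable.
# Returns 1 if at least one such directory was found, otherwise 0.
audit_ancestors() {
    dir=$(dirname "$1")
    status=0
    while :; do
        # "find DIR -prune -perm ..." is POSIX and tests only DIR itself.
        # -perm -020 = group-write bit set, -perm -002 = other-write bit set.
        if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
            # ls -ldn prints numeric owner and group in fields 3 and 4,
            # e.g. gid 80 for the macOS admin group.
            ls -ldn "$dir" | awk -v d="$dir" '{ print $1, $3 ":" $4, d }'
            status=1
        fi
        # Stop once the filesystem root (or "." for relative paths) is checked.
        case $dir in
            /|.) break ;;
        esac
        dir=$(dirname "$dir")
    done
    return $status
}

# Stand-alone use: sh audit.sh /path/to/root-executed/file
if [ $# -gt 0 ]; then
    audit_ancestors "$1"
fi
```

A reported directory whose mode ends in `t` has the sticky bit set, which restricts renaming an entry to the entry's owner, the directory's owner, or root.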
This vulnerability has been fixed in Symantec AntiVirus for Macintosh version 10.2, Norton AntiVirus for Macintosh 11.0, and later.
The following workarounds are only for customers still running older versions of Symantec AntiVirus for Macintosh or Norton AntiVirus for Macintosh:
- Disable Mount Scanning, or configure Mount Scanning to run without showing progress.
- Symantec has made available a "SymProtector" kernel extension that will serve to protect Symantec support folders on your computer from being renamed or deleted unless the user doing so is already running with root privilege. ftp://ftp.symantec.com/misc/tools/mactools/SymProtector.zip
For more information on the SYM07-028 vulnerability, read the Symantec Security Response SYM07-028 Security Advisory.