Focus on Apple
Symantec AntiVirus for Macintosh and Norton AntiVirus for Macintosh Local Elevation of Privilege
Nov 06 2007 05:14PM
Todd Woodward (todd_woodward symantec com)
http://securityresponse.symantec.com/avcenter/security/Content/2007.11.02.html

http://tinyurl.com/2d93ug

Risk Impact: Low

Remote Access: No

Local Access: Yes

Authentication Required: Yes

Exploit available: No

Overview

A feature of Symantec AntiVirus for Macintosh and Norton AntiVirus for Macintosh could be used by members of the group admin to execute code as the root user (uid 0) on the local system.

Affected Products:

Product: Norton AntiVirus for Macintosh

Version: 9.x-10.x

Solution: Disable "Show Progress During Mount Scans" in the Mount Scan tab of Auto-Protect System preferences.

Product: Norton Internet Security for Macintosh

Version: 3.x

Solution: Disable "Show Progress During Mount Scans" in the Mount Scan tab of Auto-Protect System preferences.

Product: Symantec AntiVirus for Macintosh

Version: 10.0

Solution: Disable "Show Progress During Mount Scans" in the Mount Scan tab of Auto-Protect System preferences.

Product: Symantec AntiVirus for Macintosh

Version: 10.1

Solution: Disable "Show Progress During Mount Scans" in the Mount Scan tab of Auto-Protect System preferences.

Unaffected Products

All versions of Norton Personal Firewall for Mac and Norton Confidential for Mac

Note: This vulnerability exists only in products running on the Macintosh platform. It does not exist in products running on Linux or Microsoft Windows.

Details

An executable used by the Mount Scan feature of Symantec AntiVirus for Macintosh and Norton AntiVirus for Macintosh runs with root access. A member of group admin could replace this executable with code of their choice and gain root access.

The folder /Library/Application Support has group ownership admin (gid 80). The folder is also group-writable, so programs launched by users with admin privileges can rename folders within /Library/Application Support without explicitly alerting the user. This could potentially be used to spoof the Disk Mount scanner into launching an arbitrary executable when a disk is inserted.

Symantec Response

Symantec engineers have verified that this issue exists in the products listed above. However, any potential attempt to exploit the issue will fail if Mount Scanning is disabled, or if Mount Scanning is configured to run without showing progress.

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.

Mitigation

Disable "Show Progress During Mount Scans" in the Mount Scan tab of Auto-Protect System preferences.

An alternative mitigation is to set the sticky bit on the folder /Library/Application Support. The sticky bit may become unset if Apple's Disk Utility is used at some later time to repair permissions on the drive. The sticky bit may be set by issuing the following command in a terminal window (note the quotes), and entering an admin password at the resulting prompt:

sudo /bin/chmod +t "/Library/Application Support"
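
An added audit check, not part of Symantec's advisory: it generalizes the sticky-bit mitigation above by walking every directory above a root-run helper and reporting those that are group- or world-writable without the sticky bit. The function names `check_dir` and `audit_chain` are made up for this example, and the helper path passed to it is whatever executable you want to audit.

```shell
#!/bin/sh
# Added example: audit the directory chain above a root-run helper.
# A directory that is group- or world-writable WITHOUT the sticky bit lets
# any member of that group rename or replace entries they do not own.

# Print the directory if it is writable by group or other and lacks the
# sticky bit. -H makes find examine the target of a symlinked directory.
check_dir() {
    find -H "$1" -maxdepth 0 -type d \( -perm -020 -o -perm -002 \) \
        ! -perm -1000 -print 2>/dev/null
}

# audit_chain /absolute/path/to/helper
# Prints each risky ancestor directory, one per line.
# Returns 1 if any was found, 0 if none, 2 on bad usage.
audit_chain() {
    case $1 in
        /*) ;;
        *) echo "usage: audit_chain /absolute/path" >&2; return 2 ;;
    esac
    dir=$(dirname "$1")
    found=0
    while :; do
        # A missing or unreadable directory yields no finding.
        hit=$(check_dir "$dir") || hit=""
        if [ -n "$hit" ]; then
            echo "$hit"
            found=1
        fi
        if [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    return "$found"
}
```

A directory reported here before the `chmod +t` mitigation should no longer be listed afterwards; rerun the check after any permissions repair, since the advisory notes the sticky bit may be unset by it.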

Best Practices

Symantec recommends any affected customers apply one of the mitigation steps to protect against potential attempts to exploit this issue. As part of normal best practices, Symantec recommends the following:

• Run under the principle of least privilege to limit the impact of potential exploits.

• Restrict access to computer systems to trusted users only.

• Keep all operating systems and applications updated with the latest vendor patches.

• Follow a multi-layered approach to security. Run both firewall and antivirus software to provide multiple points of detection and protection from inbound and outbound threats.

Credit

Symantec would like to thank William Carrel for reporting this issue.

[ http://blog.carrel.org/2007/11/security-advisory-norton-antivirus-for.html ]

[ http://tinyurl.com/yp4xml ]

References

This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. CVE-2007-5829 has been assigned to this exposure.

SecurityFocus has assigned BID 26253 to this vulnerability.

###

 

Security Response Researcher

Focus-Apple Moderator

 

________________________________________

Todd D. Woodward

Technical Support Engineer

NetBackup Support

Symantec Corporation

www.symantec.com

Springfield, Oregon

________________________________________

Office: 541-335-7441

________________________________________

Copyright 2010, SecurityFocus