---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Currently the following type of positions are available: http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Symantec Products IOCTL Handler Privilege Escalation SECUNIA ADVISORY ID: SA22288 VERIFY ADVISORY: http://secunia.com/advisories/22288/ CRITICAL: Less critical IMPACT: Privilege escalation WHERE: Local system SOFTWARE: Symantec Web Security 3.x http://secunia.com/product/2813/ Symantec Web Security 2.x http://secunia.com/product/2812/ Symantec Norton SystemWorks 2006 http://secunia.com/product/6636/ Symantec Norton SystemWorks 2005 http://secunia.com/product/4847/ Symantec AntiVirus Corporate Edition 10.x http://secunia.com/product/5555/ Symantec AntiVirus Corporate Edition 8.x http://secunia.com/product/659/ Symantec AntiVirus Corporate Edition 9.x http://secunia.com/product/3549/ Symantec AntiVirus for Blue Coat Security http://secunia.com/product/12222/ Symantec AntiVirus for CacheFlow Security Gateway http://secunia.com/product/12220/ Symantec AntiVirus for Clearswift 4.x http://secunia.com/product/6652/ Symantec AntiVirus for Inktomi Traffic Edge http://secunia.com/product/12219/ Symantec AntiVirus for Microsoft ISA Server 4.x http://secunia.com/product/6653/ Symantec AntiVirus for Microsoft SharePoint 4.x http://secunia.com/product/6654/ Symantec AntiVirus for NetApp Filer/NetCache http://secunia.com/product/12221/ Symantec AntiVirus Scan Engine 4.x http://secunia.com/product/3040/ Symantec Brightmail AntiSpam 4.x http://secunia.com/product/4627/ Symantec Brightmail AntiSpam 5.x http://secunia.com/product/4628/ Symantec Brightmail AntiSpam 6.x http://secunia.com/product/3656/ Symantec Client Security 1.x http://secunia.com/product/2344/ Symantec Client Security 2.x http://secunia.com/product/3478/ Symantec Client Security 3.x http://secunia.com/product/6649/ Symantec Mail Security for Domino 4.x http://secunia.com/product/4624/ Symantec Mail Security for Domino 5.x http://secunia.com/product/11179/ Symantec Mail Security for Exchange 4.x http://secunia.com/product/2820/ Symantec Mail Security for Microsoft Exchange 5.x http://secunia.com/product/6650/ Symantec Mail Security for SMTP 4.x http://secunia.com/product/3558/ Symantec Norton AntiVirus 2001 http://secunia.com/product/221/ Symantec Norton AntiVirus 2002 http://secunia.com/product/846/ Symantec Norton AntiVirus 2003 http://secunia.com/product/175/ Symantec Norton AntiVirus 2004 http://secunia.com/product/2800/ Symantec Norton AntiVirus 2005 http://secunia.com/product/4009/ Symantec Norton AntiVirus 2006 http://secunia.com/product/6634/ Symantec Norton AntiVirus Corporate Edition 7.x http://secunia.com/product/643/ Symantec Norton Internet Security 2001 http://secunia.com/product/2802/ Symantec Norton Internet Security 2002 http://secunia.com/product/2801/ Symantec Norton Internet Security 2003 http://secunia.com/product/969/ Symantec Norton Internet Security 2003 Professional http://secunia.com/product/970/ Symantec Norton Internet Security 2004 http://secunia.com/product/2441/ Symantec Norton Internet Security 2004 Professional http://secunia.com/product/2442/ Symantec Norton Internet Security 2005 http://secunia.com/product/4848/ Symantec Norton Internet Security 2006 http://secunia.com/product/6635/ Symantec Norton SystemWorks 2001 http://secunia.com/product/2799/ Symantec Norton SystemWorks 2002 http://secunia.com/product/2798/ Symantec Norton SystemWorks 2003 http://secunia.com/product/2797/ Symantec Norton SystemWorks 2004 http://secunia.com/product/2796/ DESCRIPTION: A vulnerability has been reported in various Symantec Products, which can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to insufficient address space verification within the IOCTL handlers of the NAVEX15.SYS and NAVENG.SYS device drivers, which allows to overwrite arbitrary memory with a constant double word value. This can be exploited to execute arbitrary code with kernel privileges by sending specially crafted I/O Request Packets to the 0x222AD3, 0x222AD7, and 0x222ADB IOCTL handlers. The vulnerability has been reported in all versions of the following products for Windows NT, Windows 2000, and Windows XP: - Norton AntiVirus - Norton Internet Security - Norton System Works - Symantec AntiVirus Corporate Edition - Symantec AntiVirus for Blue Coat Security - Symantec AntiVirus for CacheFlow Security Gateway - Symantec AntiVirus for Clearswift MIME Sweeper - Symantec AntiVirus for Inktomi Traffic Edge - Symantec AntiVirus for Microsoft ISA Server - Symantec AntiVirus for NetApp Filer/NetCache - Symantec BrightMail AntiSpam - Symantec Client Security - Symantec Mail Security for Domino - Symantec Mail Security for Exchange - Symantec Mail Security for SMTP - Symantec Scan Engine - Symantec Web Security for Windows SOLUTION: Update to the virus definitions of October 4, 2006 revision 9 or later. PROVIDED AND/OR DISCOVERED BY: Rubén Santamarta, reversemode.com. ORIGINAL ADVISORY: Symantec: http://securityresponse.symantec.com/avcenter/security/Content/2006.10.05a.html iDEFENSE: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=417 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------