ESB-2007.0862 -- [Mac][OSX] -- Symantec AntiVirus for Macintosh and Norton AntiVirus for Macintosh Local Elevation of Privilege

Date: 09 November 2007

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                        ESB-2007.0862 -- [Mac][OSX]
         Symantec AntiVirus for Macintosh and Norton AntiVirus for
                  Macintosh Local Elevation of Privilege
                              9 November 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Norton AntiVirus for Macintosh 9.x-10.x
                      Norton Internet Security for Macintosh 3.x
                      Symantec AntiVirus for Macintosh 10.0
                      Symantec AntiVirus for Macintosh 10.1
Publisher:            Symantec
Operating System:     Mac OS X
Impact:               Root Compromise
Access:               Existing Account
CVE Names:            CVE-2007-5829

Original Bulletin: 
http://securityresponse.symantec.com/avcenter/security/Content/2007.11.02.html

Comment: According to the Symantec advisory, this vulnerability may only be
         exploited by members of the admin group.

Revision History: November 9 2007: Added CVE Name
                  November 5 2007: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

SYM07-028
November 1, 2007
Symantec AntiVirus for Macintosh and Norton AntiVirus for Macintosh
Local Elevation of Privilege

Revision History
None

Risk Impact
Low

Remote Access           No
Local Access            Yes
Authentication Required Yes
Exploit available       No

Overview
A feature of Symantec AntiVirus for Macintosh and Norton AntiVirus for
Macintosh could be used by members of the group admin to execute code
as the root user (uid 0) on the local system.

Affected Products

Product                                  Version   Solution
Norton AntiVirus for Macintosh           9.x-10.x  (1)
Norton Internet Security for Macintosh   3.x       (1)
Symantec AntiVirus for Macintosh         10.0      (1)
Symantec AntiVirus for Macintosh         10.1      (1)

(1) Disable "Show Progress During Mount Scans" in the Mount Scan tab of
    Auto-Protect System preferences.

Unaffected Products

Product                          Version
Norton Personal Firewall for Mac all
Norton Confidential for Mac      all

Note: This vulnerability exists only in products running on the
Macintosh platform. It does not exist in products running on Linux or
Microsoft Windows.

Details
An executable used by the Mount Scan feature of Symantec AntiVirus for
Macintosh and Norton AntiVirus for Macintosh runs as root. A member of
group admin could replace this executable with code of their choice and
thereby gain root access.
The folder /Library/Application Support has group ownership admin (gid
80) and is group-writable, so programs launched by users with admin
privileges can rename folders within /Library/Application Support
without explicitly alerting the user. This could potentially be used to
spoof the mount scanner into launching an arbitrary executable when a
disk is inserted.

Symantec Response
Symantec engineers have verified that this issue exists in the
products listed above. However, any potential attempt to exploit the
issue will fail if Mount Scanning is disabled, or if Mount Scanning is
configured to run without showing progress.
Symantec is not aware of any customers impacted by this issue, or of
any attempts to exploit the issue.

Mitigation
Disable "Show Progress During Mount Scans" in the Mount Scan tab of
Auto-Protect System preferences.
An alternative mitigation is to set the sticky bit on the folder
/Library/Application Support. With the sticky bit set, an entry in that
folder can be renamed or removed only by the entry's owner, the folder's
owner, or root, rather than by any member of group admin; group write
access is otherwise unchanged. The sticky bit may become unset if Apple's
Disk Utility is used at some later time to repair permissions on the
drive, so re-check it after any such repair. The sticky bit may be set by
issuing the following command in a terminal window (note the quotes,
which are required because the path contains a space) and entering an
admin password at the resulting prompt:
sudo /bin/chmod +t "/Library/Application Support"
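The weakness described under Details and the sticky-bit mitigation above, as an added example that is not part of the Symantec advisory or of AusCERT's bulletin: a POSIX shell script that audits every directory between a root-run helper and a chosen boundary directory for the group-writable-without-sticky-bit condition, then applies chmod +t and re-checks. The directory layout it builds, the vendor folder name and the helper name mountscan are constructed stand-ins for the real product layout, which the advisory does not spell out; nothing here touches the real /Library/Application Support unless you point the functions at it.

```shell
#!/bin/sh
# Added example (not from the Symantec or AusCERT advisories). Audits the
# ancestors of a root-run helper for directories any group member could
# rename entries in, then applies and verifies the sticky-bit mitigation.
# POSIX sh; parses `ls -ld` so it behaves the same on macOS and Linux
# (stat's flags differ between the two).

# Print the 10-character mode string (e.g. drwxrwxr-x) for one path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if the directory is writable by group or other AND lacks the
# sticky bit, i.e. any writer can rename or remove entries it does not own.
# Mode string positions: 6 = group write, 9 = other write, 10 = t/T sticky.
dir_is_weak() {
    case "$(mode_of "$1")" in
        *[tT]) return 1 ;;                  # sticky bit set: renames limited to owners
        ?????w????|????????w?) return 0 ;;  # group- or world-writable, no sticky bit
    esac
    return 1
}

# Walk from the helper's directory up to and including the boundary
# directory, printing every weak ancestor. Returns 0 when the path is clean,
# 1 when at least one ancestor would let a group member interpose.
audit_exec_path() {
    target=$1
    boundary=$2
    weak=0
    d=$(dirname "$target")
    while :; do
        if dir_is_weak "$d"; then
            echo "WEAK: $d ($(mode_of "$d"))"
            weak=1
        fi
        [ "$d" = "$boundary" ] && break
        p=$(dirname "$d")
        [ "$p" = "$d" ] && break            # reached the filesystem root
        d=$p
    done
    return $weak
}

# The advisory's alternative mitigation applied to one directory: set the
# sticky bit and confirm it is actually present afterwards (Disk Utility's
# permission repair can silently clear it again, so re-run the audit later).
harden_dir() {
    chmod +t "$1" || return 1
    case "$(mode_of "$1")" in
        *[tT]) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed layout standing in for /Library/Application Support: a
# group-writable base directory with no sticky bit, a vendor folder, and a
# shell script playing the part of the root-run mount-scan helper.
setup_demo() {
    base=$(mktemp -d) || return 1
    mkdir "$base/Vendor" || return 1
    printf '#!/bin/sh\necho scanning\n' > "$base/Vendor/mountscan"
    chmod 755 "$base/Vendor/mountscan" "$base/Vendor"
    chmod 775 "$base"                       # rwxrwxr-x: the weak state
    echo "$base"
}

# Stand-alone run: `sh audit.sh demo` audits the constructed layout,
# hardens it, and audits again.
if [ "${1:-}" = "demo" ]; then
    base=$(setup_demo)
    echo "Before hardening:"
    audit_exec_path "$base/Vendor/mountscan" "$base" || true
    harden_dir "$base"
    echo "After hardening:"
    audit_exec_path "$base/Vendor/mountscan" "$base" && echo "clean"
    rm -rf "$base"
fi
```

On a real system, call audit_exec_path with the helper's full path and /Library as the boundary; the script only reads permissions until you call harden_dir. Note what the sticky bit does and does not do: it refuses renames and deletions of entries the caller does not own, which is exactly what the rename-based attack in Details needs, but it does not stop a group member from creating new entries, and it does nothing for a folder the attacker already owns.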

Best Practices
Symantec recommends any affected customers apply one of the mitigation
steps to protect against potential attempts to exploit this issue. As
part of normal best practices, Symantec recommends the following:
  * Run under the principle of least privilege to limit the impact of
    potential exploits.
  * Restrict access to computer systems to trusted users only.
  * Keep all operating systems and applications updated with the
    latest vendor patches.
  * Follow a multi-layered approach to security. Run both firewall and
    antivirus software to provide multiple points of detection and
    protection from inbound and outbound threats.

Credit
Symantec would like to thank William Carrel for reporting this issue.

References
This issue is a candidate for inclusion in the Common Vulnerabilities
and Exposures (CVE) list (http://cve.mitre.org), which
standardizes names for security problems. A CVE identifier has been
requested.
SecurityFocus has assigned BID 26253 to this vulnerability.
  ___________________________________________________________

Symantec takes the security and proper functionality of its products
very seriously. As founding members of the Organization for Internet
Safety (OISafety), Symantec follows the principles of responsible
disclosure. Symantec also subscribes to the vulnerability guidelines
outlined by the National Infrastructure Advisory Council (NIAC).
Please contact secure@symantec.com if you feel you have discovered
a potential or actual security issue with a Symantec product. A
Symantec Product Security team member will contact you regarding your
submission.

Symantec has developed a Product Vulnerability Handling Process
document outlining the process we follow in addressing suspected
vulnerabilities in our products. We support responsible disclosure of
all vulnerability information in a timely manner to protect Symantec
customers and the security of the Internet as a result of
vulnerability. This document is available from the location provided
below.

Symantec strongly recommends using encrypted email for reporting
vulnerability information to secure@symantec.com. The Symantec
Product Security PGP key can be obtained from the location provided
below.
  * Symantec Product Vulnerability Response Policy
  * Symantec Product Vulnerability Management PGP Key
  _________________________________________________________________

Copyright (c) 2007 by Symantec Corp.
Permission to redistribute this alert electronically is granted as
long as it is not edited in any way unless authorized by Symantec
Security Response. Reprinting the whole or part of this alert in any
medium other than electronically requires permission from
secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and
secure@symantec.com are registered trademarks of Symantec Corp.
and/or affiliated companies in the United States and other countries.
All other registered and unregistered trademarks represented in this
document are the sole property of their respective companies/owners.
Last modified on: Friday, 02-Nov-07 09:28:14


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRzPZEyh9+71yA2DNAQIlFAP/REFWYF0b5I26uXR0pFwOMgIJsWPFpnkG
npEOWHjqRSLq+xMX+7xSffvp3rOyDRa7berzQe3dGZevfCXoQxwhdHyhsvDG0HeD
UbLoC3bfsyTcj1e/fNLb3D/plX4JLAMiJ8aSGW/CjCrZHCzMIrm/XiF/4NBbzzBq
rLvSw2szk/Q=
=PNan
-----END PGP SIGNATURE-----