SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Firewall)  >   Norton Personal Firewall Vendors:   Symantec
Norton Personal Firewall 'SPBBCDrv.sys' Driver Lets Local Users Deny Service and Potentially Gain Elevated Privileges
SecurityTracker Alert ID:  1017837
SecurityTracker URL:  http://securitytracker.com/id/1017837
CVE Reference:   CVE-2007-1793   (Links to External Site)
Updated:  Dec 12 2008
Original Entry Date:  Apr 2 2007
Impact:   Denial of service via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2004, 2005, 2006
Description:   A vulnerability was reported in Norton Personal Firewall. A local user can cause denial of service conditions.

The firewall software hooks several System Service Descriptor Table (SSDT) functions but does not properly validate user-mode input. Calls to the NtCreateMutant and NtOpenEvent functions are affected. A local user can supply specially crafted values to trigger an error in the 'SPBBCDrv.sys' driver and cause the target system to crash.

A local user may also be able to execute arbitrary code on the target system with kernel level privileges. However, the report did not confirm code execution.

Matousec reported this vulnerability.

The original advisory is available at:

http://www.matousec.com/info/advisories/Norton-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php

Impact:   A local user can cause target system to crash.

A local user may be able to obtain kernel level privileges on the target system.

Solution:   The vendor has issued a fix, available via LiveUpdate.

The vendor's advisory is available at:

http://securityresponse.symantec.com/avcenter/security/Content/2008.12.12.html

Vendor URL:  securityresponse.symantec.com/avcenter/security/Content/2008.12.12.html (Links to External Site)
Cause:   Input validation error

Message History:   None.


 Source Message Contents

Subject:  Norton Multiple insufficient argument validation of hooked SSDT function

Hello,

We would like to inform you about a vulnerability in Symantec Norton products.


Description:

Symantec Norton Personal Firewall hooks many functions in SSDT and in at least two 
cases it fails to validate arguments that come from the user mode. User calls to 
NtCreateMutant and NtOpenEvent with invalid argument values can cause system crashes 
because of errors in Norton driver SPBBCDrv.sys. Further impacts of this bug (like 
arbitrary code execution in the kernel mode) were not examined.


Vulnerable software:

    * Norton Personal Firewall 2006 version 9.1.1.7
    * Norton Personal Firewall 2006 version 9.1.0.33
    * probably all versions of Norton Personal Firewall 2006, Norton Internet Security 
2006 and other products that use SPBBCDrv driver
    * possibly older versions of Norton Personal Firewall and Norton Internet Security




More details and a proof of concept including its source code are available here:
http://www.matousec.com/info/advisories/Norton-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php


Regards,

-- 
Matousec - Transparent security Research
http://www.matousec.com/


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC