Category:   Application (Security)  >   Symantec Anti Virus
Vendors:   Symantec
Symantec Anti Virus Corporate Edition Custom Notification Format String Bug Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1016842
SecurityTracker URL:
CVE Reference:   CVE-2006-3454, CVE-2006-4802
Updated:  Nov 21 2006
Original Entry Date:  Sep 13 2006
Impact:   Execution of arbitrary code via local system, Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Corporate Edition, prior to 10.1
Description:   A vulnerability was reported in Symantec Anti Virus Corporate Edition. A local user can obtain elevated privileges on the target system.

The customized alert notification function does not properly validate user-supplied input. A local user can supply a specially crafted Tamper Protection and Virus Alert Notification message that contains format string characters. When the notification is triggered, processing of the message results in arbitrary code execution on the target system.

Another format string flaw allows a local user to cause the Real Time Virus Scan service to crash when a specially crafted notification message is displayed in response to detection of a malicious file.

Symantec Client Security is also affected.

Symantec credits Deral Heiland of Layered Defense with reporting this vulnerability.
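
An added example, not Symantec's code and not part of the advisory: one way a notification renderer can treat a custom message purely as data, expanding only named placeholders and never passing the text to a printf-family function as the format argument. The `struct alert` fields, the `{file}` and `{threat}` placeholder syntax and the function names are assumptions made for illustration.

```c
#include <string.h>

/* Hypothetical event data substituted into a user-edited alert template.
   Field names and placeholder syntax are assumptions, not the product's. */
struct alert { const char *file; const char *threat; };

/* Append n bytes if they fit with the terminator; returns 0 on truncation. */
static int append(char *out, size_t cap, size_t *len, const char *s, size_t n) {
    if (n >= cap - *len) return 0;
    memcpy(out + *len, s, n);
    *len += n;
    out[*len] = '\0';
    return 1;
}

/* Expand only {file} and {threat}; every other byte, including '%', is
   copied as data. The template never becomes a printf format argument
   (the unsafe pattern would be snprintf(out, cap, tmpl)). */
int render_alert(char *out, size_t cap, const char *tmpl, const struct alert *a) {
    size_t len = 0;
    if (cap == 0) return 0;
    out[0] = '\0';
    while (*tmpl) {
        if (strncmp(tmpl, "{file}", 6) == 0) {
            if (!append(out, cap, &len, a->file, strlen(a->file))) return 0;
            tmpl += 6;
        } else if (strncmp(tmpl, "{threat}", 8) == 0) {
            if (!append(out, cap, &len, a->threat, strlen(a->threat))) return 0;
            tmpl += 8;
        } else {
            if (!append(out, cap, &len, tmpl, 1)) return 0;
            tmpl++;
        }
    }
    return 1;
}

/* Lint for stored templates: counts '%' conversions ("%%" is a literal). */
size_t count_conversions(const char *tmpl) {
    size_t n = 0;
    for (; *tmpl; tmpl++) {
        if (*tmpl != '%') continue;
        if (tmpl[1] == '%') { tmpl++; continue; }
        n++;
    }
    return n;
}
```

A nonzero result from `count_conversions` on a stored notification message is a useful audit signal on systems that have not yet been moved to a fixed version.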

Impact:   A local user can obtain elevated privileges on the target system.
Solution:   The vendor has issued the following fixed versions:

SAV 10 MR2 MP2 (SAV and later
SAV 9 MR5 MP1 (SAV )and later
SAV 8.1.1 MR9 build 393 and later

The Symantec advisory is available at:

Vendor URL:
Cause:   Input validation error, State error
Underlying OS:  Windows (Any)

Message History:   None.


Copyright 2020, LLC