BID:22351

Symantec Device Driver SYMTDI.SYS Local Privilege Escalation Vulnerability

Info

Symantec Device Driver SYMTDI.SYS Local Privilege Escalation Vulnerability

Bugtraq ID:	22351
Class:	Input Validation Error
CVE:	CVE-2007-3673
Remote:	No
Local:	Yes
Published:	Jul 11 2007 12:00AM
Updated:	Nov 01 2007 03:56PM
Credit:	Zohiartze Herce, working with the iDefense Vulnerability Contributor Program, is credited with the discovery of this issue.
Vulnerable:	Symantec Norton SystemWorks 2005 0 Symantec Norton System Works 2006 Symantec Norton Personal Firewall 2006 Symantec Norton Personal Firewall 2005 Symantec Norton Internet Security 2006 0 Symantec Norton Internet Security 2005 Symantec Norton AntiVirus 2006 Symantec Norton AntiVirus 2005 Symantec Norton AntiSpam 2005 0 + Symantec Norton Internet Security 2004 + Symantec Norton Internet Security 2004 Professional Edition Symantec Client Security 3.1.4 MR4 MP1 - build 4010 Symantec Client Security 3.1 .401 Symantec Client Security 3.1 .400 Symantec Client Security 3.1 .396 Symantec Client Security 3.1 .394 Symantec Client Security 3.0.2 .2021 Symantec Client Security 3.0.2 .2020 Symantec Client Security 3.0.2 .2011 Symantec Client Security 3.0.2 .2010 Symantec Client Security 3.0.2 .2002 Symantec Client Security 3.0.2 .2001 Symantec Client Security 3.0.2 .2000 Symantec Client Security 3.0 Symantec Client Security 2.0.6 MR6 MP1 - build 1100 Symantec Client Security 2.0.5 build 1100 Symantec Client Security 2.0.4 MR4 build 1000 Symantec Client Security 2.0.4 Symantec Client Security 2.0.3 MR3 b9.0.3.1000 Symantec Client Security 2.0.2 MR2 b9.0.2.1000 Symantec Client Security 2.0.1 MR1 b9.0.1.1000 Symantec Client Security 2.0 STM build 9.0.0.338 Symantec Client Security 2.0 (SCF 7.1) Symantec Client Security 2.0 Symantec Client Security 1.1.1 Symantec Client Security 1.1 Symantec Client Security 1.0.1 Symantec Client Security 1.0 Symantec Client Security 3.1.6.6000 Symantec Client Security 3.1.6.6000 Symantec Client Security 3.1 Symantec Client Security 3.0.1.1008 Symantec Client Security 3.0.1.1007 Symantec Client Security 3.0.1.1001 Symantec Client Security 3.0.1.1000 Symantec Client Security 3.0.0.359 Symantec AntiVirus Corporate Edition 10.1.4 MR4 MP1 - build 4010 Symantec AntiVirus Corporate Edition 10.1.4 Symantec AntiVirus Corporate Edition 10.1 .401 Symantec AntiVirus Corporate Edition 10.1 .400 Symantec AntiVirus Corporate Edition 10.1 .396 Symantec AntiVirus Corporate Edition 10.1 .394 Symantec AntiVirus Corporate Edition 10.0.2 .2021 Symantec AntiVirus Corporate Edition 10.0.2 .2020 Symantec AntiVirus Corporate Edition 10.0.2 .2011 Symantec AntiVirus Corporate Edition 10.0.2 .2010 Symantec AntiVirus Corporate Edition 10.0.2 .2010 Symantec AntiVirus Corporate Edition 10.0.2 .2002 Symantec AntiVirus Corporate Edition 10.0.2 .2001 Symantec AntiVirus Corporate Edition 10.0.2 .2000 Symantec AntiVirus Corporate Edition 10.0 Symantec AntiVirus Corporate Edition 9.0.5 .1100 Symantec AntiVirus Corporate Edition 9.0.5 Symantec AntiVirus Corporate Edition 9.0.4 MR4 build 1000 Symantec AntiVirus Corporate Edition 9.0.4 Symantec AntiVirus Corporate Edition 9.0.3 .1000 Symantec AntiVirus Corporate Edition 9.0.2 .1000 Symantec AntiVirus Corporate Edition 9.0.1 .1.1000 Symantec AntiVirus Corporate Edition 9.0 .0.338 Symantec AntiVirus Corporate Edition 9.0 Symantec AntiVirus Corporate Edition 10.2 Symantec AntiVirus Corporate Edition 10.1.6.6000 Symantec AntiVirus Corporate Edition 10.1.6.600 Symantec AntiVirus Corporate Edition 10.1.4.4010 Symantec AntiVirus Corporate Edition 10.1 Symantec AntiVirus Corporate Edition 10.0.2.2000 Symantec AntiVirus Corporate Edition 10.0.1.1008 Symantec AntiVirus Corporate Edition 10.0.1.1007 Symantec AntiVirus Corporate Edition 10.0.1.1000 Symantec AntiVirus Corporate Edition 10.0.0.359

Not Vulnerable:	Symantec Client Security 3.1 MR6 Symantec Client Security 2.0 MR6 MP1 Symantec AntiVirus Corporate Edition 9.0.6 MR6 MP1 - build 1100 Symantec AntiVirus Corporate Edition 10.1 MR6

Discussion

Symantec Device Driver SYMTDI.SYS Local Privilege Escalation Vulnerability

Applications running the SYMTDI.SYS device driver are prone to a privilege-escalation vulnerability because the driver fails to adequately sanitize user-supplied input.

Local attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges. A successful exploit will completely compromise affected computers. Failed exploit attempts will likely cause the computer to crash.

Exploit / POC

Symantec Device Driver SYMTDI.SYS Local Privilege Escalation Vulnerability

The following exploit is available:

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

/data/vulnerabilities/exploits/07122007-symTDI_advisory.rar

Solution / Fix

Symantec Device Driver SYMTDI.SYS Local Privilege Escalation Vulnerability

Solution:
Symantec has released security advisory SYM07-018 and updates to address this issue. Please see the references for more information.

References

Symantec Device Driver SYMTDI.SYS Local Privilege Escalation Vulnerability

References:

SYM07-018 Symantec SYMTDI.SYS Device Driver Local Elevation of Privilege (Symantec)
Symantec AntiVirus symtdi.sys Local Privilege Escalation Vulnerability (iDefense)
Symantec Homepage (Symantec)
iDefense Security Advisory 07.11.07: Symantec AntiVirus symtdi.sys Local Privile (iDefense)