CVE-2005-2017
CVSS 10.0
Published: 2005-08-30 07:45:00
Last revised: 2008-09-05 16:50:39

[Original] Symantec AntiVirus 9 Corporate Edition allows local users to gain privileges via the "Scan for viruses" option, which launches a help window with raised privileges, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2002-1540.


[CNNVD] Symantec AntiVirus Corporate Edition local privilege escalation vulnerability (CNNVD-200508-302)

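        Symantec AntiVirus Corporate Edition is a very popular enterprise antivirus solution.
        The Symantec AntiVirus Corporate Edition client help function uses the Windows HTML Help interface to provide support to client users. When an authorized user accesses the Symantec AntiVirus Corporate Edition client GUI, the user can request help from the GUI toolbar. In vulnerable product versions, the HTML Help function assumes the privileges of Symantec AntiVirus Corporate Edition's privileged access instead of retaining the restricted user rights assigned to the unprivileged logged-on user. By manipulating the GUI, a local unprivileged user can browse all system files or execute local system applications with Local System privileges.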

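- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [Complete information disclosure; all system files are exposed]
Integrity impact: COMPLETE [System integrity can be completely compromised]
Availability impact: COMPLETE [May cause the system to go down completely]
Attack complexity: LOW [No access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [Exploitation requires no authentication]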

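- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links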

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2017
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2017
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-302
(Official data source) CNNVD

- Other links and resources

http://www.symantec.com/avcenter/security/Content/2005.08.24.html
(VENDOR_ADVISORY)  CONFIRM  http://www.symantec.com/avcenter/security/Content/2005.08.24.html
http://www.idefense.com/application/poi/display?id=298&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050829 Symantec AntiVirus 9 Corporate Edition Local Privilege Escalation Vulnerability

- Vulnerability information

Symantec AntiVirus Corporate Edition local privilege escalation vulnerability
Critical; Access validation error
2005-08-30 00:00:00 2006-08-16 00:00:00
Local

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue. Patch download link:
        http://www.symantec.com/

- Vulnerability information (F39710)

iDEFENSE Security Advisory 2005-08-29.3 (PacketStormID:F39710)
2005-08-31 00:00:00
iDefense Labs  idefense.com
advisory,local
CVE-2005-2017

iDEFENSE Security Advisory - Local exploitation of a design error in the Symantec AntiVirus 9 Corporate Edition may allow a user to gain elevated privileges. Exploitation can occur when a user chooses the right click Scan for viruses option. The Symantec scan file interface allows the user to launch a help window through the use of a toolbar icon. If the user then right clicks the help window title bar they can choose the Jump to URL menu option, which will then allow them to browse the local file system and execute files as the SYSTEM user.

Symantec AntiVirus 9 Corporate Edition Local Privilege Escalation
Vulnerability 

iDEFENSE Security Advisory 08.29.05
www.idefense.com/application/poi/display?id=298&type=vulnerabilities
August 29, 2005

I. BACKGROUND

Symantec AntiVirus 9 Corporate Edition is an enterprise quality 
Anti-Virus solution for the Windows platform. 

More information can be found at the following location:

http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=155

II. DESCRIPTION

Local exploitation of a design error in the Symantec AntiVirus 9
Corporate Edition may allow a user to gain elevated privileges.
Exploitation can occur when a user chooses the right click "Scan for
viruses" option. The Symantec scan file interface allows the user to
launch a help window through the use of a toolbar icon. If the user
then right clicks the help window title bar they can choose the "Jump
to URL" menu option, which will then allow them to browse the local
file system and execute files as the SYSTEM user.

This vulnerability is a re-appearance of an old bug formerly found in
the Symantec 7.x series virus scan product.

http://cert.uni-stuttgart.de/archive/bugtraq/2002/10/msg00357.html
http://cert.uni-stuttgart.de/archive/bugtraq/2002/10/msg00379.html

III. ANALYSIS

Successful exploitation allows a local attacker to execute arbitrary
commands as the System Administrator user.

IV. DETECTION

iDEFENSE has confirmed this vulnerability exists in version 9.0.1.1000
of Norton Antivirus Corporate Edition for Windows with all current
updates applied. This is a re-appearance of an old bug that was
reportedly fixed in versions 7.5.1 Build 62 and later, and version
7.6.1 Build 35a.

V. WORKAROUND

iDEFENSE is currently unaware of any workaround for this issue.

VI. VENDOR RESPONSE

"Symantec engineers have verified this issue and corrected it in 
Maintenance Release (MR) 3 and all subsequent MRs and upgrades for
Symantec AntiVirus Corporate Edition and Symantec Client Security."

A vendor advisory for this issue is available at the following URL:

  http://www.symantec.com/avcenter/security/Content/2005.08.24.html


VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2017 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/15/2005 Initial vendor notification
06/15/2005 Initial vendor response
08/29/2005 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
    

- Vulnerability information

18975
Symantec Multiple Products HTML Help Local Privilege Escalation
Local Access Required
Loss of Integrity Patch / RCS
Exploit Private Vendor Verified, Coordinated Disclosure

- Vulnerability description

- Timeline

2005-08-24 Unknown
Unknown 2005-08-24

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Symantec has released a patch to address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Symantec AntiVirus Corporate Edition Local Privilege Escalation Vulnerability
Access Validation Error 14524
No Yes
2005-08-09 12:00:00 2009-07-12 05:06:00
Discovery is credited to an anonymous source.

- Affected software versions

Symantec Client Security 2.0.2 MR2 b9.0.2.1000
Symantec Client Security 2.0.1 MR1 b9.0.1.1000
Symantec Client Security 2.0 STM build 9.0.0.338
Symantec Client Security 2.0 (SCF 7.1)
Symantec Client Security 2.0
Symantec AntiVirus Corporate Edition 9.0.2 .1000
Symantec AntiVirus Corporate Edition 9.0.1 .1.1000
Symantec AntiVirus Corporate Edition 9.0 .0.338
Symantec AntiVirus Corporate Edition 9.0

- Unaffected software versions

Symantec Client Security 3.0
Symantec Client Security 2.0.3 MR3 b9.0.3.1000
Symantec Client Security 1.1.1 MR5 build 8.1.1.336
Symantec Client Security 1.1.1 MR4 build 8.1.1.329
Symantec Client Security 1.1.1 MR3 build 8.1.1.323
Symantec Client Security 1.1.1 MR2 build 8.1.1.319
Symantec Client Security 1.1.1 MR1 build 8.1.1.314a
Symantec Client Security 1.1.1 MR6 b8.1.1.266
Symantec Client Security 1.1.1
Symantec Client Security 1.1 STM b8.1.0.825a
Symantec Client Security 1.1
Symantec Client Security 1.0.1 MR8 build 8.01.471
Symantec Client Security 1.0.1 MR7 build 8.01.464
Symantec Client Security 1.0.1 MR6 build 8.01.460
Symantec Client Security 1.0.1 MR5 build 8.01.457
Symantec Client Security 1.0.1 MR4 build 8.01.446
Symantec Client Security 1.0.1 MR3 build 8.01.434
Symantec Client Security 1.0.1 build 8.01.437
Symantec Client Security 1.0.1 MR9 b8.01.501
Symantec Client Security 1.0.1 MR2 b8.01.429c
Symantec Client Security 1.0.1 MR1 b8.01.425a/b
Symantec Client Security 1.0.1
Symantec Client Security 1.0 .0 b8.01.9378
Symantec Client Security 1.0 b8.01.9374
Symantec Client Security 1.0
Symantec AntiVirus Corporate Edition 10.0
Symantec AntiVirus Corporate Edition 9.0.3 .1000
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.329
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.323
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.319
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.314a
Symantec AntiVirus Corporate Edition 8.1.1 .366
Symantec AntiVirus Corporate Edition 8.1.1
Symantec AntiVirus Corporate Edition 8.1 build 8.01.471
Symantec AntiVirus Corporate Edition 8.1 build 8.01.464
Symantec AntiVirus Corporate Edition 8.1 build 8.01.460
Symantec AntiVirus Corporate Edition 8.1 build 8.01.457
Symantec AntiVirus Corporate Edition 8.1 build 8.01.446
Symantec AntiVirus Corporate Edition 8.1 build 8.01.437
Symantec AntiVirus Corporate Edition 8.1 build 8.01.434
Symantec AntiVirus Corporate Edition 8.1 .0.825a
Symantec AntiVirus Corporate Edition 8.1
Symantec AntiVirus Corporate Edition 8.0 1.9378
Symantec AntiVirus Corporate Edition 8.0 1.9374
Symantec AntiVirus Corporate Edition 8.0 1.501
Symantec AntiVirus Corporate Edition 8.0 1.429c
Symantec AntiVirus Corporate Edition 8.0 1.425a/b
Symantec AntiVirus Corporate Edition 8.0 1
Symantec AntiVirus Corporate Edition 8.0

- Discussion

Symantec AntiVirus Corporate Edition is susceptible to a local privilege escalation vulnerability. This issue is due to a failure of the application to properly lower the privileges of the running process when required.

Due to the nature of the affected application, it executes with SYSTEM privileges. When a local user opens the HTML help browser from the affected application, it is executed with the same elevated privileges as the calling application.

This vulnerability allows local attackers to access and execute arbitrary files with SYSTEM privileges, facilitating the compromise of the local computer.

- Exploit

An exploit is not required.

- Solution

An advisory, along with fixes, is available from the vendor. Please see the referenced advisory for further information.

- References
