COMMAND

Norton Antivirus permits local privilege escalation (i.e. getadmin)

SYSTEMS AFFECTED

Norton Antivirus 7.5 - 7.6
Norton Corporate Antivirus 7.5 - 7.6

PROBLEM

In 3APA3A Advisory (ZARAZA U 3APA3A, http://www.security.nnov.ru):

This issue was discovered by ERRor [error@pochtamt.ru] of Domain Hell Team:

Norton Antivirus adds a "Scan for Viruses..." item to Explorer's context menu. The application launched when this item is selected runs in the Local System context. The application has a "Help" button which starts winhlp32 in the context of Local System. winhlp32 allows the user to execute code with the credentials of this application.

Editor's note
=============

Try this:

1. Launch explorer, right click on a file, scan for viruses
2. On the Norton Antivirus panel, click on the help button
3. In the help menu, choose "File->Open", RIGHT-CLICK on a help file and select "Open with ..." : "notepad"
4. In the notepad you have just started, run "File->Open", choose "All files" in "Files of type", select \winnt\system32\cmd.exe, RIGHT-CLICK and choose "open"
5. Now you have a running command prompt with LocalSystem rights; you may try such things as: "net localgroup Administrators /add <your-user-name>"

This is a pretty explicit case of a bad "Messaging Screen DACL" such as described by Foon [ivegotta@tombom.co.uk], see:

http://www.securitybugware.org/NT/5606.html

SOLUTION

This vulnerability has been eliminated in current versions of Symantec Norton AntiVirus Corporate Edition, version 7.5.1 Build 62 and later as well as version 7.6.1 Build 35a and later that are available for download.
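
A detection check for the process chain described under PROBLEM, added here as an example and not part of the original advisory: it walks process-creation records and flags any winhlp32.exe running as LocalSystem together with everything spawned beneath it. The record field names, the sample events and the `scan-ui.exe` path are constructed for illustration.

```python
import ntpath

# Account spellings treated as LocalSystem (assumed log formats).
SYSTEM_USERS = {"nt authority\\system", "system", "localsystem"}
HELP_VIEWERS = {"winhlp32.exe"}

# Constructed process-creation records in creation order; the field names
# and the scan-ui.exe path are hypothetical, not taken from a real product.
SAMPLE_EVENTS = [
    {"pid": 700, "ppid": 200, "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\ExampleAV\scan-ui.exe"},
    {"pid": 704, "ppid": 700, "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\WINNT\winhlp32.exe"},
    {"pid": 712, "ppid": 704, "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\WINNT\system32\notepad.exe"},
    {"pid": 720, "ppid": 712, "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\WINNT\system32\cmd.exe"},
    # Benign: help viewer and editor started by an ordinary user.
    {"pid": 900, "ppid": 860, "user": "WORKSTATION\\alice", "image": r"C:\WINNT\winhlp32.exe"},
    {"pid": 904, "ppid": 900, "user": "WORKSTATION\\alice", "image": r"C:\WINNT\system32\notepad.exe"},
    # Benign: SYSTEM shell with no help viewer among its ancestors.
    {"pid": 950, "ppid": 200, "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\WINNT\system32\cmd.exe"},
]

def is_system(user):
    return user.strip().lower() in SYSTEM_USERS

def flag_system_help_chains(events):
    """Return (pid, image name, reason) for every help viewer running as
    LocalSystem and every process descended from one.
    Events must be in creation order; PID reuse is not handled."""
    tainted = {}  # pid -> pid of the SYSTEM help viewer at the chain root
    findings = []
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        if name in HELP_VIEWERS and is_system(ev["user"]):
            tainted[ev["pid"]] = ev["pid"]
            findings.append((ev["pid"], name, "help viewer running as LocalSystem"))
        elif ev["ppid"] in tainted:
            root = tainted[ev["ppid"]]
            tainted[ev["pid"]] = root
            findings.append((ev["pid"], name, f"descendant of SYSTEM help viewer pid {root}"))
    return findings

if __name__ == "__main__":
    for pid, name, reason in flag_system_help_chains(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} image={name}: {reason}")
```

The same help viewer started by an ordinary user is left alone, so the rule keys on the privilege mismatch rather than on the program names.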