Norton DLL faking via 'SuiteOwners' protection bypass Vulnerability

2006.08.23
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 3.6/10
Impact Subscore: 4.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

Hello,

I would like to inform you about a vulnerability in the Norton Personal Firewall component found by Matousec - Transparent security.

Description:

Norton protects its own registry keys against actions of other applications. This protection can be bypassed for registry key 'HKLM\SOFTWARE\Symantec\CCPD\SuiteOwners' using API functions RegSaveKey and RegRestoreKey. This registry key is also used to store some important information such as names of libraries, for example 'NISProd.dll'. Using RegSaveKey and RegRestoreKey a malicious application can modify values in 'SuiteOwners' such that Norton loads a fake library into its own processes. Malicious code in the fake library can manipulate any Norton component and thus bypass every security protection of Norton.

Vulnerable software:

* Norton Personal Firewall 2006 version 9.1.0.33
* probably all versions of Norton Personal Firewall 2006 and Norton Internet Security 2006
* possibly older versions of Norton Personal Firewall and Norton Internet Security

More details and a proof of concept are available here:
http://www.matousec.com/info/advisories/Norton-DLL-faking-via-SuiteOwners-protection-bypass.php

Regards,

--
David Matousek
Founder and Chief Representative of Matousec - Transparent security
http://www.matousec.com/
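Added example (not part of the advisory or of any Symantec or Matousec code): a baseline check that reports any change to a library reference under the 'SuiteOwners' key, which is the effect the advisory describes. The value layout under the key is not given on this page, so the script treats every string value ending in ".dll" as a library reference; that rule and the 32-bit registry view are assumptions.

```python
import ntpath

KEY_PATH = r"SOFTWARE\Symantec\CCPD\SuiteOwners"  # key named in the advisory


def read_key(root=KEY_PATH):
    """Return {key_path\\value_name: data} for all values under HKLM\\root (Windows only)."""
    import winreg  # imported here so audit() stays usable on any platform
    # Assumption: 32-bit product, so read the 32-bit registry view.
    access = winreg.KEY_READ | winreg.KEY_WOW64_32KEY
    values = {}
    def walk(path):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, access) as key:
            n_subkeys, n_values, _ = winreg.QueryInfoKey(key)
            for i in range(n_values):
                name, data, _type = winreg.EnumValue(key, i)
                values[path + "\\" + name] = data
            for i in range(n_subkeys):
                walk(path + "\\" + winreg.EnumKey(key, i))

    walk(root)
    return values


def dll_name(data):
    """Lower-cased file name if data is a string naming a DLL, else None."""
    if isinstance(data, str) and data.lower().endswith(".dll"):
        return ntpath.basename(data).lower()
    return None


def audit(baseline, current):
    """Compare two read_key() snapshots; return (finding, value, old, new) tuples."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        old_dll, new_dll = dll_name(old), dll_name(new)
        if old == new or (old_dll is None and new_dll is None):
            continue  # unchanged, or not a library reference
        if old is None:
            kind = "library-added"
        elif new is None:
            kind = "library-removed"
        elif old_dll == new_dll:
            kind = "library-path-changed"  # same file name, different string
        else:
            kind = "library-replaced"
        findings.append((kind, name, old, new))
    return findings
```

Take the baseline with read_key() on a known-good installation, store it where the monitored host cannot write, and treat any finding from audit(baseline, read_key()) as a reason to inspect the referenced file before trusting the product's state.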


Copyright 2017, cxsecurity.com