Symantec AntiVirus Vulnerability

Local exploitation of a design error vulnerability in Symantec Corp. AntiVirus can allow an attacker to execute arbitrary code with kernel privileges.

The vulnerability specifically exists due to improper address space validation when the NAVENG and NAVEX15 device drivers process IOCTL 0×222AD3, 0×222AD7, and 0×222ADB. An attacker can overwrite a user supplied address, including code segments, with a constant double word value by supplying a specially crafted Irp to the IOCTL handler function.

ANALYSIS
Successful exploitation allows an attacker to obtain elevated privileges by exploiting the kernel. This could allow the attacker to gain control of the affected system. However, local access is required for exploitation to be successful…

VENDOR RESPONSE
Symantec has released updated device drivers via LiveUpdate. More information regarding this issue can be found in Symantec’s Advisory SYM06-020.