Norman virus scanner allows privilege escalation

Security service 48bits has announced in an advisory that local users can inject and execute code in kernel mode via vulnerabilities in the ncoaft51 driver used in Norman's antivirus products. The driver creates the NvcOa device without applying any security restrictions to it. As a result, all users have access to it.

The advisory states that a number of functions contain code that can be abused to create buffer overflows. For example, the experts at 48bits who discovered the hole write that a function checks the length of a string that has been transferred, but then creates a buffer that is not properly dimensioned. If Unicode is used instead of ASCII, one character can be represented by several bytes, causing the buffer to overflow. Furthermore, a number of control functions could also be abused to execute code because the driver interprets arguments it receives as pointers to a KEVENT structure without further checks. Attackers could fake such a KEVENT structure to execute arbitrary code.

In its advisory, 48bits provides a link to source code for a demo exploit that allegedly shows how the vulnerability can be used to execute code with falsified KEVENT structures. Norman Virus Control 5.82 and products based upon it are affected, but older versions may also contain the defective driver. The current version 5.90 can be downloaded from the vendor's website. 48bits says that the driver is now only used on Windows NT and 2000 systems. Nonetheless, users of Norman products should make sure that they have the current version to ensure that their computers are protected.

See also:

• Multiple vulnerabilities in Norman NVC 5.82 driver, security advisory at 48bits
• Demo exploit detailed description of vulnerability at 48bits
• Download the current version of Norman

(mba)