Multiple vendor device drivers allow attacker to gain privileges

device-driver-gain-privileges (12824). The risk level is classified as High Risk.

Description:

Device drivers from multiple vendors, including ZoneAlarm, could allow a local attacker to gain elevated privileges because of a vulnerability in the device driver. A local attacker could send a specially crafted message to the vulnerable driver to cause the system to crash or to execute arbitrary code on the system.


Consequences:

Gain Privileges

Remedy:

For ZoneAlarm Firewall 3.1:
Download the software update, when it becomes available, as listed in the VulnWatch posting 'Vendor response to "Local ZoneAlarm Firewall (probably all versions - tested on v3.1)"'. See References.

—OR—

Contact the Zone Labs Technical Support group for support. See References.

References:

  • SEC-LABS win32ddc paper: Win32 Device Drivers Communication Vulnerabilities.
  • VulnWatch Mailing List, Tue Aug 05 2003 - 08:36:44 CDT: Local ZoneAlarm Firewall (probably all versions - tested on v3.1).
  • VulnWatch Mailing List, Wed Aug 06 2003 - 22:40:05 CDT: Vendor response to "Local ZoneAlarm Firewall (probably all versions - tested on v3.1)".
  • Zone Labs Technical Support group Web site: Zone Labs: Zone Labs Service and Support, ZoneAlarm support, technical support.
  • BID-8329: Symantec Norton AntiVirus Device Driver Memory Overwrite Vulnerability
  • BID-8342: ZoneAlarm Local Device Driver IO Control Code Execution Vulnerability
  • CVE-2003-1309: The DeviceIoControl function in the TrueVector Device Driver (VSDATANT) in ZoneAlarm before 3.7.211, Pro before 4.0.146.029, and Plus before 4.0.146.029 allows local users to gain privileges via certain signals (aka Device Driver Attack).
  • CVE-2003-1310: The DeviceIoControl function in the Norton Device Driver (NAVAP.sys) in Symantec Norton AntiVirus 2002 allows local users to gain privileges by overwriting memory locations via certain control codes (aka Device Driver Attack).
  • OSVDB ID: 2375: ZoneAlarm TrueVector Device Driver vsdatant.sys DeviceIoControl Function Privilege Escalation
  • OSVDB ID: 4362: Symantec AntiVirus Device Driver NAVAP.sys DeviceIoControl Function Privilege Escalation
  • SA9459: ZoneAlarm TrueVector Device Driver Privilege Escalation
  • SA9460: Symantec Norton AntiVirus Device Driver Privilege Escalation

Platforms Affected:

  • CheckPoint ZoneAlarm 3.1
  • Symantec Norton AntiVirus 2002

Reported:

Aug 02, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
