Advisory 2006-08-15.01

Norton DLL faking via 'SuiteOwners' protection bypass

Basic information:

Description:

Norton protects its own registry keys against actions of other applications. This protection can be bypassed for registry key 'HKLM\SOFTWARE\Symantec\CCPD\SuiteOwners' using API functions RegSaveKey and RegRestoreKey. This registry key is also used to store some important information such us names of libraries, for example 'NISProd.dll'. Using RegSaveKey and RegRestoreKey a malicious application can modify values in 'SuiteOwners' such that Norton loads fake library into its own processes. A malicious code in the fake library can manipulate any Norton component and thus bypass every security protection of Norton.

Vulnerable software:

• Norton Personal Firewall 2006 version 9.1.0.33
• probably all versions of Norton Personal Firewall 2006 and Norton Internet Security 2006
• possibly older versions of Norton Personal Firewall and Norton Internet Security

Events:

• 2006-08-21: Candidate for inclusion in the CVE list
• 2006-08-21: Vulnerability confirmed by popular information sources
• 2006-08-15: Advisory released
• 2006-08-15: Vendor notification

References:

• SecuriTeam - Windows NT Focus
• SecurityFocus Vulnerabilities
• National Vulnerability Database
• Common Vulnerabilities and Exposures
• Symantec Norton Personal Firewall

valid HTML 4.01 · valid CSS 2 · optimized for you · design by martina · powered by jan · generated on August 21, 2008