Vulnerability Name: CVE-2006-4927 (CCN-29360)

Assigned: 2006-10-05
Published: 2006-10-05
Updated: 2018-10-17
Summary: The (a) NAVENG (NAVENG.SYS) and (b) NAVEX15 (NAVEX15.SYS) device drivers 20061.3.0.12 and later, as used in Symantec AntiVirus and security products, allow local users to gain privileges by overwriting critical system addresses using a crafted Irp to the IOCTL functions (1) 0x222AD3, (2) 0x222AD7, and (3) 0x222ADB.
Update 20061.3.0.12 has been released by the vendor for each vulnerable driver.
Additionally, an update to the virus definitions (October 4, 2006 revision 9 or later) is required.
CVSS v3 Severity: 9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 4.6 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.4 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-Other
Vulnerability Consequences: Gain Privileges
References:
Source: CCN
Type: BugTraq Mailing List, Thu Oct 05 2006 - 17:05:50 CDT
[Reversemode Advisory] Symantec Antivirus Engine Privilege Escalation

Source: MITRE
Type: CNA
CVE-2006-4927

Source: CCN
Type: SA22288
Symantec Products IOCTL Handler Privilege Escalation

Source: SECUNIA
Type: Patch, Vendor Advisory
22288

Source: SREASON
Type: UNKNOWN
1690

Source: CCN
Type: SECTRACK ID: 1016994
Norton Anti-Virus NAVEX15/NAVENG Device Drivers Let Local Users Gain Kernel Level Privileges

Source: SECTRACK
Type: Exploit, Patch
1016994

Source: CCN
Type: SECTRACK ID: 1016995
Norton Internet Security NAVEX15/NAVENG Device Drivers Let Local Users Gain Kernel Level Privileges

Source: SECTRACK
Type: Exploit, Patch
1016995

Source: CCN
Type: SECTRACK ID: 1016996
Norton System Works NAVEX15/NAVENG Device Drivers Let Local Users Gain Kernel Level Privileges

Source: SECTRACK
Type: Exploit, Patch
1016996

Source: CCN
Type: SECTRACK ID: 1016997
Symantec Anti Virus NAVEX15/NAVENG Device Drivers Let Local Users Gain Kernel Level Privileges

Source: SECTRACK
Type: Exploit, Patch
1016997

Source: CCN
Type: SECTRACK ID: 1016998
Symantec Web Security NAVEX15/NAVENG Device Drivers Let Local Users Gain Kernel Level Privileges

Source: SECTRACK
Type: Exploit, Patch
1016998

Source: CCN
Type: SECTRACK ID: 1016999
Symantec Scan Engine NAVEX15/NAVENG Device Drivers Let Local Users Gain Kernel Level Privileges

Source: SECTRACK
Type: Exploit, Patch
1016999

Source: CCN
Type: SECTRACK ID: 1017000
Symantec Brightmail NAVEX15/NAVENG Device Drivers Let Local Users Gain Kernel Level Privileges

Source: SECTRACK
Type: Exploit, Patch
1017000

Source: CCN
Type: SECTRACK ID: 1017001
Symantec Mail Security NAVEX15/NAVENG Device Drivers Let Local Users Gain Kernel Level Privileges

Source: SECTRACK
Type: Exploit, Patch
1017001

Source: CCN
Type: SECTRACK ID: 1017002
Symantec Client Security NAVEX15/NAVENG Device Drivers Let Local Users Gain Kernel Level Privileges

Source: SECTRACK
Type: Exploit, Patch
1017002

Source: IDEFENSE
Type: Patch, Vendor Advisory
20061005 Symantec AntiVirus IOCTL Kernel Privilege Escalation Vulnerability

Source: CCN
Type: US-CERT VU#946820
Symantec products fail to properly limit device driver access to kernel memory

Source: CERT-VN
Type: US Government Resource
VU#946820

Source: CCN
Type: OSVDB ID: 29583
Symantec Multiple Products IOCTL Functions Crafted Irp Local Privilege Escalation

Source: BUGTRAQ
Type: UNKNOWN
20061005 [Reversemode Advisory] Symantec Antivirus Engine Privilege Escalation

Source: BID
Type: Exploit, Patch
20360

Source: CCN
Type: BID-20360
Symantec AntiVirus IOCTL Kernel Privilege Escalation Vulnerability

Source: CCN
Type: SYM06-020
Symantec Device Driver Elevation of Privilege

Source: CONFIRM
Type: Patch
http://www.symantec.com/avcenter/security/Content/2006.10.05a.html

Source: VUPEN
Type: UNKNOWN
ADV-2006-3928

Source: XF
Type: UNKNOWN
symantec-ioctl-privilege-escalation(29360)

Source: CCN
Type: iDEFENSE ADVISORY: 10.05.06
Symantec AntiVirus IOCTL Kernel Privilege Escalation Vulnerability

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:symantec:naveng_driver:*:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:navex15_driver:*:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:symantec:norton_antivirus:*:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:norton_internet_security:*:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:brightmail_antispam:-:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:client_security:-:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:mail_security:4.0.1::domino:*:*:*:*:*
  • OR cpe:/a:symantec:symantec_mail_security_exchange:4.6.5.12:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:mail_security:4.0.2::smtp:*:*:*:*:*
  • OR cpe:/a:symantec:scan_engine:-:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:web_security:-:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:antivirus:10.0.1.1::corporate:*:*:*:*:*
  • OR cpe:/a:symantec:norton_system_works:-:*:*:*:*:*:*:*

* Denotes that component is vulnerable
    symantec naveng driver *
    symantec navex15 driver *
    symantec norton antivirus *
    symantec norton internet security *
    symantec brightmail antispam -
    symantec client security -
    symantec mail security 4.0.1
    symantec symantec mail security exchange 4.6.5.12
    symantec mail security 4.0.2
    symantec scan engine -
    symantec web security -
    symantec antivirus 10.0.1.1
    symantec norton system works -