Symantec Norton AntiVirus Device Driver Privilege Escalation

Release Date: 2003-08-06
Critical: Less critical
Impact: Privilege escalation, DoS
Where: Local system
Software: Norton AntiVirus 2002

Description:
A vulnerability has been reported in Symantec Norton AntiVirus, which can be exploited by malicious, local users to escalate their privileges on a vulnerable system or cause it to crash.

The vulnerability is caused by an error in the Norton AntiVirus Device Driver (NAVAP.sys). This can be exploited by sending two specially crafted control codes using the DeviceIoControl() function, which request the device driver to perform certain operations.

The first control code supplies specially crafted input to the requested operation via the lpInBuffer; the operation then returns output to the memory location specified by the lpOutBuffer. The memory contents at this location can then be changed to include arbitrary shellcode. Afterwards, the second control code can manipulate the driver's return address, making it jump to the memory location previously specified by the lpOutBuffer.

Successful exploitation either crashes the system or allows execution of arbitrary code with Kernel Mode (Ring 0) privileges.

The vulnerability has been reported in version 2002. However, other versions may also be affected.

Solution:
Grant only trusted users access to affected systems.