Dec 10, 2008

Bypassing Norton Antivirus "Product Tamper Protection"

What's Norton Product Tamper Protection? It's a security setting on Norton Antivirus that "Lets you protect your Norton product from an attack or modification by unknown, suspicious, or threatening applications", the option is enabled by default. Basically it protects NAV processes so other processes can't access them (debug, inject code, modify thread execution, etc.), it doesn't matter that current user has permission on them he won't be able to access Norton Antivirus processes.

Without doing much research I guess NAV intercepts Native API calls and return access denied when trying to open a NAV process or thread with dangerous access options. The problem is that NAV forgot to also protect other process objects such as shared sections, LPC ports, etc., so an attacker can put code in a shared section and then make the process jump to the injected code, lets see how to do it.

Injecting and running code on NAV GUI process:
When pressing F1 or accessing NAV GUI help, Windows HTML Help is loaded, NAV GUI process uses HTML Help ActiveX so no new process is created. When the HTML Help is loaded a shared section named \BaseNamedObjects\DfSharedHeapXXXXXX (where XXXXXX are hex numbers) is created, this particular shared section is related with a vulnerability I found long time ago (http://www.argeniss.com/research/SSExploit.c) where besides the shared section being created on user process it was also created in a privileged process under certain circumstances, this shared section has pointers saved so it was possible to overwrite them and make the process to execute arbitrary code elevating privileges (http://www.argeniss.com/research/hackwininter.zip). Microsoft fixed this issue (http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx) by avoiding the creation of the shared section on privileged processes, so there isn't elevation of privileges anymore but you still can overwrite the data in the shared section of course you will only be able to execute code in a process you already own, but in this case this issue can be used to bypass NAV process protection since you will be able to modify NAV GUI process and run arbitrary code inside it.

This is not big deal but it shows that sometimes some protections are useless when they are not properly audited and a simple and known issue can be used to bypass them.

Enjoy.

1 comment:

Hector Macias said...

Just think, NAV is supossed to proyect you and TP is suppossed to protect NAV but it depends on the same definitions as NAV, what warrant is that? What if theyre not updated, I personally think its meant to block software like Norton Trial Reset, rather than any other kind of malware, otherwise the NAV itself would be useless. And how come Im able to disable it with such an ease as sliding the indicator to off?