Norton DLL faking via 'SuiteOwners' protection bypass Vulnerability

[David Matousek <david () matousec com>]

Hello,

I would like to inform you about a vulnerability in the Norton Personal
Firewall component found by Matousec - Transparent security.

Description:

Norton protects its own registry keys against actions of other applications. This protection can be bypassed for 
registry key 'HKLM\SOFTWARE\Symantec\CCPD\SuiteOwners' using API functions RegSaveKey and RegRestoreKey. This registry 
key is also used to store some important information such us names of libraries, for example 'NISProd.dll'. Using 
RegSaveKey and RegRestoreKey a malicious application can modify values in 'SuiteOwners' such that Norton loads fake 
library into its own processes. A malicious code in the fake library can manipulate any Norton component and thus bypass 
every security protection of Norton.

Vulnerable software:

    * Norton Personal Firewall 2006 version 9.1.0.33
    * probably all versions of Norton Personal Firewall 2006 and Norton Internet Security 2006
    * possibly older versions of Norton Personal Firewall and Norton Internet Security

More details and proof of concept is available
here http://www.matousec.com/info/advisories/Norton-DLL-faking-via-SuiteOwners-protection-bypass.php

Regards,

--
David Matousek

Founder and Chief Representative of Matousec - Transparent security
http://www.matousec.com/