CVE-2007-3673 in Norton Internet Security

Summary

by MITRE

Symantec symtdi.sys before 7.0.0, as distributed in Symantec AntiVirus Corporate Edition 9 through 10.1 and Client Security 2.0 through 3.1, Norton AntiSpam 2005, and Norton AntiVirus, Internet Security, Personal Firewall, and System Works 2005 and 2006, allows local users to gain privileges via a crafted Interrupt Request Packet (Irp) in an IOCTL 0x83022323 request to \\symTDI\, which results in memory overwrite.


Analysis

by VulDB Data Team • 06/07/2025

This vulnerability exists in Symantec's symtdi.sys kernel driver component and affects multiple security products, including AntiVirus Corporate Edition 9 through 10.1, Client Security 2.0 through 3.1, and various Norton security suites from 2005 and 2006. The flaw manifests when the driver processes a specially crafted Interrupt Request Packet (Irp) delivered through an IOCTL 0x83022323 request directed to the \symTDI\ device interface. This is a classic kernel-mode buffer overflow that allows local privilege escalation. The vulnerability is classified under CWE-121, which describes stack-based buffer overflow conditions, although the fault described here is a kernel memory overwrite rather than a stack-specific corruption. The affected driver is part of Symantec's network traffic monitoring and filtering infrastructure, making it a critical system component that operates at the kernel level.

The technical exploitation mechanism relies on improper validation of input parameters within the IOCTL handling routine of the symtdi.sys driver. When a local user submits a crafted IRP with the specific IOCTL code 0x83022323 to the \symTDI\ device, the driver fails to bounds-check the input data properly before copying it into kernel memory buffers. This allows an attacker to overwrite adjacent memory locations, potentially corrupting critical kernel data structures or executing arbitrary code with kernel-level privileges. The vulnerability is particularly dangerous because it requires only local user access to exploit, meaning any user account on the system can potentially leverage this flaw to escalate privileges to SYSTEM level. The attack vector aligns with ATT&CK technique T1068, which covers 'Local Port Forwarding', and T1059.003, which covers 'Command and Scripting Interpreter: Windows Command Shell', as exploitation typically involves local execution and privilege escalation techniques.
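The missing bounds check described above, shown as an added illustrative model in portable C. This is not symtdi.sys code: the request layout, field names, status codes and the IRP argument structure are assumed stand-ins so the pattern can be built and tested anywhere.

```c
/* Illustrative model of a buffered IOCTL handler (added example, not Symantec's
 * code). Windows kernel types are replaced by local stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STATUS_SUCCESS            0
#define STATUS_BUFFER_TOO_SMALL   1
#define STATUS_INVALID_PARAMETER  2

/* Hypothetical request format; the real layout behind IOCTL 0x83022323 is not on the page. */
struct filter_request {
    uint32_t rule_id;
    uint32_t name_len;        /* caller-declared length of name[] */
    char     name[32];
};

/* Kernel-side record the request is copied into. */
struct filter_rule {
    uint32_t rule_id;
    char     name[32];
};

/* Models the two values a handler reads from the IRP stack location. */
struct ioctl_args {
    const void *input;        /* Irp->AssociatedIrp.SystemBuffer */
    size_t      input_len;    /* Parameters.DeviceIoControl.InputBufferLength */
};

/* Defective pattern: the copy length comes from the caller and is never checked,
 * so a request with a large name_len writes past out->name in kernel memory. */
int handle_unchecked(const struct ioctl_args *a, struct filter_rule *out)
{
    const struct filter_request *req = a->input;
    out->rule_id = req->rule_id;
    memcpy(out->name, req->name, req->name_len);
    return STATUS_SUCCESS;
}

/* Hardened pattern: validate the buffer length and every caller-supplied size
 * before any user-controlled data is read or copied. */
int handle_checked(const struct ioctl_args *a, struct filter_rule *out)
{
    const struct filter_request *req = a->input;
    if (a->input_len < sizeof *req)
        return STATUS_BUFFER_TOO_SMALL;       /* request shorter than declared layout */
    if (req->name_len > sizeof out->name)
        return STATUS_INVALID_PARAMETER;      /* copy would exceed destination */
    out->rule_id = req->rule_id;
    memset(out->name, 0, sizeof out->name);
    memcpy(out->name, req->name, req->name_len);
    return STATUS_SUCCESS;
}
```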

The operational impact of this vulnerability is severe, as it provides a local privilege escalation path that can be exploited by malware or malicious users with basic system access. Once successfully exploited, attackers can gain complete control over the affected system, potentially leading to full system compromise, data exfiltration, or use as a pivot point for attacking other systems within the network. The vulnerability affects a wide range of Symantec products that were prevalent in enterprise environments during the mid-2000s, making it a significant concern for organizations that had not yet updated their security software. The memory overwrite condition could lead to system crashes, data corruption, or, more insidiously, allow attackers to implant persistent backdoors that remain undetected by standard security measures. This vulnerability demonstrates the critical importance of proper kernel-mode input validation and the consequences of insufficient bounds checking in system-level drivers, a fundamental principle of secure coding that aligns with security standards such as the CERT/CC secure coding guidelines and NIST SP 800-144 for secure software development lifecycle practices. Organizations should immediately apply the vendor patches released by Symantec and consider implementing additional security controls to monitor for suspicious kernel-level activity that might indicate exploitation attempts against similar vulnerabilities.

Reservation: 07/10/2007

Disclosure: 07/15/2007

Moderation: accepted

Entry: VDB-37800

CPE: ready

Exploit: Download

EPSS: 0.00179

KEV: no

Activities: very low
