<<< Date Index >>>     <<< Thread Index >>>

Secure Network Operations SNOsoft Research Team [SRT2004-12-14-0322] Symantec LiveUpdate Advisory



 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Secure Network Operations, Inc.            
http://www.secnetops.com/research
Strategic Reconnaissance Team              
research[at]secnetops[.]com
Team Lead Contact                           JxT[at]secnetops[.]com
Spam Contact                               `rm -rf /`@snosoft.com

Who we are:
**********************************************************************
********
Secure Network Operations provides network security services that
ensure 
safe, reliable and available network data, applications and access.  
Our team of security professionals has successfully secured networks
and 
applications for organizations in both the public and the private
sectors.  
Customers benefit from proprietary analysis tools and processes that
identify 
vulnerabilities and threats, resulting in secure network
architectures.  

Secure Network Operations ensures customers' networks are as secure
as 
possible with Vulnerability Audits, Penetration Tests, Strategic 
Reconnaissance, Forensic Research and Custom Consulting services.  
Customers networks will be secure due to the unique combination of 
experience, proprietary tools and constant security research offered
by
Secure Network Operations.

Quick Summary:
**********************************************************************
********
Advisory Number         : SRT2004-12-14-0322

Product                 : Symantec LiveUpdate

Version                 : Prior to version 2.5

Vendor                  :
http://symantec.com/techsupp/files/lu/lu.html

Class                   : Local

Criticality             : High (to users of the below listed
products)

Products Affected       : Symantec Windows LiveUpdate prior to v2.5
                        : Symantec Norton SystemWorks 2001-2005
                        : Symantec Norton AntiVirus 2001-2005
                        : Symantec Norton AntiVirus Pro 2001-2004
                        : Symantec Norton Internet Security 2001-2005
                        : Norton Internet Security Pro 2001-2004
                        : Symantec Norton AntiSpam 2005
                        : Symantec AntiVirus for Handhelds Retail and 
                          Corporate Edition v3.0 Not Affected
                        : Symantec Windows LiveUpdate v2.5 and later
                        : Symantec Java LiveUpdate (all versions)
                        : Symantec Enterprise products (Symantec Enterprise 
                          products do not support the Automatic
LiveUpdate
                          functionality with the exception of
Symantec 
                          AntiVirus for Handhelds Corporate Edition
v3.0)


Operating System(s):  
**********************************************************************
********
        - Win32


Notice:
**********************************************************************
********
The full technical details of this vulnerability can be found at:
http://www.secnetops.com under the research section. 


Basic Explanation:
**********************************************************************
********
High Level Description  : LiveUpdate allows local users to become
SYSTEM
What to do              : run LiveUpdate and apply latest patches. 


Proof Of Concept Status:  
**********************************************************************
********
Functional, Contact SNO for details. 


Short Description:
**********************************************************************
********
Symantec Automatic LiveUpdate, a functionality included with many
Symantec 
retail products as well as on Symantec AntiVirus for Handhelds Corp
v3.0, is 
launched by the system scheduler on system startup and then
periodically after 
startup.  Symantec  LiveUpdate can automatically check for available
updates 
to any supported Symantec products installed on the system using a
scheduled 
task call NetDetect.  

Vulnerable versions of the Symantec Automatic LiveUpdate are
initially 
launched at startup and were being assigned Local System privileges. 
During 
the period when an interactive LiveUpdate session is available, and
only during 
this session, a non-privileged user could potentially manipulate
portions of 
the LiveUpdate GUI Internet options configuration functionality to
gain elevated
privilege on the local host.  For example, the non-privileged user
could gain
privileges to search and edit all system files, assume full
permission for directories 
and files on the host, or create new user accounts on the local
system.


Additional Information:
**********************************************************************
********
If exploited effectively this issue would permit a non-privileged
user to gain 
privileged access on the local host. Symantec has produced a list of 
mitigating circumstances that reduce the risk of exploitation in the
Automatic
LiveUpdate feature. 

Symantec Automatic LiveUpdate is only implemented in retail versions
of 
Symantec products with the exception of Symantec AntiVirus for
Handhelds 
Corporate Edition v3.0. This version uses Symantec Automatic
LiveUpdate to 
check for essential updates when connected to the network. 

The system is vulnerable only when the interactive LiveUpdate
capability is 
activated and configured with the option to notify the user when
updates are 
available. Single user systems are not a the same risk factor as
multi-user 
systems in shared environments. Shared computers in university or
office type
environments with restricted or non-privileged user access are at
high risk.


Vendor Status: 
**********************************************************************
********
Symantec was notified of the vulnerability and fixes are available
via 
LiveUpdate. Secure Network Operations thanks Symantec for being
friendly
and approachable during this advisory research and release process.


BugTraq URL:
**********************************************************************
********
To be assigned. 


CVE candidate : 
**********************************************************************
********
To be assigned


Disclaimer
**********************************************************************
********
This advisory was released by Secure Network Operations,Inc. as a
matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer
released
in our advisories but can be obtained under contract. Contact our
sales 
department at sales[at]secnetops[.]com for further information on how
to 
obtain proof of concept code.

Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."



Regards,  
        Secure Network Operations, Inc.
        SNOsoft Research Team
        http://www.secnetops.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
Comment: http://www.secnetops.com

iQA/AwUBQb4Jgtelv6NS+TQWEQIpugCgvG7dcjbLARzhqUozIHVJN+mJwAIAn2sR
C97CK6HiJSG3p425HIlXw1Mh
=tCLz
-----END PGP SIGNATURE-----
 
Secure Network Operations, Inc.             http://www.secnetops.com/research
Strategic Reconnaissance Team               research[at]secnetops[.]com
Team Lead Contact                           JxT[at]secnetops[.]com
Spam Contact                               `rm -rf /`@snosoft.com

Who we are:
******************************************************************************
Secure Network Operations provides network security services that ensure 
safe, reliable and available network data, applications and access.  
Our team of security professionals has successfully secured networks and 
applications for organizations in both the public and the private sectors.  
Customers benefit from proprietary analysis tools and processes that identify 
vulnerabilities and threats, resulting in secure network architectures.  

Secure Network Operations ensures customers' networks are as secure as 
possible with Vulnerability Audits, Penetration Tests, Strategic 
Reconnaissance, Forensic Research and Custom Consulting services.  
Customers networks will be secure due to the unique combination of 
experience, proprietary tools and constant security research offered by
Secure Network Operations.

Quick Summary:
******************************************************************************
Advisory Number         : SRT2004-12-14-0322

Product                 : Symantec LiveUpdate

Version                 : Prior to version 2.5

Vendor                  : http://symantec.com/techsupp/files/lu/lu.html

Class                   : Local

Criticality             : High (to users of the below listed products)

Products Affected       : Symantec Windows LiveUpdate prior to v2.5
                        : Symantec Norton SystemWorks 2001-2005
                        : Symantec Norton AntiVirus 2001-2005
                        : Symantec Norton AntiVirus Pro 2001-2004
                        : Symantec Norton Internet Security 2001-2005
                        : Norton Internet Security Pro 2001-2004
                        : Symantec Norton AntiSpam 2005
                        : Symantec AntiVirus for Handhelds Retail and 
                          Corporate Edition v3.0 Not Affected
                        : Symantec Windows LiveUpdate v2.5 and later
                        : Symantec Java LiveUpdate (all versions)
                        : Symantec Enterprise products (Symantec Enterprise 
                          products do not support the Automatic LiveUpdate
                          functionality with the exception of Symantec 
                          AntiVirus for Handhelds Corporate Edition v3.0)


Operating System(s):  
******************************************************************************
        - Win32


Notice:
******************************************************************************
The full technical details of this vulnerability can be found at:
http://www.secnetops.com under the research section. 


Basic Explanation:
******************************************************************************
High Level Description  : LiveUpdate allows local users to become SYSTEM
What to do              : run LiveUpdate and apply latest patches. 


Proof Of Concept Status:  
******************************************************************************
Functional, Contact SNO for details. 


Short Description:
******************************************************************************
Symantec Automatic LiveUpdate, a functionality included with many Symantec 
retail products as well as on Symantec AntiVirus for Handhelds Corp v3.0, is 
launched by the system scheduler on system startup and then periodically after 
startup.  Symantec  LiveUpdate can automatically check for available updates 
to any supported Symantec products installed on the system using a scheduled 
task call NetDetect.  

Vulnerable versions of the Symantec Automatic LiveUpdate are initially 
launched at startup and were being assigned Local System privileges.  During 
the period when an interactive LiveUpdate session is available, and only during 
this session, a non-privileged user could potentially manipulate portions of 
the LiveUpdate GUI Internet options configuration functionality to gain elevated
privilege on the local host.  For example, the non-privileged user could gain
privileges to search and edit all system files, assume full permission for 
directories 
and files on the host, or create new user accounts on the local system.


Additional Information:
******************************************************************************
If exploited effectively this issue would permit a non-privileged user to gain 
privileged access on the local host. Symantec has produced a list of 
mitigating circumstances that reduce the risk of exploitation in the Automatic
LiveUpdate feature. 

Symantec Automatic LiveUpdate is only implemented in retail versions of 
Symantec products with the exception of Symantec AntiVirus for Handhelds 
Corporate Edition v3.0. This version uses Symantec Automatic LiveUpdate to 
check for essential updates when connected to the network. 

The system is vulnerable only when the interactive LiveUpdate capability is 
activated and configured with the option to notify the user when updates are 
available. Single user systems are not a the same risk factor as multi-user 
systems in shared environments. Shared computers in university or office type
environments with restricted or non-privileged user access are at high risk.


Vendor Status: 
******************************************************************************
Symantec promptly attended to the issue and was very responsive during all 
phases of discovery / research and patching. 
Fixes are now available via LiveUpdate. 


Bugtraq URL:
******************************************************************************
To be assigned. 


CVE candidate : 
******************************************************************************
To be assigned


Disclaimer
******************************************************************************
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories but can be obtained under contract. Contact our sales 
department at sales[at]secnetops[.]com for further information on how to 
obtain proof of concept code.

Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."