Secure Network Operations SNOsoft Research Team [SRT2004-12-14-0322] Symantec LiveUpdate Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Secure Network Operations, Inc.
http://www.secnetops.com/research
Strategic Reconnaissance Team
research[at]secnetops[.]com
Team Lead Contact JxT[at]secnetops[.]com
Spam Contact `rm -rf /`@snosoft.com
Who we are:
**********************************************************************
********
Secure Network Operations provides network security services that
ensure
safe, reliable and available network data, applications and access.
Our team of security professionals has successfully secured networks
and
applications for organizations in both the public and the private
sectors.
Customers benefit from proprietary analysis tools and processes that
identify
vulnerabilities and threats, resulting in secure network
architectures.
Secure Network Operations ensures customers' networks are as secure
as
possible with Vulnerability Audits, Penetration Tests, Strategic
Reconnaissance, Forensic Research and Custom Consulting services.
Customers networks will be secure due to the unique combination of
experience, proprietary tools and constant security research offered
by
Secure Network Operations.
Quick Summary:
**********************************************************************
********
Advisory Number : SRT2004-12-14-0322
Product : Symantec LiveUpdate
Version : Prior to version 2.5
Vendor :
http://symantec.com/techsupp/files/lu/lu.html
Class : Local
Criticality : High (to users of the below listed
products)
Products Affected : Symantec Windows LiveUpdate prior to v2.5
: Symantec Norton SystemWorks 2001-2005
: Symantec Norton AntiVirus 2001-2005
: Symantec Norton AntiVirus Pro 2001-2004
: Symantec Norton Internet Security 2001-2005
: Norton Internet Security Pro 2001-2004
: Symantec Norton AntiSpam 2005
: Symantec AntiVirus for Handhelds Retail and
Corporate Edition v3.0 Not Affected
: Symantec Windows LiveUpdate v2.5 and later
: Symantec Java LiveUpdate (all versions)
: Symantec Enterprise products (Symantec Enterprise
products do not support the Automatic
LiveUpdate
functionality with the exception of
Symantec
AntiVirus for Handhelds Corporate Edition
v3.0)
Operating System(s):
**********************************************************************
********
- Win32
Notice:
**********************************************************************
********
The full technical details of this vulnerability can be found at:
http://www.secnetops.com under the research section.
Basic Explanation:
**********************************************************************
********
High Level Description : LiveUpdate allows local users to become
SYSTEM
What to do : run LiveUpdate and apply latest patches.
Proof Of Concept Status:
**********************************************************************
********
Functional, Contact SNO for details.
Short Description:
**********************************************************************
********
Symantec Automatic LiveUpdate, a functionality included with many
Symantec
retail products as well as on Symantec AntiVirus for Handhelds Corp
v3.0, is
launched by the system scheduler on system startup and then
periodically after
startup. Symantec LiveUpdate can automatically check for available
updates
to any supported Symantec products installed on the system using a
scheduled
task call NetDetect.
Vulnerable versions of the Symantec Automatic LiveUpdate are
initially
launched at startup and were being assigned Local System privileges.
During
the period when an interactive LiveUpdate session is available, and
only during
this session, a non-privileged user could potentially manipulate
portions of
the LiveUpdate GUI Internet options configuration functionality to
gain elevated
privilege on the local host. For example, the non-privileged user
could gain
privileges to search and edit all system files, assume full
permission for directories
and files on the host, or create new user accounts on the local
system.
Additional Information:
**********************************************************************
********
If exploited effectively this issue would permit a non-privileged
user to gain
privileged access on the local host. Symantec has produced a list of
mitigating circumstances that reduce the risk of exploitation in the
Automatic
LiveUpdate feature.
Symantec Automatic LiveUpdate is only implemented in retail versions
of
Symantec products with the exception of Symantec AntiVirus for
Handhelds
Corporate Edition v3.0. This version uses Symantec Automatic
LiveUpdate to
check for essential updates when connected to the network.
The system is vulnerable only when the interactive LiveUpdate
capability is
activated and configured with the option to notify the user when
updates are
available. Single user systems are not a the same risk factor as
multi-user
systems in shared environments. Shared computers in university or
office type
environments with restricted or non-privileged user access are at
high risk.
Vendor Status:
**********************************************************************
********
Symantec was notified of the vulnerability and fixes are available
via
LiveUpdate. Secure Network Operations thanks Symantec for being
friendly
and approachable during this advisory research and release process.
BugTraq URL:
**********************************************************************
********
To be assigned.
CVE candidate :
**********************************************************************
********
To be assigned
Disclaimer
**********************************************************************
********
This advisory was released by Secure Network Operations,Inc. as a
matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer
released
in our advisories but can be obtained under contract. Contact our
sales
department at sales[at]secnetops[.]com for further information on how
to
obtain proof of concept code.
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."
Regards,
Secure Network Operations, Inc.
SNOsoft Research Team
http://www.secnetops.com
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
Comment: http://www.secnetops.com
iQA/AwUBQb4Jgtelv6NS+TQWEQIpugCgvG7dcjbLARzhqUozIHVJN+mJwAIAn2sR
C97CK6HiJSG3p425HIlXw1Mh
=tCLz
-----END PGP SIGNATURE-----
Secure Network Operations, Inc. http://www.secnetops.com/research
Strategic Reconnaissance Team research[at]secnetops[.]com
Team Lead Contact JxT[at]secnetops[.]com
Spam Contact `rm -rf /`@snosoft.com
Who we are:
******************************************************************************
Secure Network Operations provides network security services that ensure
safe, reliable and available network data, applications and access.
Our team of security professionals has successfully secured networks and
applications for organizations in both the public and the private sectors.
Customers benefit from proprietary analysis tools and processes that identify
vulnerabilities and threats, resulting in secure network architectures.
Secure Network Operations ensures customers' networks are as secure as
possible with Vulnerability Audits, Penetration Tests, Strategic
Reconnaissance, Forensic Research and Custom Consulting services.
Customers networks will be secure due to the unique combination of
experience, proprietary tools and constant security research offered by
Secure Network Operations.
Quick Summary:
******************************************************************************
Advisory Number : SRT2004-12-14-0322
Product : Symantec LiveUpdate
Version : Prior to version 2.5
Vendor : http://symantec.com/techsupp/files/lu/lu.html
Class : Local
Criticality : High (to users of the below listed products)
Products Affected : Symantec Windows LiveUpdate prior to v2.5
: Symantec Norton SystemWorks 2001-2005
: Symantec Norton AntiVirus 2001-2005
: Symantec Norton AntiVirus Pro 2001-2004
: Symantec Norton Internet Security 2001-2005
: Norton Internet Security Pro 2001-2004
: Symantec Norton AntiSpam 2005
: Symantec AntiVirus for Handhelds Retail and
Corporate Edition v3.0 Not Affected
: Symantec Windows LiveUpdate v2.5 and later
: Symantec Java LiveUpdate (all versions)
: Symantec Enterprise products (Symantec Enterprise
products do not support the Automatic LiveUpdate
functionality with the exception of Symantec
AntiVirus for Handhelds Corporate Edition v3.0)
Operating System(s):
******************************************************************************
- Win32
Notice:
******************************************************************************
The full technical details of this vulnerability can be found at:
http://www.secnetops.com under the research section.
Basic Explanation:
******************************************************************************
High Level Description : LiveUpdate allows local users to become SYSTEM
What to do : run LiveUpdate and apply latest patches.
Proof Of Concept Status:
******************************************************************************
Functional, Contact SNO for details.
Short Description:
******************************************************************************
Symantec Automatic LiveUpdate, a functionality included with many Symantec
retail products as well as on Symantec AntiVirus for Handhelds Corp v3.0, is
launched by the system scheduler on system startup and then periodically after
startup. Symantec LiveUpdate can automatically check for available updates
to any supported Symantec products installed on the system using a scheduled
task call NetDetect.
Vulnerable versions of the Symantec Automatic LiveUpdate are initially
launched at startup and were being assigned Local System privileges. During
the period when an interactive LiveUpdate session is available, and only during
this session, a non-privileged user could potentially manipulate portions of
the LiveUpdate GUI Internet options configuration functionality to gain elevated
privilege on the local host. For example, the non-privileged user could gain
privileges to search and edit all system files, assume full permission for
directories
and files on the host, or create new user accounts on the local system.
Additional Information:
******************************************************************************
If exploited effectively this issue would permit a non-privileged user to gain
privileged access on the local host. Symantec has produced a list of
mitigating circumstances that reduce the risk of exploitation in the Automatic
LiveUpdate feature.
Symantec Automatic LiveUpdate is only implemented in retail versions of
Symantec products with the exception of Symantec AntiVirus for Handhelds
Corporate Edition v3.0. This version uses Symantec Automatic LiveUpdate to
check for essential updates when connected to the network.
The system is vulnerable only when the interactive LiveUpdate capability is
activated and configured with the option to notify the user when updates are
available. Single user systems are not a the same risk factor as multi-user
systems in shared environments. Shared computers in university or office type
environments with restricted or non-privileged user access are at high risk.
Vendor Status:
******************************************************************************
Symantec promptly attended to the issue and was very responsive during all
phases of discovery / research and patching.
Fixes are now available via LiveUpdate.
Bugtraq URL:
******************************************************************************
To be assigned.
CVE candidate :
******************************************************************************
To be assigned
Disclaimer
******************************************************************************
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories but can be obtained under contract. Contact our sales
department at sales[at]secnetops[.]com for further information on how to
obtain proof of concept code.
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."