[HV-LOW] Symantec LiveUpdate issues may cause DoS

Date: 11/05/04

  • Next message: Jake Appelbaum: "[Full-Disclosure] Security Contact for T-Mobile?"
    Date: Thu, 4 Nov 2004 15:56:02 -0800
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com

    Hash: SHA1

    Symantec LiveUpdate issues may cause DoS

    Level: [LOW]-med-high-crit
    ID: HEXVIEW*2004*11*04*1
    URL: http://www.hexview.com/docs/20041104-1.txt

    Symantec LiveUpdate is an application designed to provide
    timely updates for Symantec products. LiveUpdate downloads
    zip-archived packages, decompresses them, verifies signatures,
    and finally installs the updates. HexView discovered two problems
    with LiveUpdate: decompression routine does not check for
    uncompressed file sizes and no validation is performed on
    directory names.

    Affected products:
    HexView tested the issue using LiveUpdate versions and running on Windows XP SP1. Probably all other LiveUpdate
    versions are vulnerable.

    Cause and Effect:
    After downloading ZIP archive off the website (either legitimate
    Symantec website or a spoofed one controlled by attacker)
    LiveUpdate starts decompressing a set of files it expects to
    find in an archive. LiveUpdate does not perform uncompressed file
    size validation, so it is possible to cause an effective DoS by
    forcing LiveUpdate to decompress an extremely large file that will
    consume all available hard drive space. This issue is known as
    "ZIP bombing".

    LiveUpdate also decompresses a directory tree without validation
    of directory names. Directory traversal is possible through ".."
    meaning that LiveUpdate can be forced to create a directory anywhere
    on the current disk. While LiveUpdate will not overwrite existing
    files, this issue can be exploited to mount a DoS attack against
    applications by creating a directory using the name of the file that
    victim application is expected to create. Once such directory is
    created, the application will fail to create the file which will
    cause unpredictable results.

    LiveUpdate 1.80.19 cleans up after itself, but it only deletes
    files, not directories. LiveUpdate 2.5.56 does not delete files
    when failure occurs.

    It is possible to repackage Symantec's legitimate archives so they
    will be cleanly processed by LiveUpdate and the fact of attack will
    not be noticed.

    Vendor Status:
    Symantec was notified on 2004-11-03. No response received.

    About HexView:
    HexView contributes to online security-related lists for almost a
    decade. The scope of our expertize spreads over Windows, Linux, Sun,
    MacOS platforms, network applications, and embedded devices. The chances
    are you read our advisories or disclosures. For more information visit

    This document may be freely distributed through any channels as long as
    the contents are kept unmodified. Commercial use of the information in
    the document is not allowed without written permission from HexView
    signed by our pgp key.

    HexView Disclosure Policy:
    HexView notifies vendors that have publicly available contact e-mail 24
    hours before disclosing any information to the public. If we are unable
    to find vendor's e-mail address or if no reply is received within 24
    hours, HexView will publish vulnerability notification including all
    technical details unless the issue is rated as "critical". If vendor
    does not reply within 72 hours, HexView may disclose all details for
    critical vulnerabilities as well.

    If vendor replies within the above mentioned time period, HexView will
    announce the vulnerability, but will not disclose the details required
    to reproduce it. HexView will also specify the date when full disclosure
    containing all the details will be published. The time period between
    announcement and full disclosure is 30 days unless there is an agreement
    with vendor and appropriate justification for extension. If vendor
    resolves the issue earlier than 30 days after announcement, HexView will
    publish full disclosure as soon as the fix is available to the public.

    HexView also reserves the right to publish any detail of any
    vulnerability at any time.

    Feedback and comments:
    Feedback and questions about this disclosure are welcome at

    Version: GnuPG v1.2.5 (GNU/Linux)

    -----END PGP SIGNATURE-----

  • Next message: Jake Appelbaum: "[Full-Disclosure] Security Contact for T-Mobile?"