Re: [Full-Disclosure] Trivial Bug in Symantec Security Products

From: Barrie Dempster (barrie_at_reboot-robot.net)
Date: 12/30/04

    To: full-disclosure@lists.netsys.com
    Date: Thu, 30 Dec 2004 09:48:46 +0000

    On Wed, 2004-12-29 at 17:56 -0500, J. Oquendo wrote:
    <snip>
    > III SOLUTION
    > Symantec could rewrite their updates to include a timer, or check via
    > atomic clock. Other options include informing their customers not to
    > commit the evil act of modifying the dates on their computers.
    <snip>

    Inadequate solutions:
    1. Rewrite the updates to include a timer - the downloaded update could
    be modified and the timer changed. Even if the update is encrypted or
    checksummed, the decryption algorithm/key would have to be in the user's
    product, so it could easily be reverse engineered.

    2. Check date via an atomic clock - sticking a fake IP for the clock
    domain name into the hosts file or creating a fake local response to the
    time request would overcome this.

    The true solution would be a completely server-side check, such as a
    user/pass combination with the details stored on Symantec's servers and
    the downloads blocked by HTTP authentication using these credentials
    (which expire at subscription end). The only real workarounds for this
    are to compromise the account of another user or the servers themselves.

    When auditing and disclosing a bad solution in a product it's a good
    idea to research your solution to ensure it doesn't contain easily
    exploitable vulnerabilities. Nonetheless Symantec might want to address
    this in order to keep that stock price up. :-)
     
    With Regards..
    Barrie Dempster (zeedo) - Fortiter et Strenue

      http://www.bsrf.org.uk

    [ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
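To make the contrast in the post concrete, the following is an added example (it is not from the post, the thread, or any Symantec product) that models the two designs side by side: the client-side expiry check that trusts the local clock, and the server-side check the reply proposes, where the update server authenticates the customer with HTTP Basic credentials and decides from its own subscription table and its own clock. The subscription records, customer IDs, passwords and dates are constructed for the example.

```python
"""
Added example: client-side date check vs. server-side subscription check.
Not code from the original post or from any vendor product.
"""
import base64
import hmac
from datetime import date

# Constructed subscription table, as the vendor's server (not the client)
# would hold it. Customer IDs, passwords and expiry dates are hypothetical.
SUBSCRIPTIONS = {
    "cust-1001": {"password": "s3cret", "expires": date(2005, 3, 1)},
    "cust-2002": {"password": "hunter2", "expires": date(2004, 11, 15)},
}


def client_side_allowed(license_expiry: date, local_clock: date) -> bool:
    """The weak check: the product compares the licence expiry against the
    clock of the machine it runs on, so rolling that clock back re-enables
    updates."""
    return local_clock <= license_expiry


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header a client sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic_auth(header: str):
    """Return (user, password) from an Authorization header, or None if the
    header is not well-formed Basic auth."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def server_side_check(authorization: str, server_clock: date) -> int:
    """Decision the update server makes for a download request.

    Returns the HTTP status it would send: 401 for missing/bad credentials,
    403 for a valid account whose subscription has lapsed, 200 otherwise.
    Only the server's clock and the server's records are consulted, so the
    client's clock, hosts file and local update files play no part.
    """
    creds = parse_basic_auth(authorization)
    if creds is None:
        return 401
    user, password = creds
    record = SUBSCRIPTIONS.get(user)
    # Constant-time comparison avoids a timing side channel on the password.
    if record is None or not hmac.compare_digest(record["password"], password):
        return 401
    if server_clock > record["expires"]:
        return 403
    return 200


if __name__ == "__main__":
    today = date(2004, 12, 29)
    expired = SUBSCRIPTIONS["cust-2002"]["expires"]
    # Client-side check: rolling the clock back to before expiry "fixes" it.
    print("client, real clock :", client_side_allowed(expired, today))
    print("client, clock back :", client_side_allowed(expired, date(2004, 10, 1)))
    # Server-side check: the lapsed account is refused whatever the client does.
    hdr = basic_auth_header("cust-2002", "hunter2")
    print("server, lapsed acct:", server_side_check(hdr, today))
    hdr = basic_auth_header("cust-1001", "s3cret")
    print("server, active acct:", server_side_check(hdr, today))
```

Note that this only closes the clock-tampering route the post describes; as the reply itself points out, the remaining attacks are stealing another customer's credentials or compromising the server, which is why the credentials would also need to travel over TLS rather than plain HTTP Basic.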