[NT] Symantec LiveUpdate Decompression and Directory Names Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 11/17/04

    To: list@securiteam.com
    Date: 17 Nov 2004 17:06:42 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Symantec LiveUpdate Decompression and Directory Names Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    Symantec LiveUpdate is an application designed to provide timely updates
    for Symantec products. LiveUpdate downloads zip-archived packages,
    decompresses them, verifies signatures, and finally installs the updates.
    HexView discovered two problems with LiveUpdate: the decompression routine
    does not check uncompressed file sizes, and no validation is performed
    on directory names.

    DETAILS

    Affected products:
     * LiveUpdate versions 1.80.19.0 and 2.5.56.0

    After downloading a ZIP archive from the website (either the legitimate
    Symantec website or a spoofed one controlled by an attacker), LiveUpdate
    starts decompressing a set of files it expects to find in the archive.
    LiveUpdate does not validate uncompressed file sizes, so it is possible to
    cause an effective DoS by forcing LiveUpdate to decompress an extremely
    large file that will consume all available hard drive space. This issue is
    known as "ZIP bombing".

    LiveUpdate also decompresses a directory tree without validating
    directory names. Directory traversal is possible through "..", meaning that
    LiveUpdate can be forced to create a directory anywhere on the current
    disk. While LiveUpdate will not overwrite existing files, this issue can
    be exploited to mount a DoS attack against applications by creating a
    directory with the name of a file that the victim application is expected
    to create. Once such a directory is created, the application will fail to
    create the file, which will cause unpredictable results.

    LiveUpdate 1.80.19 cleans up after itself, but it only deletes files, not
    directories. LiveUpdate 2.5.56 does not delete files when failure occurs.

    It is possible to repackage Symantec's legitimate archives so that
    LiveUpdate processes them cleanly and the attack goes unnoticed.
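
The two checks the advisory reports as missing (a limit on uncompressed size and validation of directory names), shown as an added Python example that is not HexView's or Symantec's code. The size limits and the names check_name, safe_read and build_zip are assumptions made for illustration, and the sample archive is constructed.

```python
import io
import posixpath
import zipfile

MAX_ENTRY = 10 * 1024 * 1024   # assumed per-file limit, not a LiveUpdate value
MAX_TOTAL = 50 * 1024 * 1024   # assumed per-archive limit


def check_name(name):
    """Return a normalised relative path, or raise if it could escape the target."""
    norm = name.replace("\\", "/")            # Windows accepts both separators
    if norm.startswith("/") or ":" in norm:   # absolute path, drive letter, stream
        raise ValueError("absolute path in archive: %r" % name)
    if ".." in norm.split("/"):
        raise ValueError("directory traversal in archive: %r" % name)
    return posixpath.normpath(norm)


def safe_read(data, max_entry=MAX_ENTRY, max_total=MAX_TOTAL):
    """Validate a ZIP held in memory, then decompress it to {name: bytes}."""
    out, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        for info in infos:                    # pass 1: nothing is decompressed yet
            check_name(info.filename)
            total += info.file_size
            if info.file_size > max_entry or total > max_total:
                raise ValueError("declared size over limit: %r" % info.filename)
        for info in infos:                    # pass 2: bounded decompression
            if info.is_dir():
                continue
            with zf.open(info) as src:
                body = src.read(max_entry + 1)   # cap the bytes actually produced
            if len(body) > max_entry:
                raise ValueError("entry expands past limit: %r" % info.filename)
            out[check_name(info.filename)] = body
    return out


def build_zip(entries):
    """Build a constructed sample archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    print(sorted(safe_read(build_zip({"defs/update.dat": b"constructed"}))))
```

Running both checks over the whole archive before any entry is written means a rejected package leaves no partial files or directories behind to clean up.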

    ADDITIONAL INFORMATION

    The information has been provided by HexView <vuln@hexview.com>.
    The original article can be found at:
    http://www.hexview.com/docs/20041104-1.txt
