Secure Network Operations SNOsoft Research Team [SRT2004-12-14-0322] Symantec LiveUpdate Advisory

From: Secure Network Operations, Inc. (advisory_at_secnetops.com)
Date: 12/13/04

    To: <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>
    Date: Mon, 13 Dec 2004 16:28:34 -0500

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Secure Network Operations, Inc.
    http://www.secnetops.com/research
    Strategic Reconnaissance Team
    research[at]secnetops[.]com
    Team Lead Contact JxT[at]secnetops[.]com
    Spam Contact `rm -rf /`@snosoft.com

    Who we are:
    ******************************************************************************
    Secure Network Operations provides network security services that ensure
    safe, reliable and available network data, applications and access. Our
    team of security professionals has successfully secured networks and
    applications for organizations in both the public and the private sectors.
    Customers benefit from proprietary analysis tools and processes that
    identify vulnerabilities and threats, resulting in secure network
    architectures.

    Secure Network Operations ensures customers' networks are as secure as
    possible with Vulnerability Audits, Penetration Tests, Strategic
    Reconnaissance, Forensic Research and Custom Consulting services.
    Customers' networks will be secure due to the unique combination of
    experience, proprietary tools and constant security research offered by
    Secure Network Operations.

    Quick Summary:
    ******************************************************************************
    Advisory Number   : SRT2004-12-14-0322
    Product           : Symantec LiveUpdate
    Version           : Prior to version 2.5
    Vendor            : http://symantec.com/techsupp/files/lu/lu.html
    Class             : Local
    Criticality       : High (to users of the below listed products)

    Products Affected : Symantec Windows LiveUpdate prior to v2.5
                      : Symantec Norton SystemWorks 2001-2005
                      : Symantec Norton AntiVirus 2001-2005
                      : Symantec Norton AntiVirus Pro 2001-2004
                      : Symantec Norton Internet Security 2001-2005
                      : Norton Internet Security Pro 2001-2004
                      : Symantec Norton AntiSpam 2005
                      : Symantec AntiVirus for Handhelds Retail and
                        Corporate Edition v3.0

    Not Affected      : Symantec Windows LiveUpdate v2.5 and later
                      : Symantec Java LiveUpdate (all versions)
                      : Symantec Enterprise products (Symantec Enterprise
                        products do not support the Automatic LiveUpdate
                        functionality, with the exception of Symantec
                        AntiVirus for Handhelds Corporate Edition v3.0)

    Operating System(s):
    ******************************************************************************
            - Win32

    Notice:
    ******************************************************************************
    The full technical details of this vulnerability can be found at:
    http://www.secnetops.com under the research section.

    Basic Explanation:
    ******************************************************************************
    High Level Description : LiveUpdate allows local users to become SYSTEM
    What to do             : Run LiveUpdate and apply the latest patches.

    Proof Of Concept Status:
    ******************************************************************************
    Functional. Contact SNO for details.

    Short Description:
    ******************************************************************************
    Symantec Automatic LiveUpdate, a functionality included with many Symantec
    retail products as well as with Symantec AntiVirus for Handhelds Corporate
    Edition v3.0, is launched by the system scheduler at system startup and
    then periodically after startup. Symantec LiveUpdate can automatically
    check for available updates to any supported Symantec products installed
    on the system using a scheduled task called NetDetect.

    Vulnerable versions of Symantec Automatic LiveUpdate are launched at
    startup and are assigned Local System privileges. During the period when
    an interactive LiveUpdate session is available, and only during this
    session, a non-privileged user could potentially manipulate portions of
    the LiveUpdate GUI Internet options configuration functionality to gain
    elevated privilege on the local host. For example, the non-privileged user
    could gain privileges to search and edit all system files, assume full
    permission for directories and files on the host, or create new user
    accounts on the local system.

    Additional Information:
    ******************************************************************************
    If exploited effectively, this issue would permit a non-privileged user to
    gain privileged access on the local host. Symantec has produced a list of
    mitigating circumstances that reduce the risk of exploitation in the
    Automatic LiveUpdate feature.

    Symantec Automatic LiveUpdate is only implemented in retail versions of
    Symantec products, with the exception of Symantec AntiVirus for Handhelds
    Corporate Edition v3.0. This version uses Symantec Automatic LiveUpdate to
    check for essential updates when connected to the network.

    The system is vulnerable only when the interactive LiveUpdate capability
    is activated and configured with the option to notify the user when
    updates are available. Single-user systems are not at the same risk as
    multi-user systems in shared environments. Shared computers in university
    or office type environments with restricted or non-privileged user access
    are at high risk.

    Vendor Status:
    ******************************************************************************
    Symantec was notified of the vulnerability and fixes are available via
    LiveUpdate. Secure Network Operations thanks Symantec for being friendly
    and approachable during this advisory research and release process.

    BugTraq URL:
    ******************************************************************************
    To be assigned.

    CVE candidate:
    ******************************************************************************
    To be assigned.

    Disclaimer:
    ******************************************************************************
    This advisory was released by Secure Network Operations, Inc. as a matter
    of notification to help administrators protect their networks against the
    described vulnerability. Exploit source code is no longer released in our
    advisories but can be obtained under contract. Contact our sales
    department at sales[at]secnetops[.]com for further information on how to
    obtain proof of concept code.

    Secure Network Operations, Inc. || http://www.secnetops.com
    "Embracing the future of technology, protecting you."

    Regards,
            Secure Network Operations, Inc.
            SNOsoft Research Team
            http://www.secnetops.com

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1
    Comment: http://www.secnetops.com

    iQA/AwUBQb4Jgtelv6NS+TQWEQIpugCgvG7dcjbLARzhqUozIHVJN+mJwAIAn2sR
    C97CK6HiJSG3p425HIlXw1Mh
    =tCLz
    -----END PGP SIGNATURE-----
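The Short Description and Additional Information sections above describe a general exposure pattern rather than a single bug: a scheduled task that starts as Local System and then hands an interactive GUI (here, the LiveUpdate Internet options dialog) to whichever user happens to be logged on. The script below is an added audit example written for this page; it is not code from the advisory, from SNO, or from Symantec. It parses the verbose CSV output of `schtasks /query /v /fo CSV` and flags tasks that run as SYSTEM with an interactive logon mode, and it compares a LiveUpdate version string against the 2.5 fix level the advisory names. The column names, the sample task names and the `NDETECT.EXE` path in the embedded sample are assumptions and constructed data, not captured output from a real host.

```python
"""Audit a Windows host for the exposure pattern in the advisory: a scheduled
task that starts as SYSTEM and puts an interactive GUI in front of the
logged-on user, plus a LiveUpdate version check against the fixed release.
Added example; not code from the advisory or the vendor."""
import csv
import io
import platform
import re
import subprocess

# Column names as printed by `schtasks /query /v /fo CSV` (assumption: these
# four are present on both XP-era and later builds; adjust if yours differ).
TASK_NAME, RUN_AS, LOGON_MODE, COMMAND = (
    "TaskName", "Run As User", "Logon Mode", "Task To Run")
SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM"}
FIXED_VERSION = (2, 5)  # advisory: Windows LiveUpdate prior to 2.5 is affected

# Constructed, trimmed sample of schtasks output. Task names, schedule text
# and paths are illustrative assumptions, not captured from a real machine.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Logon Mode","Creator","Schedule","Task To Run","Scheduled Task State","Run As User"
"LAB-PC","Symantec NetDetect.job","","Interactive only","Administrator","At system startup","C:\PROGRA~1\Symantec\LIVEUP~1\NDETECT.EXE","Enabled","NT AUTHORITY\SYSTEM"
"LAB-PC","Nightly Backup.job","","Background only","Administrator","At 02:00 every day","C:\WINDOWS\system32\ntbackup.exe backup","Enabled","NT AUTHORITY\SYSTEM"
"LAB-PC","Disk Cleanup.job","","Interactive only","alice","At 18:00 every Fri","C:\WINDOWS\system32\cleanmgr.exe","Enabled","LAB-PC\alice"
'''


def parse_schtasks_csv(text):
    """Parse verbose schtasks CSV into a list of row dicts.

    Newer Windows builds repeat the header line once per task folder, so a
    row whose TaskName cell is literally "TaskName" is a header and is dropped.
    """
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r.get(TASK_NAME) and r[TASK_NAME] != TASK_NAME]


def is_system_interactive(row):
    """True when the task runs as Local System and has an interactive logon
    mode, i.e. any window it opens lands on the logged-on user's desktop."""
    user = row.get(RUN_AS, "").strip().upper()
    mode = row.get(LOGON_MODE, "").lower()
    return user in SYSTEM_ACCOUNTS and "interactive" in mode


def find_risky_tasks(rows):
    """Return (task name, command line) for every SYSTEM + interactive task."""
    return [(r[TASK_NAME], r.get(COMMAND, "")) for r in rows
            if is_system_interactive(r)]


def parse_version(text):
    """'2.0.0.0' -> (2, 0, 0, 0); raises on strings with no digits."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError("no version number in %r" % text)
    return parts


def liveupdate_vulnerable(version):
    """True for any Windows LiveUpdate version below 2.5 (tuple comparison,
    so 2.4.9 is vulnerable, 2.5 and 2.5.33 are not)."""
    return parse_version(version) < FIXED_VERSION


def collect_tasks():
    """Query the live scheduler on Windows; elsewhere return the sample."""
    if platform.system() != "Windows":
        return parse_schtasks_csv(SAMPLE_SCHTASKS_CSV)
    out = subprocess.run(["schtasks", "/query", "/v", "/fo", "CSV"],
                         capture_output=True, text=True, check=True).stdout
    return parse_schtasks_csv(out)


if __name__ == "__main__":
    for name, cmd in find_risky_tasks(collect_tasks()):
        print("SYSTEM task with interactive session: %s -> %s" % (name, cmd))
    for v in ("2.0.0.0", "2.5.33"):
        print(v, "vulnerable" if liveupdate_vulnerable(v) else "fixed")
```

Run on a Windows host, the script reads the real scheduler; anywhere else it runs against the constructed sample, where only the NetDetect-style entry is reported: the backup task also runs as SYSTEM but has no interactive session, and the cleanup task is interactive but runs as an ordinary user. Note that the advisory says the host is exposed only while the interactive LiveUpdate session is actually on screen, so a task flagged here is a candidate to investigate, not proof of exploitability.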