[24488] in bugtraq
RE: Symantec LiveUpdate
daemon@ATHENA.MIT.EDU (Steven Vallarian)
Fri Mar 1 05:32:26 2002
Message-ID: <94254A6781D9D511AA4F002035FF31C2375364@inet1.csa1.com>
From: Steven Vallarian <svallarian@csa1.com>
To: bugtraq@securityfocus.com, Javier Sanchez <jsanchez157@hotmail.com>
Date: Wed, 27 Feb 2002 09:52:37 -0600
MIME-Version: 1.0
Content-Type: text/plain
In the same key, there is a REG_DWORD called PasswordIsEncrypted, that is
set to 0.
I figure that this key is used to tell Liveupdate to decrypt the encrypted
password in the password key, but I haven't been able to find out how to get
LiveUpdate to encrypt the password when it sets it.
Steven V>
> ----------
> From: Javier Sanchez[SMTP:jsanchez157@hotmail.com]
> Sent: Monday, February 25, 2002 11:14 AM
> To: bugtraq@securityfocus.com
> Subject: Symantec LiveUpdate
>
> Norton Antivirus Corporate Edition includes LiveUpdate. LiveUpdate stores
>
> Username and Password information in cleartext in the registry. Depending
>
> on your implementation, you may not need LiveUpdate installed at all on
> your
> clients.
>
> I brought this to Symantec's attention months ago. Since then a new
> version
> of LiveUpdate has been released. The information is still not encrypted.
>
> Any user with the client installed can run "regedit" search for "password"
>
> and viola!
>
> Here's a "fix":
> Paste the following into a .reg file (i.e. nav.reg) and push it out to
> your
> clients via login script or whatever:
> REGEDIT4
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Li
> veUpdateSource]
> "Login"=-
> "Password"=-
>
>
>
>
>
> _________________________________________________________________
> Chat with friends online, try MSN Messenger: http://messenger.msn.com
>
>
