[37690] in bugtraq
Subject: Secure Network Operations SNOsoft Research Team [SRT2004-12-14-0322] Symantec LiveUpdate Advisory
daemon@ATHENA.MIT.EDU (Secure Network Operations, Inc.)
Mon Dec 13 18:39:36 2004
Reply-To: <advisory@secnetops.com>
From: "Secure Network Operations, Inc." <advisory@secnetops.com>
To: <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>
Date: Mon, 13 Dec 2004 16:28:34 -0500
Secure Network Operations, Inc.             http://www.secnetops.com/research
Strategic Reconnaissance Team               research[at]secnetops[.]com
Team Lead Contact                           JxT[at]secnetops[.]com
Spam Contact                                `rm -rf /`@snosoft.com
Who we are:
******************************************************************************
Secure Network Operations provides network security services that ensure
safe, reliable and available network data, applications and access.  Our
team of security professionals has successfully secured networks and
applications for organizations in both the public and the private sectors.
Customers benefit from proprietary analysis tools and processes that
identify vulnerabilities and threats, resulting in secure network
architectures.  Secure Network Operations ensures customers' networks are as
secure as possible with Vulnerability Audits, Penetration Tests, Strategic
Reconnaissance, Forensic Research and Custom Consulting services.
Customers' networks will be secure due to the unique combination of
experience, proprietary tools and constant security research offered by
Secure Network Operations.
Quick Summary:
******************************************************************************
Advisory Number         : SRT2004-12-14-0322
Product                 : Symantec LiveUpdate
Version                 : Prior to version 2.5
Vendor                  : http://symantec.com/techsupp/files/lu/lu.html
Class                   : Local
Criticality             : High (to users of the below listed products)
Products Affected       : Symantec Windows LiveUpdate prior to v2.5
                        : Symantec Norton SystemWorks 2001-2005
                        : Symantec Norton AntiVirus 2001-2005
                        : Symantec Norton AntiVirus Pro 2001-2004
                        : Symantec Norton Internet Security 2001-2005
                        : Norton Internet Security Pro 2001-2004
                        : Symantec Norton AntiSpam 2005
                        : Symantec AntiVirus for Handhelds Retail and
                          Corporate Edition v3.0
Not Affected            : Symantec Windows LiveUpdate v2.5 and later
                        : Symantec Java LiveUpdate (all versions)
                        : Symantec Enterprise products (Symantec Enterprise
                          products do not support the Automatic LiveUpdate
                          functionality with the exception of Symantec
                          AntiVirus for Handhelds Corporate Edition v3.0)
Operating System(s):
******************************************************************************
        - Win32
Notice:
******************************************************************************
The full technical details of this vulnerability can be found at:
http://www.secnetops.com under the research section.
Basic Explanation:
******************************************************************************
High Level Description  : LiveUpdate allows local users to become SYSTEM
What to do              : run LiveUpdate and apply latest patches.
Proof Of Concept Status:
******************************************************************************
Functional, Contact SNO for details.
Short Description:
******************************************************************************
Symantec Automatic LiveUpdate, a functionality included with many Symantec
retail products as well as on Symantec AntiVirus for Handhelds Corp v3.0, is
launched by the system scheduler on system startup and then periodically
after startup.  Symantec LiveUpdate can automatically check for available
updates to any supported Symantec products installed on the system using a
scheduled task called NetDetect.

Vulnerable versions of the Symantec Automatic LiveUpdate are initially
launched at startup and were being assigned Local System privileges.  During
the period when an interactive LiveUpdate session is available, and only
during this session, a non-privileged user could potentially manipulate
portions of the LiveUpdate GUI Internet options configuration functionality
to gain elevated privilege on the local host.  For example, the
non-privileged user could gain privileges to search and edit all system
files, assume full permission for directories and files on the host, or
create new user accounts on the local system.
Additional Information:
******************************************************************************
If exploited effectively this issue would permit a non-privileged user to
gain privileged access on the local host.  Symantec has produced a list of
mitigating circumstances that reduce the risk of exploitation in the
Automatic LiveUpdate feature.

Symantec Automatic LiveUpdate is only implemented in retail versions of
Symantec products with the exception of Symantec AntiVirus for Handhelds
Corporate Edition v3.0.  This version uses Symantec Automatic LiveUpdate to
check for essential updates when connected to the network.

The system is vulnerable only when the interactive LiveUpdate capability is
activated and configured with the option to notify the user when updates are
available.  Single user systems are not at the same risk factor as
multi-user systems in shared environments.  Shared computers in university
or office type environments with restricted or non-privileged user access
are at high risk.
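The Short Description and Additional Information sections together give the conditions under which this issue matters: a scheduled task (NetDetect) that launches LiveUpdate as Local System with an interactive session, a Windows LiveUpdate build older than 2.5, and a shared multi-user host. The Python script below is an added example for administrators and is not part of this advisory, nor Symantec's or SNO's code. It audits a `schtasks /query /v /fo CSV` export for tasks that run as SYSTEM in an interactive logon mode, and checks a LiveUpdate version string against the 2.5 threshold the advisory gives. The CSV sample, host name, task names and file paths are constructed for illustration, and the column names ("TaskName", "Logon Mode", "Task To Run", "Run As User") are assumed to match the verbose CSV layout of schtasks; adjust them if your export differs.

```python
import csv
import io
import re

# Constructed sample of a `schtasks /query /v /fo CSV` export. Assumption: the
# column names follow the verbose CSV layout of schtasks. The host name, task
# names and file paths are made up for this example and are not from the advisory.
SAMPLE_SCHTASKS_CSV = """\
"HostName","TaskName","Status","Logon Mode","Task To Run","Run As User"
"LAB-PC","NetDetect","Ready","Interactive only","C:\\EXAMPLE-PATH\\NetDetect.exe","NT AUTHORITY\\SYSTEM"
"LAB-PC","Nightly Backup","Ready","Background only","C:\\EXAMPLE-PATH\\backup.cmd","NT AUTHORITY\\SYSTEM"
"LAB-PC","Disk Cleanup","Ready","Interactive only","C:\\EXAMPLE-PATH\\cleanup.exe","LAB-PC\\alice"
"""

# Account names that give a task Local System rights; matched case-insensitively.
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM", "LOCALSYSTEM"}

# First Windows LiveUpdate release the advisory lists as not affected.
FIXED_LIVEUPDATE_VERSION = (2, 5)


def parse_schtasks_csv(text):
    """Parse a schtasks CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_interactive_system_tasks(rows):
    """Return the names of tasks that run as Local System with an interactive
    logon mode: the combination the advisory describes, where a GUI shown by a
    SYSTEM process is reachable from a non-privileged desktop session."""
    flagged = []
    for row in rows:
        run_as = (row.get("Run As User") or "").strip().upper()
        logon_mode = (row.get("Logon Mode") or "").strip().lower()
        if run_as in SYSTEM_ACCOUNTS and "interactive" in logon_mode:
            flagged.append(row["TaskName"])
    return flagged


def parse_version(text):
    """Turn a version string such as '2.1.0.1' or 'v2.5' into a tuple of ints,
    so that versions compare numerically rather than as strings."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return parts


def liveupdate_is_vulnerable(version):
    """True when the Windows LiveUpdate version is older than 2.5."""
    return parse_version(version) < FIXED_LIVEUPDATE_VERSION


def assess_host(schtasks_csv, liveupdate_version):
    """Combine both checks into a short findings dictionary for one host."""
    rows = parse_schtasks_csv(schtasks_csv)
    return {
        "interactive_system_tasks": flag_interactive_system_tasks(rows),
        "liveupdate_version": liveupdate_version,
        "liveupdate_vulnerable": liveupdate_is_vulnerable(liveupdate_version),
    }


if __name__ == "__main__":
    # Constructed version string; on a real host read it from the installed product.
    findings = assess_host(SAMPLE_SCHTASKS_CSV, "2.1.0.1")
    for key, value in findings.items():
        print(f"{key}: {value}")
```

A host where `interactive_system_tasks` is non-empty and `liveupdate_vulnerable` is true, and which is shared by non-privileged users, is the case the advisory rates as high risk; the fix is the one the advisory gives, running LiveUpdate to reach version 2.5 or later.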
Vendor Status:
******************************************************************************
Symantec was notified of the vulnerability and fixes are available via
LiveUpdate.  Secure Network Operations thanks Symantec for being friendly
and approachable during this advisory research and release process.
BugTraq URL:
******************************************************************************
To be assigned.

CVE candidate :
******************************************************************************
To be assigned
Disclaimer
******************************************************************************
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability.  Exploit source code is no longer released
in our advisories but can be obtained under contract.  Contact our sales
department at sales[at]secnetops[.]com for further information on how to
obtain proof of concept code.

Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."
Regards,  
	Secure Network Operations, Inc.
	SNOsoft Research Team
	http://www.secnetops.com