SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Security)  >  Symantec Anti Virus Vendors:  Symantec
Symantec Anti Virus Internal LiveUpdate Feature Discloses Passwords to Local Users
SecurityTracker Alert ID:  1014834
SecurityTracker URL:  http://securitytracker.com/id?1014834
CVE Reference:  CAN-2005-2766   (Links to External Site)
Updated:  Sep 3 2005
Original Entry Date:  Sep 1 2005
Impact:  Disclosure of authentication information, User access via network
Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 9.0.1.x and 9.0.4.x; (LiveUpdate 2.7)
Description:  A vulnerability was reported in Symantec Anti Virus Corporate Edition. A local user can obtain usernames and passwords.

When the system is configured to use an internal LiveUpdate server (instead of Symantec's LiveUpdate server), the system will log server information to a local file. This information includes the username and password required to access the LiveUpdate server.

The log file is 'C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.Liveupdate'.

A local user can view the log file to obtain the username and password.

LiveUpdate 2.7 is affected. Versions 2.5 and 2.6 are not affected.

golovast at gmail.com reported this vulnerability.
Impact:  A local user can obtain the username and password to access the LiveUpdate server.
Solution:  The vendor has issued a fix for the affected LiveUpdate 2.7 client, available at:

http://www.symantec.com/techsupp/files/lu/lu.html
Vendor URL:  www.symantec.com/ (Links to External Site)
Cause:  Access control error
Underlying OS:  Windows (Any)
Reported By:  golovast@gmail.com
Message History:   None.

 Source Message Contents
Date:  31 Aug 2005 17:35:45 -0000
From:  golovast@gmail.com
Subject:  Vulnerability in Symantec Anti Virus Corporate Edition v9.x

 
The vulnerability has been identified and confirmed in versions 9.0.1.x and 9.0.4.x. I am fairly cert
ain that it exists in all releases
 of version 9 and possibly other versions as well. 

Essentially, the program can be configured to receive updates via Symantec's or an Internal Live upda
te server. If it is configured
 to receive updates from an internal server, information such as : server name, IP address, subnet, s
ubnet mask, connection protocol,
 username and password has to be entered. 

This information gets stored in  "C:\Documents and Settings\All Users\Application Data\Symantec\
LiveUpdate\Settings.LiveUpdate" file
 and it does store the username and password in an encrypted format. 

The vulnerability shows itself when the server actually gets the updates from the LiveUpdate server. 
The logging information about
 the transaction gets written to "C:\Documents and Settings\All Users\Application Data\Symantec\
LiveUpdate\Log.Liveupdate" file. 
In that file, regardless of whether the update was successful or not, username and password that are 
used to connect to the Internal
 LiveUpdate server are available in clear text. 

Examples:

8/24/2005, 17:28:14 PM GMT -> Progress Update: DOWNLOAD_SEGMENT_BATCH_START: Downloading segmented
 file 1124829658jtun_ennluxdb.x86.full.zip
 (size 12401134) instead of update file http://domain\username:*******@x.x.x.x/1124829658jtun_ennluxd
b.x86 (size 18047217) 

8/31/2005, 0:51:43 AM GMT -> Progress Update: DOWNLOAD_SEGMENT_FILE_START: Downloading segment fil
e http://username:******@x.x.x.x/segments/1125123146jtun_ennluxdb.x86.seg1.zip
 instead of update 1125123146jtun_ennluxdb.x86: file size 3584000

8/31/2005, 0:51:43 AM GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://username:****
**@x.x.x.x/segments/1125123146jtun_ennluxdb.x86.seg1.zip",
 Estimated Size: 3584000, Destination Folder: "C:\Documents and Settings\All Users\Application D
ata\Symantec\LiveUpdate\Downloads"


This can be exploited in a variety of ways. Most obvious is elevation of privileges. Someone can have
 access with limited permission
 to login to a server in a low security zone. They will be able to access the log file, since it is l
ocated in the "C:\Documents and
 Settings\All Users\....\.." directory, which is available to all users. A username and password
 to a service account or a domain
 account on the Internal LiveUpdate server can be obtained and used to gain access to that server or 
other servers in a different
 security zone.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2005, SecurityGlobal.net LLC