Secure Network Operations, Inc.
http://www.secnetops.com/research
Strategic Reconnaissance Team
research[at]secnetops[.]com
Team Lead Contact : JxT[at]secnetops[.]com
Spam Contact      : `rm -rf /`@snosoft.com

Who we are:
******************************************************************************
Secure Network Operations provides network security services that ensure safe, reliable and available network data, applications and access. Our team of security professionals has successfully secured networks and applications for organizations in both the public and the private sectors. Customers benefit from proprietary analysis tools and processes that identify vulnerabilities and threats, resulting in secure network architectures. Secure Network Operations ensures customers' networks are as secure as possible with Vulnerability Audits, Penetration Tests, Strategic Reconnaissance, Forensic Research and Custom Consulting services. Customers' networks will be secure due to the unique combination of experience, proprietary tools and constant security research offered by Secure Network Operations.
Quick Summary:
******************************************************************************
Advisory Number     : SRT2004-12-14-0322
Product             : Symantec LiveUpdate
Version             : Prior to version 2.5
Vendor              : http://symantec.com/techsupp/files/lu/lu.html
Class               : Local
Criticality         : High (for users of the products listed below)
Products Affected   : Symantec Windows LiveUpdate prior to v2.5
                    : Symantec Norton SystemWorks 2001-2005
                    : Symantec Norton AntiVirus 2001-2005
                    : Symantec Norton AntiVirus Pro 2001-2004
                    : Symantec Norton Internet Security 2001-2005
                    : Norton Internet Security Pro 2001-2004
                    : Symantec Norton AntiSpam 2005
                    : Symantec AntiVirus for Handhelds Retail and Corporate Edition v3.0
Not Affected        : Symantec Windows LiveUpdate v2.5 and later
                    : Symantec Java LiveUpdate (all versions)
                    : Symantec Enterprise products (Symantec Enterprise products do not support the Automatic LiveUpdate functionality, with the exception of Symantec AntiVirus for Handhelds Corporate Edition v3.0)

Operating System(s):
******************************************************************************
- Win32

Notice:
******************************************************************************
The full technical details of this vulnerability can be found at http://www.secnetops.com under the research section.

Basic Explanation:
******************************************************************************
High Level Description : LiveUpdate allows local users to become SYSTEM.
What to do             : Run LiveUpdate and apply the latest patches.

Proof Of Concept Status:
******************************************************************************
Functional. Contact SNO for details.
Short Description:
******************************************************************************
Symantec Automatic LiveUpdate, a feature included with many Symantec retail products as well as with Symantec AntiVirus for Handhelds Corp v3.0, is launched by the system scheduler at system startup and then periodically thereafter. Through a scheduled task called NetDetect, LiveUpdate automatically checks for available updates to any supported Symantec products installed on the system.

Vulnerable versions of Symantec Automatic LiveUpdate are launched at startup with Local System privileges. While an interactive LiveUpdate session is available, and only during that session, a non-privileged user can manipulate portions of the LiveUpdate GUI's Internet options configuration to gain elevated privilege on the local host. Because the GUI runs as Local System, anything the user can launch from it inherits that account. For example, the non-privileged user could gain the ability to search and edit all system files, take full permission over directories and files on the host, or create new user accounts on the local system.

Additional Information:
******************************************************************************
If exploited effectively, this issue permits a non-privileged user to gain privileged access on the local host. Symantec has produced a list of mitigating circumstances that reduce the risk of exploitation of the Automatic LiveUpdate feature:

Symantec Automatic LiveUpdate is only implemented in retail versions of Symantec products, with the exception of Symantec AntiVirus for Handhelds Corporate Edition v3.0, which uses Automatic LiveUpdate to check for essential updates when connected to the network.

The system is vulnerable only when the interactive LiveUpdate capability is activated and configured with the option to notify the user when updates are available. With notification disabled there is no interactive session to manipulate.
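The exposure described above has three observable conditions: a LiveUpdate build older than 2.5, the NetDetect task scheduled to run as Local System, and the interactive "notify when updates are available" option enabled. The following audit helper combines them. It is an added example for this advisory, not SNO or Symantec code, and it does not reproduce the proof of concept. The CSV task listing embedded in it is constructed to resemble the output of "schtasks /query /v /fo CSV"; the column names ("TaskName", "Task To Run", "Run As User"), the task name and the executable path are assumptions, and whether the notify option is enabled is passed in by the caller rather than read from the product's configuration.

```python
"""Audit helper for the Symantec Automatic LiveUpdate exposure (SRT2004-12-14-0322).

Constructed example, not vendor or SNO code. The schtasks CSV sample, its column
names and the NetDetect task/path are assumptions made for the demonstration.
"""
import csv
import io
import re

# Version in which Symantec shipped the fix (from the advisory).
FIXED_VERSION = (2, 5)

# Spellings of the Local System account seen in task listings.
SYSTEM_PRINCIPALS = {"nt authority\\system", "system", "localsystem"}

# Constructed sample of a verbose CSV task listing. Task name and executable
# path are hypothetical; only the columns this script reads are meaningful.
SAMPLE_SCHTASKS_CSV = "\n".join([
    r'"HostName","TaskName","Status","Task To Run","Run As User"',
    r'"LAB-PC","\Symantec NetDetect","Ready","C:\Program Files\Symantec\LiveUpdate\NetDetect.exe","NT AUTHORITY\SYSTEM"',
    r'"LAB-PC","\Disk Cleanup","Ready","cleanmgr.exe","LAB-PC\alice"',
])


def parse_version(text):
    """Turn a dotted version such as '2.0.12.7' into a tuple of ints so the
    comparison is numeric ('2.10' must not sort below '2.5' as strings do)."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def liveupdate_is_vulnerable(version_text):
    """True when the installed Windows LiveUpdate is older than 2.5.
    Only major.minor matter; 2.5.x.y and later are fixed."""
    return parse_version(version_text)[:2] < FIXED_VERSION


def system_netdetect_tasks(schtasks_csv):
    """Return scheduled tasks that look like Automatic LiveUpdate (NetDetect)
    and run under the Local System account, parsed from verbose schtasks CSV."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row.get("TaskName", "")
        command = row.get("Task To Run", "")
        run_as = row.get("Run As User", "").strip().lower()
        looks_like_lu = re.search(r"netdetect|liveupdate", name + " " + command, re.I)
        if looks_like_lu and run_as in SYSTEM_PRINCIPALS:
            hits.append({"task": name, "command": command, "run_as": row["Run As User"]})
    return hits


def assess_host(version_text, schtasks_csv, notify_when_updates_available):
    """Combine the advisory's conditions. 'exposed' is only true when all three
    hold; the other flags tell the operator which condition to fix first."""
    tasks = system_netdetect_tasks(schtasks_csv)
    result = {
        "vulnerable_version": liveupdate_is_vulnerable(version_text),
        "system_task": bool(tasks),
        "interactive_notify": bool(notify_when_updates_available),
        "tasks": tasks,
    }
    result["exposed"] = (result["vulnerable_version"]
                         and result["system_task"]
                         and result["interactive_notify"])
    return result


if __name__ == "__main__":
    # Hypothetical pre-2.5 version string on the constructed host.
    report = assess_host("2.0.12.7", SAMPLE_SCHTASKS_CSV, notify_when_updates_available=True)
    for key, value in report.items():
        print(f"{key:20}: {value}")
```

On a real host, feed assess_host() the version shown by the installed LiveUpdate and the actual output of "schtasks /query /v /fo CSV" (the Windows XP and Vista column layouts differ slightly, so check the header row before trusting the column names). The remediation is the same regardless of which condition fires: run LiveUpdate and take the 2.5 update.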
Single-user systems are not at the same level of risk as multi-user systems in shared environments. Shared computers in university or office environments with restricted or non-privileged user access are at high risk.

Vendor Status:
******************************************************************************
Symantec promptly attended to the issue and was very responsive during all phases of discovery, research and patching. Fixes are now available via LiveUpdate.

Bugtraq URL:
******************************************************************************
To be assigned.

CVE candidate:
******************************************************************************
To be assigned.

Disclaimer
******************************************************************************
This advisory was released by Secure Network Operations, Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories but can be obtained under contract. Contact our sales department at sales[at]secnetops[.]com for further information on how to obtain proof of concept code.

Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."