lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050831173545.20796.qmail@securityfocus.com>
Date: 31 Aug 2005 17:35:45 -0000
From: golovast@...il.com
To: bugtraq@...urityfocus.com
Subject: Vulnerability in Symantec Anti Virus Corporate Edition v9.x


The vulnerability has been identified and confirmed in versions 9.0.1.x and 9.0.4.x. I am fairly certain that it exists in all releases of version 9 and possibly other versions as well. 

Essentially, the program can be configured to receive updates via Symantec's or an Internal Live update server. If it is configured to receive updates from an internal server, information such as : server name, IP address, subnet, subnet mask, connection protocol, username and password has to be entered. 

This information gets stored in  "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate" file and it does store the username and password in an encrypted format. 

The vulnerability shows itself when the server actually gets the updates from the LiveUpdate server. The logging information about the transaction gets written to "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.Liveupdate" file. 
In that file, regardless of whether the update was successful or not, username and password that are used to connect to the Internal LiveUpdate server are available in clear text. 

Examples:

8/24/2005, 17:28:14 PM GMT -> Progress Update: DOWNLOAD_SEGMENT_BATCH_START: Downloading segmented file 1124829658jtun_ennluxdb.x86.full.zip (size 12401134) instead of update file http://domain\username:*******@....x.x/1124829658jtun_ennluxdb.x86 (size 18047217) 

8/31/2005, 0:51:43 AM GMT -> Progress Update: DOWNLOAD_SEGMENT_FILE_START: Downloading segment file http://username:******@....x.x/segments/1125123146jtun_ennluxdb.x86.seg1.zip instead of update 1125123146jtun_ennluxdb.x86: file size 3584000

8/31/2005, 0:51:43 AM GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://username:******@....x.x/segments/1125123146jtun_ennluxdb.x86.seg1.zip", Estimated Size: 3584000, Destination Folder: "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads"


This can be exploited in a variety of ways. Most obvious is elevation of privileges. Someone can have access with limited permission to login to a server in a low security zone. They will be able to access the log file, since it is located in the "C:\Documents and Settings\All Users\....\.." directory, which is available to all users. A username and password to a service account or a domain account on the Internal LiveUpdate server can be obtained and used to gain access to that server or other servers in a different security zone. 






Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ