
| Subject: | [NT] Symantec LiveUpdate Decompression and Directory Names Vulnerabilities |
|---|---|
| Date: | 17 Nov 2004 17:06:42 +0200 |

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Symantec LiveUpdate Decompression and Directory Names Vulnerabilities
------------------------------------------------------------------------

SUMMARY

Symantec LiveUpdate is an application designed to provide timely updates for Symantec products. LiveUpdate downloads zip-archived packages, decompresses them, verifies signatures, and finally installs the updates. HexView discovered two problems with LiveUpdate: the decompression routine does not check uncompressed file sizes, and no validation is performed on directory names.

DETAILS

Affected products:

* LiveUpdate versions 1.80.19.0 and 2.5.56.0

After downloading a ZIP archive from the website (either the legitimate Symantec website or a spoofed one controlled by an attacker), LiveUpdate starts decompressing the set of files it expects to find in the archive. LiveUpdate does not validate the uncompressed file size, so it is possible to cause an effective DoS by forcing LiveUpdate to decompress an extremely large file that consumes all available hard drive space. This issue is known as "ZIP bombing".

LiveUpdate also decompresses a directory tree without validating directory names. Directory traversal is possible through "..", meaning that LiveUpdate can be forced to create a directory anywhere on the current disk. While LiveUpdate will not overwrite existing files, this issue can be exploited to mount a DoS attack against applications by creating a directory with the name of a file that the victim application is expected to create. Once such a directory exists, the application will fail to create the file, with unpredictable results.

LiveUpdate 1.80.19 cleans up after itself, but it only deletes files, not directories. LiveUpdate 2.5.56 does not delete files when a failure occurs. It is possible to repackage Symantec's legitimate archives so that they are processed cleanly by LiveUpdate and the attack goes unnoticed.

ADDITIONAL INFORMATION

The information has been provided by HexView (vuln@hexview.com).
The original article can be found at: http://www.hexview.com/docs/20041104-1.txt

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
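
The two missing checks the advisory describes, shown as an added defensive example in Python; it is not part of the HexView advisory and is not Symantec's code. The names `safe_extract` and `UnsafeArchive` and the 50 MB budget are assumptions chosen for illustration. Every member name and the declared total size are validated before anything is written to disk.

```python
import os
import zipfile

MAX_TOTAL_BYTES = 50 * 1024 * 1024  # assumed budget for one update package
CHUNK = 64 * 1024

class UnsafeArchive(Exception):
    """Raised when an archive fails name or size validation."""

def _target_path(dest_root, member_name):
    """Map a member name to a path under dest_root, rejecting anything that escapes it."""
    name = member_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UnsafeArchive(f"absolute path: {member_name!r}")
    if ".." in name.split("/"):
        raise UnsafeArchive(f"directory traversal: {member_name!r}")
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, *name.split("/")))
    if os.path.commonpath([root, target]) != root:  # e.g. via a symlink
        raise UnsafeArchive(f"escapes destination: {member_name!r}")
    return target

def safe_extract(zip_source, dest_root, max_total=MAX_TOTAL_BYTES):
    """Extract zip_source into dest_root and return the number of bytes written."""
    written = 0
    with zipfile.ZipFile(zip_source) as zf:
        infos = zf.infolist()
        # Pass 1: check all names and the declared sizes before touching the disk,
        # so a rejected archive leaves no stray directories behind.
        targets = [_target_path(dest_root, i.filename) for i in infos]
        if sum(i.file_size for i in infos) > max_total:
            raise UnsafeArchive("declared uncompressed size exceeds budget")
        # Pass 2: extract, counting written bytes as a second, independent limit.
        for info, target in zip(infos, targets):
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # "xb" refuses to overwrite an existing file.
            with zf.open(info) as src, open(target, "xb") as dst:
                while chunk := src.read(CHUNK):
                    written += len(chunk)
                    if written > max_total:
                        raise UnsafeArchive("written size exceeds budget")
                    dst.write(chunk)
    return written
```

Extracting into a fresh staging directory and removing the whole directory on failure avoids the leftover files and directories the advisory notes for both LiveUpdate versions.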