| Subject: | Vulnerability in Symantec Anti Virus Corporate Edition v9.x |
|---|---|
| Date: | 31 Aug 2005 17:35:45 -0000 |
The vulnerability has been identified and confirmed in versions 9.0.1.x and 9.0.4.x. I am fairly certain that it exists in all releases of version 9 and possibly other versions as well.

Essentially, the program can be configured to receive updates either from Symantec's LiveUpdate server or from an internal LiveUpdate server. If it is configured to receive updates from an internal server, information such as server name, IP address, subnet, subnet mask, connection protocol, username and password has to be entered. This information is stored in the file "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate", and that file does store the username and password in an encrypted format.

The vulnerability shows itself when the server actually retrieves the updates from the LiveUpdate server. The logging information about the transaction is written to the file "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.Liveupdate". In that file, regardless of whether the update was successful or not, the username and password used to connect to the internal LiveUpdate server are available in clear text.

Examples:

8/24/2005, 17:28:14 PM GMT -> Progress Update: DOWNLOAD_SEGMENT_BATCH_START: Downloading segmented file 1124829658jtun_ennluxdb.x86.full.zip (size 12401134) instead of update file http://domain\username:*******@x.x.x.x/1124829658jtun_ennluxdb.x86 (size 18047217)

8/31/2005, 0:51:43 AM GMT -> Progress Update: DOWNLOAD_SEGMENT_FILE_START: Downloading segment file http://username:******@x.x.x.x/segments/1125123146jtun_ennluxdb.x86.seg1.zip instead of update 1125123146jtun_ennluxdb.x86: file size 3584000

8/31/2005, 0:51:43 AM GMT -> Progress Update: DOWNLOAD_FILE_START: URL: "http://username:******@x.x.x.x/segments/1125123146jtun_ennluxdb.x86.seg1.zip", Estimated Size: 3584000, Destination Folder: "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads"

This can be exploited in a variety of ways. The most obvious is elevation of privileges. Someone with only limited permissions may be able to log in to a server in a low-security zone. They will be able to read the log file, since it is located under the "C:\Documents and Settings\All Users\....\.." directory, which is readable by all users. A username and password for a service account or a domain account on the internal LiveUpdate server can thus be obtained and used to gain access to that server, or to other servers in a different security zone.
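As an added defensive example (not part of the original post or of Symantec's code), the following Python scans log lines in the Log.Liveupdate layout quoted above for URLs that carry an embedded user:password@ component, reports each hit without copying the password, and masks the password before such text is stored or forwarded for troubleshooting. The sample lines, the account name, the password and the 192.0.2.10 address are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Any http(s) URL embedded in a log line (stops at whitespace or a quote).
URL_RE = re.compile(r'https?://[^\s"<>]+')
# LiveUpdate-style line: "<date>, <time> <tz> -> <message>"
LINE_RE = re.compile(r'^(?P<stamp>[^>]+?)\s*->\s*(?P<msg>.*)$')

def find_embedded_credentials(log_text):
    """One finding per URL with a user:password@ part; the password itself
    is deliberately not copied into the result."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        stamp = m.group('stamp').strip() if m else ''
        for url in URL_RE.findall(line):
            parts = urlsplit(url.rstrip('",.'))
            if parts.username is None:
                continue  # plain URL, no userinfo leaked
            findings.append({
                'line': lineno,
                'timestamp': stamp,
                'username': parts.username,
                'host': parts.hostname,
                'password_present': bool(parts.password),
            })
    return findings

def redact_url_credentials(text):
    """Mask the password of every user:pass@host URL in the text."""
    return re.sub(r'(https?://[^\s:/@"]+:)[^\s@"]*(@)', r'\1******\2', text)

# Constructed sample in the Log.Liveupdate layout; the CORP\svc_liveupdate
# account, the password and 192.0.2.10 are placeholders, not advisory values.
SAMPLE_LOG = (
    '8/24/2005, 17:28:14 PM GMT -> Progress Update: DOWNLOAD_SEGMENT_BATCH_START: '
    'Downloading segmented file 1124829658jtun_ennluxdb.x86.full.zip (size 12401134) '
    'instead of update file http://CORP\\svc_liveupdate:Hunter2@192.0.2.10/'
    '1124829658jtun_ennluxdb.x86 (size 18047217)\n'
    '8/31/2005, 0:51:43 AM GMT -> Progress Update: DOWNLOAD_FILE_START: URL: '
    '"http://svc_liveupdate:Hunter2@192.0.2.10/segments/1125123146jtun_ennluxdb.x86.seg1.zip", '
    'Estimated Size: 3584000, Destination Folder: "C:\\LiveUpdate\\Downloads"\n'
    '8/31/2005, 0:51:50 AM GMT -> Progress Update: DOWNLOAD_FILE_FINISH: '
    'URL: "http://192.0.2.10/segments/1125123146jtun_ennluxdb.x86.seg1.zip"\n'
)

if __name__ == '__main__':
    for f in find_embedded_credentials(SAMPLE_LOG):
        print(f"line {f['line']} ({f['timestamp']}): {f['username']!r} -> {f['host']}")
    print(redact_url_credentials(SAMPLE_LOG))
```

Run against a real Log.Liveupdate copy, a non-empty result from find_embedded_credentials is the signal to rotate that account and to tighten the ACL on the All Users directory.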