Symantec LiveUpdate is an application designed to provide timely updates for Symantec products. LiveUpdate downloads zip-archived packages, decompresses them, verifies signatures, and finally installs the updates. HexView discovered two problems with LiveUpdate: the decompression routine does not check uncompressed file sizes, and no validation is performed on directory names.
Credit:
The information has been provided by HexView.
The original article can be found at: http://www.hexview.com/docs/20041104-1.txt
Affected products:
* LiveUpdate versions 1.80.19.0 and 2.5.56.0
After downloading a ZIP archive from the website (either the legitimate Symantec website or a spoofed one controlled by an attacker), LiveUpdate starts decompressing the set of files it expects to find in the archive. LiveUpdate does not validate uncompressed file sizes, so it is possible to cause an effective DoS by forcing LiveUpdate to decompress an extremely large file that consumes all available hard drive space. This issue is known as "ZIP bombing".
LiveUpdate also decompresses a directory tree without validating directory names. Directory traversal is possible through "..", meaning that LiveUpdate can be forced to create a directory anywhere on the current disk. While LiveUpdate will not overwrite existing files, this issue can be exploited to mount a DoS attack against applications by creating a directory with the name of a file that the victim application is expected to create. Once such a directory is created, the application will fail to create the file, which will cause unpredictable results.
LiveUpdate 1.80.19 cleans up after itself, but it only deletes files, not directories. LiveUpdate 2.5.56 does not delete files when a failure occurs.
It is possible to repackage Symantec's legitimate archives so that they are processed cleanly by LiveUpdate and the attack goes unnoticed.
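The two checks the advisory finds missing, written as a pre-extraction audit. This is an added example, not code from HexView or Symantec; the size budget, the ratio ceiling, the function names and the sample package are assumptions constructed for illustration.

```python
import io
import zipfile

MAX_TOTAL_BYTES = 50 * 1024 * 1024   # assumed budget for one update package
MAX_RATIO = 100                      # assumed ceiling on per-entry compression ratio


def audit_archive(data, max_total=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO):
    """Return (entry name, reason) findings; an empty list means acceptable."""
    findings = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            parts = name.split("/")
            # Directory-name validation: reject ".." components and any
            # absolute or drive-qualified path before anything is created.
            if ".." in parts:
                findings.append((info.filename, "parent-directory component"))
            if name.startswith("/") or (len(parts[0]) == 2 and parts[0][1] == ":"):
                findings.append((info.filename, "absolute path"))
            # Size validation: sum the declared uncompressed sizes and flag
            # entries that expand far beyond their compressed size.
            total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                findings.append((info.filename, "compression ratio too high"))
    if total > max_total:
        findings.append(("<archive>", "declared uncompressed size over budget"))
    return findings


def build_sample():
    """Constructed package: a normal file, a directory entry that climbs out
    of the extraction root, and a 4 MiB file of zeros."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("update/catalog.txt", "version=1\n")
        zf.writestr("../../spool/app.lock/", "")
        zf.writestr("update/pad.bin", b"\0" * (4 * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in audit_archive(build_sample()):
        print(f"REJECT {entry}: {reason}")
```

The audit runs on the central directory before any entry is written, so a rejected package leaves no files or directories behind to clean up.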
Subject: Critical System error!
Date: 21 Oct. 2006
From: Fionnuala_labhaoise
Ok, here's the problem, in my toolbar thing at the bottom of my desktop there is a yellow question mark which turns into a blue circle with a yellow cross in it every second, and now and again it pops up a speech bubble sayin that my computer has detected viruses..etc, and I just wanted to know where this came from?? is it anything to do with LiveUpdate 8.0? and why is it there?? pleeeez help!!!! thanx (in advance)