Symantec LiveUpdate Decompression and Directory Names Vulnerabilities
17 Nov. 2004
Summary
Symantec LiveUpdate is an application designed to provide timely updates for Symantec products. LiveUpdate downloads zip-archived packages, decompresses them, verifies signatures, and finally installs the updates. HexView discovered two problems with LiveUpdate: the decompression routine does not check uncompressed file sizes, and no validation is performed on directory names.
Affected products:
* LiveUpdate versions 1.80.19.0 and 2.5.56.0
After downloading a ZIP archive from the website (either the legitimate Symantec website or a spoofed one controlled by an attacker), LiveUpdate starts decompressing the set of files it expects to find in the archive. LiveUpdate does not validate uncompressed file sizes, so it is possible to cause an effective DoS by forcing LiveUpdate to decompress an extremely large file that consumes all available hard drive space. This issue is known as "ZIP bombing".
LiveUpdate also decompresses a directory tree without validating directory names. Directory traversal is possible through "..", meaning that LiveUpdate can be forced to create a directory anywhere on the current disk. While LiveUpdate will not overwrite existing files, this issue can be exploited to mount a DoS attack against applications by creating a directory with the name of a file that the victim application is expected to create. Once such a directory exists, the application will fail to create the file, which will cause unpredictable results.
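The two validations missing from LiveUpdate (an uncompressed-size budget and containment of entry paths under the extraction directory) can be checked before any byte is written. The following is an added example, not Symantec's code; it assumes a POSIX host, a hypothetical staging directory, and a constructed sample archive built in the block itself.

```python
import io
import os
import tempfile
import zipfile

MAX_RATIO = 100  # assumed cap on uncompressed/compressed ratio for one entry


def check_archive(data: bytes, dest_dir: str, max_total: int = 50 * 1024 * 1024) -> list:
    """Return the problems found in a ZIP package (empty list = passed).
    Mirrors the two checks the advisory says LiveUpdate lacks: declared
    uncompressed sizes must fit a budget, and every entry path must stay
    inside dest_dir. Header sizes can lie, so extraction must also cap bytes."""
    problems, total = [], 0
    dest_real = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                problems.append(f"{info.filename}: compression ratio exceeds {MAX_RATIO}")
            if total > max_total:
                problems.append(f"{info.filename}: total uncompressed size exceeds budget")
            name = info.filename.replace("\\", "/")
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                problems.append(f"{info.filename}: absolute path")
            parts = name.split("/")
            # realpath also defends against symlinked components, not only ".."
            target = os.path.realpath(os.path.join(dest_real, *parts))
            if ".." in parts or os.path.commonpath([dest_real, target]) != dest_real:
                problems.append(f"{info.filename}: escapes destination directory")
    return problems


def build_sample(entries) -> bytes:
    """Constructed archive for demonstration: entries are (name, payload) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


DEST = os.path.join(tempfile.gettempdir(), "liveupdate_dest")  # hypothetical staging dir
GOOD = build_sample([("update/patch.bin", b"legitimate update payload")])
BAD = build_sample([
    ("update/patch.bin", b"legitimate update payload"),
    ("bomb.dat", b"\0" * (2 * 1024 * 1024)),        # 2 MiB of zeros deflates to a few KB
    ("../../victim/report.txt/", b""),              # directory entry named like a file
])
```

Calling `check_archive(BAD, DEST, max_total=1024 * 1024)` reports the oversized entry and the traversing directory entry while leaving the legitimate entry unflagged.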
LiveUpdate 1.80.19 cleans up after itself, but it only deletes files, not directories. LiveUpdate 2.5.56 does not delete files when a failure occurs.
It is possible to repackage Symantec's legitimate archives so that they will be cleanly processed by LiveUpdate and the attack will not be noticed.