NSOADV-2011-001: Symantec LiveUpdate Administrator CSRF vulnerability

2011-03-23T00:00:00
ID SECURITYVULNS:DOC:25971
Type securityvulns
Reporter Securityvulns
Modified 2011-03-23T00:00:00

Description


NSOADV-2011-001: Symantec LiveUpdate Administrator CSRF vulnerability



                           111101111
                    11111 00110 00110001111
               111111 01 01 1 11111011111111
            11111  0 11 01 0 11 1 1  111011001
         11111111101 1 11 0110111  1    1111101111
       1001  0 1 10 11 0 10 11 1111111  1 111 111001
     111111111 0 10 1111 0 11 11 111111111 1 1101 10
    00111 0 0 11 00 0 1110 1 1011111111111 1111111 11  100
   10111111 0 01 0  1 1 111110 11 1111111111111  11110000011
   0111111110 0110 1110 1 0 11101111111111111011 11100  00
   01111 0 10 1110 1 011111 1 111111111111111111111101 01
   01110 0 10 111110 110 0 11101111111111111111101111101
  111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
  111110110 10 0111110 1 0 0 1111111111111111111111111 110
111 11111 1  1 111 1   10011 101111111111011111111 0   1100

111 10 110 101011110010 11111111111111111111111 11 0011100 11 10 001100 0001 111111111111111111 10 11 11110 11110 00100 00001 10 1 1111 101010001 11111111 11101 0 1011 10000 00100 11100 00001101 0 0110 111011011 0110 10001 101 11110 1011 1 10 101 000001 01 00 1010 1 11001 1 1 101 10 110101011 0 101 11110 110000011 111



Title: Symantec LiveUpdate Administrator CSRF vulnerability Severity: Medium Advisory ID: NSOADV-2011-001 Found Date: 14.07.2010 Date Reported: 17.01.2011 Release Date: 22.03.2011 Author: Nikolas Sotiriu Mail: nso-research at sotiriu.de Website: http://sotiriu.de/ Twitter: http://twitter.com/nsoresearch Advisory-URL: http://sotiriu.de/adv/NSOADV-2010-001.txt Vendor: Symantec (http://www.symantec.com/) Affected Products: Symantec LiveUpdate Administrator <= 2.2.2.9 Remote Exploitable: Yes Local Exploitable: No CVE-ID: CVE-2011-0545 Patch Status: Vendor released an patch Discovered by: Nikolas Sotiriu Disclosure Policy: http://sotiriu.de/policy.html Thanks to: Thierry Zoller: For the permission to use his Policy

Background:

The Symantec LiveUpdate Administrator is an enterprise Web application that allows you to manage Symantec updates on multiple internal Central LiveUpdate servers, called Distribution Centers. Using the Symantec LiveUpdate Administrator, you download updates to the Manage Updates folder, and then publish the updates to production distribution servers for LiveUpdate clients to download, or to testing distribution centers, so that the updates can be tested before they are published to production.

You can download and publish updates on schedule, allowing you to create a low maintenance, reliable system that can be set up once, and then run automatically. Updates can also be manually downloaded and published as needed.

(Product description from LUA Admin Guide)

Description:

The webfrontend do not properly sanitize some variables before being returned to the user.

If an attacker supplies a username, containing script code, at the login-page of the service, an entry in the Event Log is done, containing the "user name".

If the admin user is viewing the logfile, the script code will be executed.

This can be exploited to execute arbitrary HTML and script code in a admin's browser session in context of the Web Administrator frontend.

If an attacker passes a user name like

<iframe src=http://attacker/evil.html>

in the username field he can execute CSRF attacks against the Webfrontend to change the settings.

The Proof of Concept code addes an admin account or executes an alert box.

Proof of Concept :

  • attached *

Solution:

Update to Version 2.3

Symantec Security Advisory: http://tinyurl.com/4oox6hy

Disclosure Timeline (YYYY/MM/DD):

2010.07.14: Vulnerability found 2011.01.17: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2011.02.04) to Vendor 2011.01.17: Vendor response 2011.01.20: Symantec product team verifies the finding 2011.02.03: Ask for a status update 2011.02.03: Symantec Security Response Team informs me that the update is planned for early to mid-March. 2011.02.03: Changed release date to 2011.03.10. 2011.03.03: Symantec Security Response Team informs me that the update is planned for 2011.03.17. 2011.03.17: Symantec Security Response Team informs me that the update QA needs a bit more time. 2011.03.21: Update and Security Advisory release. 2011.03.22: Release of this Advisory