作者 Number5 (西瓜不会思考) 看板 Newstand 标题 Symantec 正式承认NAV2003被木马攻陷 时间 Tue Jan 27 20:14:43 2004 着名防毒软体公司诺顿(Norton)向媒体正式承认其Norton AntiVirus2003 的LiveUpdate功能出现漏洞，被木马被感染後会在未经授权下被别人取得 Administrator的许可权，而发作日期为2004年1月7日，故此当人们Live Update时，竟把木马一同安装了。 诺顿声称只会影响XP/2000/2003版本，而当中了这个木马後会令右键功能 变得缓慢，Office软体变得缓慢及描毒功能失效。发现这个问题的公司Secure Networrk Operations早於上周二找到此问题，现在诺顿已经提供了一个4MB 的更新程式。 ftp://ftp.symantec.com/public/english_us_canada/liveupdate/lusetup.exe 以下全有可能中 Affected Components Symantec Windows LiveUpdate 1.70.x through 1.90.x Symantec Norton SystemWorks 2001-2004 Symantec Norton AntiVirus and Norton AntiVirus Pro 2001-2004 Symantec Norton Internet Security and Norton Internet Security Pro 2001-2004 Symantec AntiVirus for Handhelds Retail and Corporate Edition v3.0 -- 原文如下 Secure Network Operations, Inc. http://www.secnetops.com/research Strategic Reconnaissance Team research[at]secnetops[.]com Team Lead Contact kf[at]secnetops[.]com Spam Contact `rm -rf /`@snosoft.com Our Mission: ************************************************************************ Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer. To learn more about our company, products and services or to request a demo of ANVIL FCS please visit our site at http://www.secnetops.com, or call us at: 978-263-3829 Quick Summary: ************************************************************************ Advisory Number : SRT2004-01-09-1022 Product : Symantec LiveUpdate Version : 1.70.x through 1.90.x Vendor : http://symantec.com/techsupp/files/lu/lu.html Class : Local Criticality : High (to users of the below listed products) Products Affected : Symantec LiveUpdate 1.70.x through 1.90.x : Norton SystemWorks 2001-2004 : Norton AntiVirus (and Pro) 2001-2004 : Norton Internet Security (and Pro) 2001-2004 : Symantec AntiVirus for Handhelds v3.0 Operating System(s) : Win32 Notice ************************************************************************ The full technical details of this vulnerability can be found at: http://www.secnetops.com under the research section. Basic Explanation ************************************************************************ High Level Description : LiveUpdate allows local users to become SYSTEM What to do : run LiveUpdate and apply latest patches. Basic Technical Details ************************************************************************ Proof Of Concept Status : SNO has proof of concept. Low Level Description : Symantec, the world leader in Internet security technology, provides a broad range of content and network security software and appliance solutions to individuals, enterprises and service providers. The company is a leading provider of client, gateway and server security solutions for virus protection, firewall and virtual private network, vulnerability management, intrusion detection, Internet content and email filtering, and remote management technologies and security services to enterprises and service providers around the world. Symantec's Norton brand of consumer security products is a leader in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 36 countries. Symantec's Norton Internet Security 2004 provides essential protection from viruses, hackers, and privacy threats. During an audit of NIS2004 we uncovered a local privilege escalation issue in LiveUpdate. The issue can allow a local user to gain SYSTEM privileges on NT based Windows machines (this includes 2k3, 2k, and XP). ONLY "consumer/retail products" are prone to this particular attack. Symantec Enterprise products do not support the Automatic LiveUpdate functionality so they are not vulnerable. The final thing to keep in mind that this vulnerability can be highly dependent on the system configuration and environment. While logged in as an underprivileged user a small sliding popup window may appear from the Windows task bar saying "there are Live Updates available, click here to run LiveUpdate". If you click to run LiveUpdate you should notice that LUALL.exe and LUCOMS~1.exe are now running as the user SYSTEM. Click the help button and you will now have a "LiveUpdate Help" window, click File and then Open. Browse to c:\windows\system32 and right click on cmd.exe, click open and you now have a cmd prompt running as SYSTEM. Normally when a user starts Live Update it runs as the user you loged in as. In order for this to be exploitable Symantec Automatic LiveUpdate must be enabled. Please see http://www.secnetops.biz/images/SRT2004-01-09-1022.jpg for an example of exploitation. Vendor Status : Symantec promptly attended to the issue and was very responsive during all phases of discovery / research and patching. Fixes are now available via LiveUpdate. Bugtraq URL : To be assigned. CVE candidate CAN-2003-0994. Disclaimer ---------------------------------------------------------------------- This advisory was released by Secure Network Operations,Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories but can be obtained under contract.. Contact our sales department at sales[at]secnetops[.]com for further information on how to obtain proof of concept code. ---------------------------------------------------------------------- Secure Network Operations, Inc. || http://www.secnetops.com "Embracing the future of technology, protecting you." ※ 编辑: WebM7 来自: 140.112.250.171 (05/08 08:19)