NTUDormM7 board


Author: Number5 (Watermelons Can't Think)
Board: Newstand
Title: Symantec officially admits NAV2003 was compromised by a trojan
Time: Tue Jan 27 20:14:43 2004

The well-known antivirus software company Norton has officially admitted to the media that the LiveUpdate feature of its Norton AntiVirus 2003 contains a vulnerability; once infected by the trojan, others can obtain Administrator privileges without authorization. The trigger date was January 7, 2004, so when people ran LiveUpdate, they ended up installing the trojan along with it.

Norton says only the XP/2000/2003 versions are affected. Once hit by this trojan, the right-click function becomes slow, Office software becomes slow, and virus scanning stops working. Secure Network Operations, the company that discovered the problem, found it as early as last Tuesday, and Norton has now provided a 4MB update.

ftp://ftp.symantec.com/public/english_us_canada/liveupdate/lusetup.exe

All of the following may be affected:

Affected Components
Symantec Windows LiveUpdate 1.70.x through 1.90.x
Symantec Norton SystemWorks 2001-2004
Symantec Norton AntiVirus and Norton AntiVirus Pro 2001-2004
Symantec Norton Internet Security and Norton Internet Security Pro 2001-2004
Symantec AntiVirus for Handhelds Retail and Corporate Edition v3.0

--
The original text follows:

Secure Network Operations, Inc.            http://www.secnetops.com/research
Strategic Reconnaissance Team              research[at]secnetops[.]com
Team Lead Contact                          kf[at]secnetops[.]com
Spam Contact                               `rm -rf /`@snosoft.com

Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer.

To learn more about our company, products and services or to request a demo of ANVIL FCS please visit our site at http://www.secnetops.com, or call us at: 978-263-3829

Quick Summary:
************************************************************************
Advisory Number      : SRT2004-01-09-1022
Product              : Symantec LiveUpdate
Version              : 1.70.x through 1.90.x
Vendor               : http://symantec.com/techsupp/files/lu/lu.html
Class                : Local
Criticality          : High (to users of the below listed products)
Products Affected    : Symantec LiveUpdate 1.70.x through 1.90.x
                     : Norton SystemWorks 2001-2004
                     : Norton AntiVirus (and Pro) 2001-2004
                     : Norton Internet Security (and Pro) 2001-2004
                     : Symantec AntiVirus for Handhelds v3.0
Operating System(s)  : Win32

Notice
************************************************************************
The full technical details of this vulnerability can be found at: http://www.secnetops.com under the research section.

Basic Explanation
************************************************************************
High Level Description : LiveUpdate allows local users to become SYSTEM
What to do             : run LiveUpdate and apply latest patches.

Basic Technical Details
************************************************************************
Proof Of Concept Status : SNO has proof of concept.

Low Level Description   : Symantec, the world leader in Internet security technology, provides a broad range of content and network security software and appliance solutions to individuals, enterprises and service providers. The company is a leading provider of client, gateway and server security solutions for virus protection, firewall and virtual private network, vulnerability management, intrusion detection, Internet content and email filtering, and remote management technologies and security services to enterprises and service providers around the world. Symantec's Norton brand of consumer security products is a leader in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 36 countries.

Symantec's Norton Internet Security 2004 provides essential protection from viruses, hackers, and privacy threats. During an audit of NIS2004 we uncovered a local privilege escalation issue in LiveUpdate. The issue can allow a local user to gain SYSTEM privileges on NT based Windows machines (this includes 2k3, 2k, and XP).

ONLY "consumer/retail products" are prone to this particular attack. Symantec Enterprise products do not support the Automatic LiveUpdate functionality so they are not vulnerable. The final thing to keep in mind is that this vulnerability can be highly dependent on the system configuration and environment.

While logged in as an underprivileged user a small sliding popup window may appear from the Windows task bar saying "there are Live Updates available, click here to run LiveUpdate". If you click to run LiveUpdate you should notice that LUALL.exe and LUCOMS~1.exe are now running as the user SYSTEM. Click the help button and you will now have a "LiveUpdate Help" window, click File and then Open. Browse to c:\windows\system32 and right click on cmd.exe, click open and you now have a cmd prompt running as SYSTEM.

Normally when a user starts Live Update it runs as the user you logged in as. In order for this to be exploitable Symantec Automatic LiveUpdate must be enabled.

Please see http://www.secnetops.biz/images/SRT2004-01-09-1022.jpg for an example of exploitation.

Vendor Status : Symantec promptly attended to the issue and was very responsive during all phases of discovery / research and patching. Fixes are now available via LiveUpdate.

Bugtraq URL : To be assigned.
CVE candidate CAN-2003-0994.

Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories but can be obtained under contract. Contact our sales department at sales[at]secnetops[.]com for further information on how to obtain proof of concept code.
----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."

※ Edited by: WebM7 from: 140.112.250.171 (05/08 08:19)
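
Detection logic for the behaviour the advisory describes, added here as an example that is not part of the original post or of Secure Network Operations' proof of concept: it walks process lineage in process-creation events and flags a cmd.exe running as SYSTEM beneath a SYSTEM-owned LUALL.exe or LUCOMS~1.exe. The event field names, the helpviewer.exe process name, the directory paths and the sample events are assumptions constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any platform

# Process names and the SYSTEM account come from the advisory text; the event
# field names (pid, ppid, image, user) are hypothetical, not a real log schema.
LIVEUPDATE_IMAGES = {"luall.exe", "lucoms~1.exe"}
SHELL_IMAGES = {"cmd.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

def image_name(path):
    return basename(path).lower()

def ancestry(pid, by_pid):
    """Events from pid up to the oldest logged ancestor; stops on loops or gaps."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def find_system_shells_under_liveupdate(events):
    """Flag shells running as SYSTEM that descend from a SYSTEM LiveUpdate process."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        if event["user"] != SYSTEM_USER or image_name(event["image"]) not in SHELL_IMAGES:
            continue
        chain = ancestry(event["pid"], by_pid)
        for depth, ancestor in enumerate(chain[1:], start=1):
            if (image_name(ancestor["image"]) in LIVEUPDATE_IMAGES
                    and ancestor["user"] == SYSTEM_USER):
                names = [image_name(a["image"]) for a in chain[:depth + 1]]
                findings.append({"pid": event["pid"], "chain": names})
                break
    return findings

# Constructed sample events. Directory names and helpviewer.exe are placeholders:
# the advisory does not name the help window's process or the install path.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 900, "image": r"C:\placeholder\LUALL.exe", "user": SYSTEM_USER},
    {"pid": 1300, "ppid": 1200, "image": r"C:\placeholder\helpviewer.exe", "user": SYSTEM_USER},
    {"pid": 1400, "ppid": 1300, "image": r"c:\windows\system32\cmd.exe", "user": SYSTEM_USER},
    # Not flagged: SYSTEM shell with no LiveUpdate ancestor in the log.
    {"pid": 2000, "ppid": 600, "image": r"c:\windows\system32\cmd.exe", "user": SYSTEM_USER},
    # Not flagged: LiveUpdate started manually runs as the logged-in user.
    {"pid": 3000, "ppid": 2900, "image": r"C:\placeholder\LUALL.exe", "user": r"PC\alice"},
    {"pid": 3100, "ppid": 3000, "image": r"c:\windows\system32\cmd.exe", "user": r"PC\alice"},
]

if __name__ == "__main__":
    for finding in find_system_shells_under_liveupdate(SAMPLE_EVENTS):
        print(finding["pid"], " <- ".join(finding["chain"]))
```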






