Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

[R1] Symantec LiveUpdate Administrator Installation Directory Permission Weakness Local Privilege Escalation

High

Synopsis

Symantec LiveUpdate Administrator contains a flaw that may allow an attacker to gain access to unauthorized privileges. A weakness in the installation directory (C:\Program Files\Symantec\LiveUpdate Adminstrator) permissions may allow a local attacker to escalate privileges. By placing a specially crafted JSP file in the directory and then requesting it via HTTP, the JSP will be executed with SYSTEM privileges.

In addition to placing a JSP file in the directory, a local attacker could edit tomcat/webapps/clu-test/WEB-INF/classes/clu.properties to change the CLU_DIR variable, allowing them to read files remotely via GET requests to the HttpPutServlet servlet, or edit tomcat/conf/tomcat-users.xml to add a new user to the "lua-clu-role" which would allow them to remotely overwrite files via PUT requests to the same servlet.

Solution

The original solution provided by Symantec (upgrade to 2.3.1) tightened up permissions of some directories, but not the root installation directory. There are files in that directory that run with SYSTEM privileges that can be used to gain elevated privileges. Symantec subsequently released 2.3.2 to fix that issue.

Disclosure Timeline

2011-03-29 - Report sent to [email protected]
2011-03-29 - Symantec confirms receipt
2011-06-15 - Symantec publishes Advisory advising upgrade to 2.3.1
2011-09-10 - Symantec releases 2.3.2 fully resolving the issue

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]