Spyware, Viruses, & Security forum

General discussion

Vulnerabilities December 14, 2004

by roddy32 / December 13, 2004 9:56 PM PST

TITLE:
Symantec Windows LiveUpdate NetDetect Privilege Escalation

SECUNIA ADVISORY ID:
SA13445

VERIFY ADVISORY:
http://secunia.com/advisories/13445/

CRITICAL:
Less critical

IMPACT:
Privilege escalation

WHERE:
Local system

SOFTWARE:
Norton AntiVirus 2002
http://secunia.com/product/846/
Norton AntiVirus 2001
http://secunia.com/product/221/
Norton Internet Security 2001
http://secunia.com/product/2802/
Norton Internet Security 2002
http://secunia.com/product/2801/
Norton Internet Security 2003
http://secunia.com/product/969/
Norton Internet Security 2003 Professional
http://secunia.com/product/970/
Norton Internet Security 2004
http://secunia.com/product/2441/
Norton Internet Security 2004 Professional
http://secunia.com/product/2442/
Norton SystemWorks 2001
http://secunia.com/product/2799/
Norton SystemWorks 2002
http://secunia.com/product/2798/
Norton SystemWorks 2003
http://secunia.com/product/2797/
Norton SystemWorks 2004
http://secunia.com/product/2796/
Symantec AntiVirus for Handhelds 3.x
http://secunia.com/product/2803/
Symantec Norton AntiVirus 2003
http://secunia.com/product/175/
Symantec Norton AntiVirus 2004
http://secunia.com/product/2800/
Symantec Windows LiveUpdate 1.x
http://secunia.com/product/2794/
Symantec Windows LiveUpdate 2.x
http://secunia.com/product/2795/

DESCRIPTION:
Secure Network Operations has reported a vulnerability in Symantec
Windows LiveUpdate, which can be exploited by malicious, local users
to gain escalated privileges.

The vulnerability is caused due to Symantec Automatic LiveUpdate
allowing manipulation of certain Internet options with SYSTEM
privileges. This can be exploited via the LiveUpdate GUI during an
interactive LiveUpdate session when running the scheduled "NetDetect"
task.

Successful exploitation allows execution of arbitrary commands with
escalated privileges.

The vulnerability has been reported in LiveUpdate prior to version
2.5.

The following products include LiveUpdate and are affected:
Symantec Norton SystemWorks 2001-2004
Symantec Norton AntiVirus and Pro 2001-2004
Symantec Norton Internet Security and Pro 2001-2004
Symantec AntiVirus for Handhelds Retail and Corporate Edition v3.0

SOLUTION:
Update to Symantec Windows LiveUpdate version 2.5.

This is available via the LiveUpdate functionality or at:
http://www.symantec.com/techsupp/files/lu/lu.html

PROVIDED AND/OR DISCOVERED BY:
Secure Network Operations

ORIGINAL ADVISORY:
Symantec:
http://www.sarc.com/avcenter/security/Content/2004.12.13a.html

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.


An added note here. The newest version is actually 2.6 not 2.5 as noted in this report from Secunia. The link they supply DOES take you to 2.6. This is the update that most of us regulars in this forum already did 2 or 3 weeks ago when Donna reported that it was available. The easiest way to check your version is to bring up the Norton Utility, click on the Live Update button, when that window comes up, click on the topleft side where it says options/about. A small window will popup and tell you which version you have. You WILL have to reboot after updating.

Discussion is locked
You are posting a reply to: Vulnerabilities December 14, 2004
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: Vulnerabilities December 14, 2004
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Kerio MailServer / ServerFirewall Potential User Password Di
by Marianna Schmudlach / December 13, 2004 11:15 PM PST

CRITICAL:
Less critical

IMPACT:
Exposure of sensitive information

WHERE:
Local system

SOFTWARE:
Kerio ServerFirewall 1.x
http://secunia.com/product/4378/
Kerio MailServer 5.x
http://secunia.com/product/1725/
Kerio MailServer 6.x
http://secunia.com/product/3782/

DESCRIPTION:
Javier Munoz has reported a security issue in Kerio MailServer and
Kerio ServerFirewall, which potentially can be exploited by
malicious, local users to gain knowledge of sensitive information.

The problem is that user passwords are stored in the user credential
database using symmetric encryption. This may allow malicious users
with access to the database to gain knowledge of the passwords by
decrypting them using a key hidden in the program logic.

NOTE: A problem with insecure ACLs has also been reported.

SOLUTION:
Update to Kerio MailServer 6.0.5 and Kerio ServerFirewall 1.0.1.

http://secunia.com/advisories/13460/

Collapse -
Opera Default 'kfmclient exec' Configuration May Let Remote
by Donna Buenaventura / December 13, 2004 11:36 PM PST

Users Execute Arbitrary Commands

Date: Dec 13 2004
Impact: Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Advisory: Zone-H
Version(s): Tested on Opera 7.54 on Linux with KDE 3.2.3
Description: A vulnerability was reported in Opera when using KDE. A remote user may be able to cause the target user to execute arbitrary commands.

Giovanni Delvecchio of Zone-h reported that KDE uses 'kfmclient exec' as the default application for processing saved files. A remote user can cause arbitrary shell commands to be executed on the target system.

For example, a remote server can supply 'image.Jpg' with an unknown Content-Type field, causing Opera to display a dialog box for the file. If the target user selects 'Open' to view the supposed image file, the file will be opened using 'kfmclient exec'. If 'image.Jpg' is a KDE desktop entry, then the target user's system will execute the command in the 'Exec' entry.

The original advisory is available at: http://www.zone-h.org/advisories/read/id=6503

Impact: A remote user may be able to cause arbitrary commands to be executed on the target user's system with some user interaction.

Solution: No vendor solution was available at the time of this entry.

The report indicates that as a workaround, you can disable 'kfmclient exec' as the default application.

http://securitytracker.com/alerts/2004/Dec/1012491.html

Collapse -
Updated: Anti-virus software may not properly scan malformed
by Donna Buenaventura / December 13, 2004 11:58 PM PST

archives

Overview
Anti-virus software may rely on corrupted headers to determine if a zip archive is valid. As a result, anti-virus software may fail to detect malicious content within a zip archive.

I. Description

Information about a zip archive, such as the size of the compressed data, is placed in headers within the archive. An attacker may be able to modify these headers to indicate that an archive contains files with sizes/lengths of zero. If anti-virus software relies on zip archive headers to determine archive validity, the anti-virus software may incorrectly interpret an archive with maliciously modified headers to contain zero-length files. Consequently, the anti-virus would fail to detect the malicious content and allow the archive into the system.

Please note that a user may still have to extract the contents of the malicious archive to trigger exploitation.

II. Impact

A remote attacker may be able to craft a malicious zip archive that will evade detection by anti-virus software. Once in the system, if the remote attacker can persuade the user to accesses the malicious archive, the attacker may be able to execute arbitrary code on that user's system.

III. Solution

Consult Anti-Virus Vendors

Users are encouraged to contact their anti-virus vendors to determine if they are vulnerable and what corrective actions to take.

Systems Affected

Vendor Status Date Updated
AKS Unknown 9-Dec-2004
Check Point Unknown 9-Dec-2004
CommandCom Unknown 9-Dec-2004
Computer Associates Unknown 9-Dec-2004
CPAN Unknown 9-Dec-2004
CyberSoft Unknown 9-Dec-2004
eset Antivirus Unknown 9-Dec-2004
F-Secure Unknown 9-Dec-2004
Finjan Software Unknown 9-Dec-2004
Fortinet Unknown 9-Dec-2004
Kapersky Unknown 9-Dec-2004
McAfee Unknown 9-Dec-2004
MessageLabs Unknown 9-Dec-2004
RAV Unknown 9-Dec-2004
Sophos Unknown 9-Dec-2004
Symantec Corporation Unknown 10-Dec-2004

Date Public 10/18/2004
Date First Published 12/10/2004 01:06:25 PM
Date Last Updated 12/13/2004

http://www.kb.cert.org/vuls/id/968818

Collapse -
Cyber Security Bulletin SB04-343
by Donna Buenaventura / December 14, 2004 12:09 AM PST

Summary of Security Items from December 1 through December 7, 2004

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risks levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.

Bugs, Holes, & Patches

Windows Operating Systems:

Alt-N MDaemon Privilege Escalation (Updated)
Burut Kreed Game Server Multiple Remote Vulnerabilities
Cisco CNS Network Registrar DNS & DHCP Server Remote Denial of Service
Computer Associates Unicenter Remote Control Remote Authentication Bypass
David Harris Mercury Mail Multiple Remote IMAP Stack Buffer Overflows
GlobalScape CuteFTP Multiple Command Response Buffer Overflow
Headlight Software Inc. GetRight 'DUNZIP32.DLL' Buffer Overflow
Hosting Controller 'Statsbrowse.asp' & 'Generalbrowse.asp' Information Disclosure
IBEX Software Remote Execute Denial of Service
IpSwitch WS_FTP Buffer Overflow (Updated)
Microsoft Windows Resource Kit 'w3who.dll' Buffer Overflow & Input Validation
Microsoft Server Spoofing (Updated)
Microsoft Internet Explorer FTP URL Processing Input Validation
Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow (Updated)
Microsoft Internet Explorer Drag & Drop
Microsoft Internet Explorer Security Update (Updated)
Microsoft Windows WINS Buffer Overflow
Thomas Hauck JanaServer 2 Multiple Remote Denial of Service

UNIX / Linux Operating Systems:

Apache mod_ssl Denial of Service (Updated)
Apache mod_ssl Remote Denial of Service (Updated)
Apache Mod_Proxy Remote Buffer Overflow (Updated)
Apple Apache File Handlers Bypass & Directly Access Files
Apple Apache on Apple HFS+ '.DS Store' Files Disclosure
Apple AppKit Secure Input
Apple Cyrus IMAP Server Remote Mailbox Access
Apple Apache mod_digest_apple Authentication Credentials Replay
Apple QuickTime Streaming Server Remote Denial of Service
Apple HIToolbox Kiosk Mode Application Quit
Apple Postfix CRAM-MD5 Replay Attack
Apple PSNormalizer Buffer Overflow
Apple Terminal Incorrect 'Secure Keyboard Entry' Status
Caolan McNamara & Dom Lachowicz wvWare Library Buffer Overflow
Carsten Haitzler Imlib Image Decoding Integer Overflow
Debian hpsockd Buffer Overflow
Dom Lachowicz AbiWord "wv" Library Buffer Overflow (Updated)
Downhill Battle Blog Torrent 'btdownload.php' Input Validation
Federico D. Sacerdoti Ansel "image" SQL Injection & Script Insertion
FreeBSD Kernel Memory Disclosure
GD Graphics Library Remote Integer Overflow (Updated)
Gentoo mirrorselect Insecure Temporary File Creation
Gentoo PDFlib Buffer Overflow
Gentoo Perl Privilege Escalation
Global Moxie Big Medium Remote Script Code Execution
IBM AIX Unspecified System Startup Scripts
ImageMagick Remote EXIF Parsing Buffer Overflow (Updated)
KDE Konqueror Input Validation
LibTIFF Buffer Overflows (Updated)
Multiple Vendors Apache Web Server Remote IPv6 Buffer Overflow (Updated)
Multiple Vendors Cyrus IMAPD Multiple Remote Vulnerabilities (Updated)
Multiple Vendors Cyrus IMAP 'imap magic plus' Buffer Overflow (Updated)
Multiple Vendors IpTables Initialization Failure (Updated)
Multiple Vendors GD Graphics Library Multiple Remote Buffer Overflows (Updated)
Multiple Vendors Gzip File Access (Updated)
Multiple Vendors nfs-utils "SIGPIPE" TCP Connection Termination Denial of Service
Multiple Vendors OpenSSH-portable Remote Information Disclosure
Multiple Vendors Kerberos 5 Double-Free Vulnerabilities (Updated)
Multiple Vendors MIT Kerberos 5 ASN.1 Decoder Remote Denial of Service (Updated)
Multiple Vendors Xpdf PDFTOPS Multiple Integer Overflows (Updated)
Multiple Vendors IMLib/IMLib2 Multiple BMP Image (Updated)
Multiple Vendors LibXPM Multiple Vulnerabilities (Updated)
Multiple Vendors Linux Kernel BINFMT_ELF Loader Multiple Vulnerabilities (Updated)
Multiple Vendors smbfs Filesystem Memory Errors Remote Denial of Service (Updated)
Multiple Vendors Linux Kernel Local DoS & Memory Content Disclosure (Updated)
Multiple Vendors Linux Kernel AMD64/EM64T TSS Limit Elevated Privileges
Multiple Vendors Linux Kernel USB Driver Kernel Memory (Updated)
Multiple Vendors Trustix LVM Utilities Insecure Temporary File Creation (Updated)
Nicolas Rougier gnubiff Denial of Service
Open Group Motif / Open Motif libXpm Vulnerabilities
OpenSSL Insecure Temporary File Creation (Updated)
PHP Arena paFileDB Hashed Passwords Access
PHPMyAdmin Multiple Remote Cross-Site Scripting (Updated)
pizzashack rssh Security Bypass
PNG Development Group Multiple Vulnerabilities in libpng (Updated)
Red Hat BCM5820 Linux Driver Buffer Overflow (Updated)
Sandino Flores Moreno Gaim Festival Plug-in Remote Denial of Service
Sublimation scponly Security Bypass
Sun Solaris 'ping' Buffer Overflow
SUSE evolution SSL Handling
SUSE ethereal Denial of Service
SUSE GNOME Input Validation
SUSE Linux Kernel Unauthorized SCSI Command
SUSE Linux Enterprise Server NFS Remote Denial Of Service & Storage Corruption
SUSE glibc Buffer Overflow
SUSE resmgr Access
Trustix 'File' Processing ELF Headers Stack Overflow

Multiple Operating Systems:

Albrecht Guenther PHProjekt 'setup.php' File Upload
Apache Jakarta Results.JSP Remote Cross-Site Scripting
Cisco IOS DHCP Input Queue Blocking Remote Denial of Service
FreeImage Interleaved Bitmap Image Buffer Overflow
Hitachi Groupmax World Wide Web Cross-Site Scripting & Directory Traversal
IBM WebSphere Commerce Default User Information Disclosure
Multiple Vendor Anti-Virus Software Detection Evasion (Updated)
Novell NetMail Default Authentication Credentials
S9Y Serendipity Remote Cross-Site Scripting
SquirrelMail Cross-Site Scripting (Updated)
SugarCRM Multiple Input Validation
Sun Java Plug-in Sandbox Security Bypass (Updated)
ViewCVS Ignores 'hide_cvsroot' and 'forbidden' Settings

http://www.us-cert.gov/cas/bulletins/SB04-343.html

Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

Does BMW or Volvo do it best?

Pint-size luxury and funky style

Shopping for a new car this weekend? See how the BMW X2 stacks up against the Volvo XC40 in our side-by-side comparison.