ID

VAR-200402-0066

CVE

CVE-2003-0994

TITLE

Symantec LiveUpdate Local Privilege Escalation Vulnerability

DESCRIPTION

The GUI functionality for an interactive session in Symantec LiveUpdate 1.70.x through 1.90.x, as used in Norton Internet Security 2001 through 2004, SystemWorks 2001 through 2004, and AntiVirus and Norton AntiVirus Pro 2001 through 2004, AntiVirus for Handhelds v3.0, allows local users to gain SYSTEM privileges. Symantec LiveUpdate has been reported prone to a local privilege escalation vulnerability. This issue presents itself when a LiveUpdate interactive session is created. The privileges of the process, if different from the user, are not lowered. This may allow a local attacker to employ the vulnerable LiveUpdate component to spawn arbitrary executables with the privileges of the LiveUpdate process. Symantec LiveUpdate is a program used by a large number of Symantec application systems for automatic upgrades. When a non-privileged user logs in, a small window of \"there are Live Updates available, click here to run LiveUpdate\" will be displayed in the Windows task bar. If you click to run online automatic update, you will find LUALL.exe and LUCOMS~1 The .exe will run under the context of the user SYSTEM, click the Help button, and a \"LiveUpdate Help\" window will appear, click the file and open it, browse c:\windows\system32, and then you can run the cmd.exe program with SYSTEM permissions. Secure Network Operations, Inc. http://www.secnetops.com/research Strategic Reconnaissance Team research[at]secnetops[.]com Team Lead Contact kf[at]secnetops[.]com Spam Contact `rm -rf /`@snosoft.com Our Mission: ************************************************************************ Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer. Basic Explanation ************************************************************************ High Level Description : LiveUpdate allows local users to become SYSTEM What to do : run LiveUpdate and apply latest patches. Basic Technical Details ************************************************************************ Proof Of Concept Status : SNO has proof of concept. Low Level Description : Symantec, the world leader in Internet security technology, provides a broad range of content and network security software and appliance solutions to individuals, enterprises and service providers. The company is a leading provider of client, gateway and server security solutions for virus protection, firewall and virtual private network, vulnerability management, intrusion detection, Internet content and email filtering, and remote management technologies and security services to enterprises and service providers around the world. Symantec's Norton brand of consumer security products is a leader in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 36 countries. Symantec's Norton Internet Security 2004 provides essential protection from viruses, hackers, and privacy threats. This issue is similar to the issues that were uncovered in the Windows Help API by both Brett Moore and our SRT team in late 2003. Full details available at: http://www.secnetops.biz/research/SRT2004-01-09-1022.txt and http://www.secnetops.biz/research/SRT2004-01-09-1022.jpg Vendor Status : Symantec promptly attended to the issue and was very responsive during all phases of discovery / research and patching. Fixes are now available via LiveUpdate. Bugtraq URL : To be assigned. CVE candidate CAN-2003-0994. Disclaimer ---------------------------------------------------------------------- This advisory was released by Secure Network Operations,Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories but can be obtained under contract.. Contact our sales department at sales[at]secnetops[.]com for further information on how to obtain proof of concept code. ---------------------------------------------------------------------- Secure Network Operations, Inc. || http://www.secnetops.com "Embracing the future of technology, protecting you."

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

local

TYPE

access verification error

EXPLOIT AVAILABILITY

EXTERNAL IDS

REFERENCES

CREDITS

Secure Network Operations※ research@secnetops.com

SOURCES

LAST UPDATE DATE

2024-08-14T14:09:00.382000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE