exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Symantec LiveUpdate Administrator 2.3.2.99 Password Reset / SQL Injection

Symantec LiveUpdate Administrator 2.3.2.99 Password Reset / SQL Injection
Posted Mar 28, 2014
Authored by S. Viehbock | Site sec-consult.com

Symantec LiveUpdate Administrator versions 2.3.2.99 and below suffer from password reset and remote SQL injection vulnerabilities.

tags | advisory, remote, vulnerability, sql injection
advisories | CVE-2014-1644, CVE-2014-1645
SHA-256 | 11f001616a25bdfdf4be738bd0ef7f77bf985f9f7a0f5c873331ffa8305ed340

Symantec LiveUpdate Administrator 2.3.2.99 Password Reset / SQL Injection

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20140328-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: Symantec LiveUpdate Administrator
vulnerable version: <= 2.3.2.99
fixed version: 2.3.2.110
impact: critical
CVE number: CVE-2014-1644, CVE-2014-1645
homepage: https://www.symantec.com
found: 2014-01-02
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"LiveUpdate Administrator is an enterprise Web application that allows you to
manage updates on multiple internal Central Update servers, called Distribution
Centers. Using LiveUpdate Administrator, you download updates to the Manage
Updates folder, and then send the updates to production distribution servers
for Update clients to download, or to testing distribution centers, so that the
updates can be tested before they are distributed to production.

Source:
https://www.symantec.com/connect/articles/knowledgebase-articles-liveupdate-administrator-lua


Business recommendation:
------------------------
Attackers are able to compromise LiveUpdate Administrator at the
application and database levels. This enables access to credentials of update
servers on the network.

It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Unauthenticated arbitrary account password reset (CVE-2014-1644)
The reset password is not properly protected and allows unauthenticated
attackers to reset passwords of arbitrary users.
Using this vulnerability an attacker can gain full access to the LiveUpdate
Administrator web interface.
An attacker can use this vulnerability to retrieve usernames/passwords of
internal LiveUpdate servers and execute attacks against those servers.

2) Unauthenticated SQL injection (CVE-2014-1645)
Several SQL injection vulnerabilities were discovered in the application.
These vulnerabilities allow attackers to exfiltrate database contents
(including user names, passwords, server credentials) and possibly to
compromise the host system as well.


Proof of concept:
-----------------
1) Unauthenticated arbitrary account password reset (CVE-2014-1644)
The following request shows how the password of the user with the email address
"foo@bar.com" can be set to "11111111".
Affected script: /lua/forcepasswd.do

Detailed proof of concept exploits have been removed for this vulnerability.

2) Unauthenticated SQL injection (CVE-2014-1645)
The following request shows how the SQL injection in the password reset
functionality can be exploited (blind, timing).
Affected script: /lua/forcepasswd.do

Detailed proof of concept exploits have been removed for this vulnerability.

The password recovery functionality (/loginforgotpwd)is vulnerable to SQL
injection as well. Several DAO methods show incorrect use of prepared
statements and were not investigated further.


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Symantec LiveUpdate
Administrator version 12.1.4013, which was the most recent version at the time
of discovery.


Vendor contact timeline:
------------------------
2014-01-09: Sending advisory and proof of concept exploit via encrypted
channel.
2014-01-09: Vendor acknowledges receipt of advisory.
2014-02-24: Requesting status update.
2014-02-25: Vendor confirms vulnerability.
2014-02-25: Vendor plans release in late march.
2014-03-25: Vendor provides schedule.
2014-03-27: Vendor provides CVE-IDs and releases fixed version.
2014-03-28: SEC Consult releases coordinated security advisory.


Solution:
---------
Update to the most recent version (2.3.2.110) of Symantec LiveUpdate
Administrator.

More information can be found at:
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140327_00


Workaround:
-----------
No workaround available.


Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com

EOF Stefan Viehböck / @2014
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close