Norton Liveupdate musings
20 years 11 months ago #2093
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Norton Liveupdate musings
Neon, the details for the IP yours is connecting to are:
[code:1]
inetnum: 203.134.38.224 - 203.134.38.255
netname: MLOGOTHETISPTYLTD
descr: iPrimus Customer
country: AU
admin-c: JD29-AP
tech-c: HA13-AP
mnt-by: MAINT-PRIMUS-AU
changed: lambo@primus.com.au 20000724
status: ASSIGNED NON-PORTABLE
source: APNIC
changed: hm-changed@apnic.net 20020827
person: Jim Dandy
nic-hdl: JD29-AP
e-mail: netops@iprimus.com.au
address: L3 1 Alfred Circular Quay
address: Sydney NSW Australia
address: 2000
phone: +61-2-94232400
fax-no: +61-2-94232410
country: AU
changed: netops@primus.com.au 20030724
mnt-by: MAINT-PRIMUS-AU
source: APNIC
[/code:1]
Are you from Australia?
I'm quite keen on figuring out the protocol.. think about it.. if someone knew how it gets the latest update, someone could possibly get a webserver to serve up a fake update... maybe one that ruins all the definitions. Just a thought...
I personally think they chose to have liveupdate work over http because most corporate firewalls would be configured to allow outbound requests to port 80.. that would save users from having to get an admin to poke a hole in the firewall for liveupdate.
It's quite stupid actually.. You'd think that they'd encrypt the traffic at the very least (I don't think they do).. not to mention I wonder whether the update it downloads is checked against an MD5 hash from somewhere else. They do give the hashes on their own website..
Sorry about the mammoth post.
20 years 11 months ago #2100
by Neon
Replied by Neon on topic Re: Norton Liveupdate musings
Yeah, I am from Australia, and my ISP is iPrimus.
I also checked just then with live update and it still connected to the same IP as I stated before.
.. Which program/site do you use to get the info about the IP address? I use the ARIN site, but it doesn't contain that much info.
20 years 11 months ago #2101
by sahirh
Replied by sahirh on topic Re: Norton Liveupdate musings
Neon, so that's a good thing... looks to me like they have some sort of regional mirror system for the liveupdate.. does that sound like a bad guess? You could hit that webserver and check what it's running..
just telnet to the ip, port 80, and type
[code:1]
HEAD / HTTP/1.0
<enter>
<enter>
[/code:1]
let me know what it returns as the server.. I'm guessing you'll see Akamai Caching system as well...
as for where I picked up that info.. good old command line whois.. basically does the same thing as arin.net whois. Thing is, different regions are allocated IPs by different authorities.. for example, Asia gets them from Apnic.net whereas the Americas get them from Arin and Europe from Ripe.net..
I think I queried APNIC.. which allocates Australia as well, I think... if you query the wrong one, you'll get something like this.
[code:1]
whois -h whois.arin.net 203.134.38.224
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 202.0.0.0 - 203.255.255.255
CIDR: 202.0.0.0/7
NetName: APNIC-CIDR-BLK
NetHandle: NET-202-0-0-0-1
Parent:
NetType: Allocated to APNIC
[/code:1]
Thus you can see that it's allocated by APNIC.. and then you query the correct one.
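One way to automate the registry hopping this post describes, as an added example that is not from the thread or from any whois tool named in it: query ARIN first and, when the reply carries a ReferralServer line (as the APNIC-allocated block above does), re-query the registry it names. The two replies are constructed from the abridged output shown in the thread, and offline_fetch is a hypothetical stand-in so the example runs without network access.

```python
import re
import socket

# Constructed samples, abridged from the two replies in the thread:
# ARIN hands out a referral, APNIC answers authoritatively.
ARIN_REPLY = ("OrgName: Asia Pacific Network Information Centre\n"
              "ReferralServer: whois://whois.apnic.net\n"
              "NetRange: 202.0.0.0 - 203.255.255.255\n")
APNIC_REPLY = ("inetnum: 203.134.38.224 - 203.134.38.255\n"
               "netname: MLOGOTHETISPTYLTD\nsource: APNIC\n")

# "ReferralServer: whois://host" or "rwhois://host:4321"; only the host is captured.
REFERRAL_RE = re.compile(r"^ReferralServer:\s*(?:r?whois://)?([^\s:/]+)", re.M | re.I)

def referral_server(reply):
    """Host named in a ReferralServer line, or None when the answering
    registry is authoritative for the queried object."""
    m = REFERRAL_RE.search(reply)
    return m.group(1).lower() if m else None

def whois_query(query, server, timeout=10.0):
    """One raw whois exchange (RFC 3912, TCP/43): send the query, read to EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")

def whois_follow(query, start="whois.arin.net", max_hops=3, fetch=whois_query):
    """Start at one registry and follow ReferralServer lines until an
    authoritative reply, a referral loop, or max_hops. Returns (reply, path)."""
    server, path, reply = start, [], ""
    for _ in range(max_hops):
        reply = fetch(query, server)
        path.append(server)
        nxt = referral_server(reply)
        if nxt is None or nxt in path:   # authoritative answer, or a loop
            break
        server = nxt
    return reply, path

def offline_fetch(query, server):
    """Hypothetical stand-in for whois_query that replays the constructed replies."""
    return ARIN_REPLY if server == "whois.arin.net" else APNIC_REPLY

if __name__ == "__main__":
    reply, path = whois_follow("203.134.38.224", fetch=offline_fetch)
    print(" -> ".join(path))   # whois.arin.net -> whois.apnic.net
```

Pass the real whois_query (the default) instead of offline_fetch to run the same chain against the live registries.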
20 years 11 months ago #2105
by sahirh
Replied by sahirh on topic Re: Norton Liveupdate musings
A bit of research found me the Liveupdate Administrators guide...
Here it is :
www.its.uiowa.edu/cs/helpdesk/virus/PDF_docs/norton/Luadmin.pdf
Look at Chapter one, page 8 -- How the liveupdate client works
Looks like I was right, it does try and pick the nearest server.. and the download is via http and ftp (they don't specify when each is used). They do list all the files that are used in the liveupdate process, as well as the name of the file it downloads.. but there's no mention of the protocol.. as far as I could see, the webserver that it was updating from did not seem to understand regular HTTP requests..
Apparently administrators can even set up their own internal liveupdate server so that people don't have to keep using the Internet link to download updates.. that would be a neat idea.. as it would be faster as well..
Does anyone have this implemented? And if so, do you know how the client requests from the server? There appears to be some form of authentication:
LiveUpdate 1.6x and 1.7 secure the download process by checking file signatures before delivering any LiveUpdate content to the user. In addition, LiveUpdate 1.7 secures and authenticates downloaded packages to each client, server, and gateway.
Each new update is accompanied by a cryptographic signature, which is then signed using a private key that is stored on a secure Symantec server. The resulting digital signature is stored in a signature file, which is compressed into the Livetri.zip file along with the catalog file. If any of the authentication checks fail, a descriptive error message appears and the activity is recorded in the log file. On Windows NT computers, an error is also written to the NT event log.
Of course my whole notion may be hare-brained.. but if you figure out how to handle the requests from the client, wouldn't it be possible to serve a file of your choosing.. the client downloads it, and obviously installs the update package.. what if your update patches norton antivirus to do some nasty things.. or even better, patches liveupdate to send you some stuff... it already has internet access after all
Sigh.. the glory of idle conjecture...
20 years 11 months ago #2112
by Neon
Replied by Neon on topic Re: Norton Liveupdate musings
I tried doing that thing you said about telnetting into the IP address with port 80. I used PuTTY. It worked, but it disconnected me really quickly, it only gave me enough time to type "HEAD / HTT" then the connection was dropped... Must have a very short timeout, eh?
But to combat the short timeout, I used ID Serve from grc.com and it returned these results:
[code:1]Initiating server query ...
Looking up the domain name for IP: 203.134.38.238
The domain name for the IP address is: 203-134-38-238.cust.syd.iprimus.net.au
Connecting to the server on standard HTTP port: 80
[Connected] Requesting the server's default page.
The server returned the following response headers:
HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 132
Expires: Sun, 21 Dec 2003 14:55:18 GMT
Date: Sun, 21 Dec 2003 14:55:18 GMT
Connection: close
Query complete.[/code:1]
But yeah I agree with you on saying that it does use a closest mirror system.
When I captured the packets during the live update process, I noticed the following things about DNS:
My computer sent a DNS query to liveupdate.symantecliveupdate.com
The response had 5 entries.
[code:1]1. liveupdate.symantecliveupdate.com = liveupdate.symantec.com
2. liveupdate.symantec.com = liveupdate.symantec.d4p.net
3. liveupdate.symantec.d4p.net = a188.x.akamai.net
4. a188.x.akamai.net = 203.134.38.231
5. a188.x.akamai.net = 203.134.38.238[/code:1]
and there we have it, my live update according to TCPView was using 203.134.38.238
That's also interesting, making your own live update server. I know a place that runs 30 comps and needs to update their definitions regularly, so that would ease the bandwidth when an update is available.
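An added example, not ID Serve and not code from the thread, that sends the suggested HEAD request in a single write and parses the response headers. Sending the whole request at once avoids the server's idle timeout that cut the interactive PuTTY session short; SAMPLE_RESPONSE is constructed from the AkamaiGHost headers shown above so the parser can be checked offline.

```python
import socket

# Constructed sample: the response headers ID Serve printed in the thread,
# as the bytes a client reads off the socket (the 132-byte body is omitted).
SAMPLE_RESPONSE = (b"HTTP/1.0 400 Bad Request\r\n"
                   b"Server: AkamaiGHost\r\n"
                   b"Mime-Version: 1.0\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Content-Length: 132\r\n"
                   b"Connection: close\r\n\r\n")

def parse_response_head(raw):
    """Split a raw HTTP/1.x response into (status_code, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, code, *_reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:                       # skip anything that is not "Name: value"
            headers[name.strip().lower()] = value.strip()
    return int(code), headers

def head_request(host, port=80, timeout=5.0):
    """Send the complete HEAD request in one write, then read until the server
    closes. Typing it by hand can exceed the server's request timeout, which
    is what dropped the PuTTY session after 'HEAD / HTT'."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)

def server_banner(raw):
    """Status code and Server header from a raw response, e.g. to confirm an
    update client is really reaching the CDN front end you expect."""
    code, headers = parse_response_head(raw)
    return code, headers.get("server", "<no Server header>")

if __name__ == "__main__":
    print(server_banner(SAMPLE_RESPONSE))   # (400, 'AkamaiGHost')
```

Replace SAMPLE_RESPONSE with head_request("203.134.38.238") to repeat the check live; a 400 with Server: AkamaiGHost is the same answer ID Serve got.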
20 years 11 months ago #2114
by sahirh
Replied by sahirh on topic Re: Norton Liveupdate musings
Hmm odd about that manual HTTP request... should work just fine...
I wrote a little perl script that I stick in my path.. then in run I just type
id <ip-address or hostname> and it gives me back a bunch of useful stuff about the server. Really simple stuff, but can be useful sometimes.
Perhaps I'll set up another box here and make it a LU server and capture the whole process.. even if nothing comes out of it, it'll make for some interesting protocol analysis.. it's been a while since I read bytes off the wire.... in hex... with my left eye closed... while standing on my head.