Symantec Vulnerability Research
http://www.symantec.com/research
Security Advisory
Advisory ID: SYMSA-2007-003
Advisory Title: Macrovision InstallAnywhere Password and Serial
Number Bypass
Author: Brian Reilly / brian_reilly (at) symantec (dot) com [email concealed]
Release Date: 28-02-2007
Application: Macrovision InstallAnywhere Enterprise
(all versions)
Platform: All
Severity: Local Authorization Bypass
Vendor status: Verified by vendor
CVE Number: CVE-2007-1009
Reference: http://www.securityfocus.com/bid/22643
Overview:
Macrovision?s InstallAnywhere (acquired from Zero G Software in
June 2005) is a program to build multiplatform installers, and is
frequently used to distribute web services and J2EE applications.
InstallAnywhere Enterprise offers the ability to require a serial
number and/or a password as a prerequisite to installing an
application. However, it is possible to modify specific
configuration files included in an InstallAnywhere package to
circumvent these controls
Details:
InstallAnywhere packages include an XML project configuration file
named InstallScript.iap_xml. This file controls the behavior of
the installation process, including verification of a password
and/or serial number (if applicable).
Upon starting an installer, a directory is created in temporary
disk space. This directory contains multiple files, including a
ZIP archive that contains the XML project file. A LaunchAnywhere
executable is also created during the installation process and is
used to launch the actual Java application installer.
It is possible to bypass serial number and password controls by
creating a copy of this temporary directory, extracting a copy of
the XML project file from the ZIP archive, deleting the relevant
serial number or password verification sections from the XML
project file, replacing the modifiedXML project file in the ZIP
archive, and then manually starting the installation process via
the included LaunchAnywhere executable.
Vendor Response:
Macrovision has confirmed the reports provided by Symantec and
updated InstallAnywhere to resolve the issue. Current
InstallAnywhere customers will be encouraged to install version
8.0.1 as soon as it becomes available (estimated mid April).
More information regarding this version will be posted in the
release notes.
Macrovision will advise all users of InstallAnywhere to upgrade
to 8.0.1 as soon as it becomes available. Registered users of the
software will be electronically notified of the availability of
the release and directed to the necessary files.
Recommendation:
Developers should securely implement their own application-level
controls as needed, independent of the InstallAnywhere installer.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CVE-2007-1009
|