Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20779
HistoryOct 29, 2008 - 12:00 a.m.

Insomnia : ISVA-081020.1 - Altiris Deployment Server Agent - Privilege Escalation

2008-10-2900:00:00
vulners.com
7
JSON

Insomnia Security Vulnerability Advisory: ISVA-081020.1

Name: Altiris Deployment Server Agent - Privilege Escalation
Released: 20 October 2008

Vendor Link:
http://www.altiris.com/

Affected Products:
Altiris Deployment Server 6.X

Original Advisory:
http://www.insomniasec.com/advisories/ISVA-081020.1.htm

Researcher:
Brett Moore, Insomnia Security
http://www.insomniasec.com

Description

Altiris Deployment Server agent is installed as part of the
Altiris packages to allow the Deployment Server to manage software
for machines. It is usually installed to
C:\Program Files\Altiris\AClient and the main running agent
is called AClient.exe.

By default the agent runs under the Local System account and is
vulnerable to numerous Shatter Attack vulnerabilities leading
to an attacker running code under the Local System privilege.

We reported a first instance of this vulnerability which was
then patched, we then alerted Symantec to the second vulnerability.

Details

The main windows of the AClient GUI has a hidden button that
can be seen using a resource viewer such as MS Spy++. The
button has a caption of "command prompt".

Clicking this button causes the GUI to attempt to call
CreateProcess() with the following CommandLine parameter.
"c:\Program Files\Altiris\AClient\cmd.exe"

The AClient GUI also has a ListView control which can be
which can be used to overwrite process memory. Using the
ListView, it is possible to overwrite a static pointer
to modify the CommandLine parameter in such a way that
a cmd.exe shell is executed with SYSTEM level privileges.

We then reported the second issue.

The deployment server agent makes use of the LoadLibrary() API
function and passes a static address of a string from with the
data segment.

By exploiting the ListView to overwrite the data segment string,
it is possible to cause the agent to load a malicious dll file.

From the aclient.exe code
004AA890 PUSH ESI
004AA891 PUSH EDI
004AA892 PUSH AClient.005858A0 ; ASCII "kernel32.dll"
004AA897 XOR EDI,EDI
004AA899 CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar>;

The malicious dll file can then spawn a command shell, or similar,
running under the LocalSystem context.

Solution

Symantec have released a security update to address this issue;
http://www.symantec.com/avcenter/security/Content/2008.10.20a.html

Legals

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

Insomnia Security Vulnerability Advisory: ISVA-081020.1

JSON