Altiris Deployment Server Agent - Privilege Escalation

2008-10-21 / 2008-10-22
Credit: Brett Moore
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 6.8/10
Impact Subscore: 10/10
Exploitability Subscore: 3.1/10
Exploit range: Local
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

___________________________________________________________________
Insomnia Security Vulnerability Advisory: ISVA-081020.1
___________________________________________________________________

Name: Altiris Deployment Server Agent - Privilege Escalation
Released: 20 October 2008
Vendor Link: http://www.altiris.com/
Affected Products: Altiris Deployment Server 6.X
Original Advisory: http://www.insomniasec.com/advisories/ISVA-081020.1.htm
Researcher: Brett Moore, Insomnia Security
http://www.insomniasec.com
___________________________________________________________________

_______________
Description
_______________

Altiris Deployment Server agent is installed as part of the Altiris packages to allow the Deployment Server to manage software for machines. It is usually installed to C:\Program Files\Altiris\AClient and the main running agent is called AClient.exe.

By default the agent runs under the Local System account and is vulnerable to numerous Shatter Attack vulnerabilities, leading to an attacker running code with Local System privilege.

We reported a first instance of this vulnerability, which was then patched; we then alerted Symantec to the second vulnerability.

_______________
Details
_______________

The main window of the AClient GUI has a hidden button that can be seen using a resource viewer such as MS Spy++. The button has a caption of "command prompt". Clicking this button causes the GUI to attempt to call CreateProcess() with the following CommandLine parameter:

    "c:\Program Files\Altiris\AClient\cmd.exe"

The AClient GUI also has a ListView control which can be used to overwrite process memory. Using the ListView, it is possible to overwrite a static pointer to modify the CommandLine parameter in such a way that a cmd.exe shell is executed with SYSTEM level privileges.

We then reported the second issue.

The deployment server agent makes use of the LoadLibrary() API function and passes a static address of a string from within the data segment. By exploiting the ListView to overwrite the data segment string, it is possible to cause the agent to load a malicious dll file.

From the aclient.exe code:

    004AA890 PUSH ESI
    004AA891 PUSH EDI
    004AA892 PUSH AClient.005858A0 ; ASCII "kernel32.dll"
    004AA897 XOR EDI,EDI
    004AA899 CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar>;

The malicious dll file can then spawn a command shell, or similar, running under the LocalSystem context.

_______________
Solution
_______________

Symantec have released a security update to address this issue:
http://www.symantec.com/avcenter/security/Content/2008.10.20a.html

_______________
Legals
_______________

The information is provided for research and educational purposes only. Insomnia Security accepts no liability in any form whatsoever for any direct or indirect damages associated with the use of this information.

___________________________________________________________________
Insomnia Security Vulnerability Advisory: ISVA-081020.1
___________________________________________________________________
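The two preconditions the advisory relies on (a Local System service allowed to interact with the desktop, and a SYSTEM process whose window is reachable from the user's session) can be audited on a host; the following PowerShell check is an added example and is not part of the Insomnia advisory or the Altiris product. It assumes Windows PowerShell 4 or later run from an elevated prompt, and, since the advisory does not give the agent's service name, it matches on the AClient.exe image path instead.

```powershell
# Added audit check (not from the advisory): report the conditions that make a
# shatter attack possible on this host.
# Assumptions: Windows PowerShell 4+ (Get-Process -IncludeUserName), elevated prompt.

function Find-InteractiveSystemServices {
    param([string]$ImageName = 'AClient.exe')   # image name taken from the advisory

    # Services with "Allow service to interact with desktop" set and running as
    # LocalSystem. Every hit is exposed to window messages from logged-on users;
    # IsAltirisAgent marks the one this advisory describes.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DesktopInteract -and $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, StartName, DesktopInteract, PathName,
            @{ Name = 'IsAltirisAgent'; Expression = { $_.PathName -like "*$ImageName*" } }
}

function Find-SystemProcessesWithWindows {
    # MainWindowHandle is resolved against the caller's own desktop, so a non-zero
    # value for a SYSTEM process means that window can receive messages from this
    # session (session-0 isolated services on Vista and later will not show up).
    Get-Process -IncludeUserName |
        Where-Object { $_.UserName -eq 'NT AUTHORITY\SYSTEM' -and $_.MainWindowHandle -ne 0 } |
        Select-Object Id, ProcessName, UserName, MainWindowHandle, MainWindowTitle
}

Find-InteractiveSystemServices   | Format-Table -AutoSize
Find-SystemProcessesWithWindows  | Format-Table -AutoSize
```

An empty result from both functions means the agent is either patched to drop desktop interaction or isolated from the user's session; a hit for AClient.exe on an unpatched 6.X install is the exposure the Symantec update addresses.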

References:

http://www.vupen.com/english/advisories/2008/2876
http://www.symantec.com/avcenter/security/Content/2008.10.20a.html
http://www.insomniasec.com/advisories/ISVA-081020.1.htm
http://xforce.iss.net/xforce/xfdb/46006
http://www.securitytracker.com/id?1021071
http://www.securityfocus.com/bid/31766
http://secunia.com/advisories/31773
http://osvdb.org/49426
http://marc.info/?l=bugtraq&m=122460544316205&w=2

