[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4177F1BC.4020802@secnetops.com>
Date: Thu, 21 Oct 2004 13:28:28 -0400
From: KF_lists <kf_lists@...netops.com>
To: Brian Gallagher <bugtraq@...mondsea.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Critical Vulnerability in Altiris Deployment Server architecture
Altiris seems to have a wonderful track record for responding to
security threats. They pretty much blew me off too.
Anyone using Altiris Remote Control software, be aware that any user can
take SYSTEM privs from the nice tray icon.
I reported the hole to them over a year ago and I doubt they did
anything about it.
-KF
Brian Gallagher wrote:
>
> Subject:
> Design flaw in Altiris Deployment Server - Attacker can take over all clients on a network with Admininstrator Rights and Remote Control ability
>
>
> PRODUCTS AFFECTED:
> ---------------------------------------------------------------------------------------------
>
> ALTIRIS DEPLOYMENT SERVER - 5.x, 6.x, possibly other versions (untested)
> POSSIBLY OTHERS? - I have not worked with any of the other Altiris products, so I do not know if they are vulnerable to this, similar or other possible exploits.
>
>
> SUMMARY:
> ---------------------------------------------------------------------------------------------
>
> There is a design flaw in the Deployment Server architecture that could allow an attacker to take complete control over all Altiris clients on a network with relative ease.
>
> The flaw is that the AClient.exe process does not request any authentication from the Deployment server and will happily connect to any Deployment server it finds and give it complete Administrator rights to the machine along with the ability to Remotely Control it.
>
> This flaw can be exploited via physical or wireless access to the network Deployment Server is on, or remotely through a compromised system anywhere on the network that Altiris Deployment server is on and can potentially give an attacker complete administrative access to some or all managed clients.
>
> This can be done with little or no advance knowledge of the network or client configurations prior to the attack, depending on the AClient.exe configuration used.
>
>
> THREAT MITIGATION:
> ---------------------------------------------------------------------------------------------
>
> Due to a design flaw in the AClient.exe's lack of a proper authentication system, there is little you can do to prevent these exploits.
>
> The best things you can do to protect yourself until Altiris fixes their product is:
>
> 1) DO NOT USE THE "Use TCP/IP Multicast to locate a Deployment Server" OPTION WHEN INSTALLING ACLIENT.EXE. Put in a fixed IP address and Port number when installing the client.
>
> This will make it more difficult for someone to exploit this flaw, as they will have to disable the existing deployment server first, or use some other trick to make the attacker's machine seem like the "real" Deployment server.
>
> 2) TURN ON THE "Encrypt Sessions with Server" AND THE "Require Encrypted Sessions with Server" OPTIONS WHEN INSTALLING ACLIENT.EXE.
>
> This will require a client computer to reboot before it can be compromised, which creates an additional barrier of entry to an attacker, and give you more time to react in the event a Rogue Deployment server is detected on the network.
>
> 3) TURN ON THE "Remain Connected to the server" OPTION WHEN INSTALLING ACLIENT.EXE.
>
> This will provide less of an opportunity for a client to unknowingly connect to a Rogue Deployment Server by maintaining the connection to the one the client first connected to.
>
> 4) DO NOT USE THE “Advertise the server this client is connected to through multicasting” OPTION UNLESS ABSOLUTELY REQUIRED.
>
> This would prevent a rouge deployment server from obtaining an additional compromise vector (the advertising AClient.exe connected to a rogue DS) to new machines to control.
>
>
> SAMPLE EXPLOITS:
> ---------------------------------------------------------------------------------------------
>
> PREREQUISITE:
>
> BadGuy gets access to the network either (1) physically, by walking in the door and plugs his laptop into any network jack anywhere in the building or connecting to a wireless network access point inside or outside of the building, or (2) by gaining access to any computer on the network, such as through any variety of cracks, viruses, trojans, stolen password, etc.. For purposes of this discussion, I will assume that he simply walks in the door and plugs in a network cable, though it really makes no difference how he connects in order to exploit this flaw.
>
> SCENARIO ONE: AClient.exe configured to connect to Deployment Server via network broadcast
>
> His laptop is running its own copy of Deployment Server ("DS" from here on) (which is available for a free download online (though it is limited to 10 clients)). When clients are booted up, they will send a broadcast request to the network. If the laptop responds faster than the company's "Official" DS ("ODS" from here on) , then the client will connect to it, and BadGuy now has complete control over the client through the AClient service.
>
> Furthermore, if BadGuy can knock the official DS off the network (through any variety of Denial of Service attacks, ARP Poisoning, etc.) it can assume the role of the ODS, with the same IP address even, and take over more clients. Additionally BadGuy can potentially determine the IP address of the ODS by watching network traffic and seeing the broadcast messages that are sent to the ODS, in order to determine the IP address to attack and assume the role of.
>
> SCENARIO TWO: AClient.exe configured to connect to Deployment Server via direct IP address (for example, IP: 1.2.3.4) or hostname.
>
> Same as above, but BadGuy can redirect clients to his laptop by ARP-Poisoning (which makes the network's switches and routers think that the laptop is the machine they should send connect to for the IP address 1.2.3.4) or by using a Denial of Service attack to knock the ODS offline, and the laptop then starts functioning with the IP address
> 1.2.3.4.
>
> Again, complete control of all clients is on the network is easily achieved.
>
> SCENARIO THREE: AClient.exe configured to connect to Deployment Server via encrypted connection.
>
> Same as above scenarios except that it will require that a client to reboot (for any reason) before the client can be hijacked. When the client computer reboots, it will request new session keys from the DS, in this case the BadGuy's DS, and will use these keys (now provided by BadGuy's DS) to encrypt the session communications.
>
>
> POSSIBLE FIX (for ALTRIS):
> ---------------------------------------------------------------------------------------------
>
> The root of this problem is that the AClient does not require any authentication to connect to it. It will happily talk to any DS that it finds.
>
> The AClient must be modified (and therefore the Deployment Server itself) to provide a method of authorizing a DS to talk to AClient, and possibly the vice-versa.
>
> The simplest method of fixing this would be have a password set for each AClient upon installation.
>
> Upon connecting, the client and server would verify that they are talking to an authorized system using standard password-testing methods (ie: don’t send the password to the other system, send a hash of it to prevent spoofing and getting the password that way). Only after authentication would the client and server be allowed to interact further.
>
>
> VENDOR NOTIFICATION:
> ---------------------------------------------------------------------------------------------
>
> Altiris tech support was notified of this problem and sent the details of this vulnerability on Friday, November 21, 2003.
>
> Altiris confirmed the problem and assigned it to a support ticket which was escalated for management attention.
>
> I was informed that it had been scheduled to be fixed in a future release, but they did not provide an ETA or any other details.
>
> Since then no follow-up inquiries to Altiris have been responded to.
>
> Since it has been nearly a year, with three new versions (6.0, 6.1, 6.1sp1) and it still does not appear to have been resolved, I am publishing this alert to inform systems administrators of the vulnerability to their networks.
>
>
> ANALYST INFORMATION:
> ---------------------------------------------------------------------------------------------
> Brian Gallagher - DiamondSea.com - brian@...mondsea.com
> We Make E-Commerce Easy - No Technical Experience Required
> Consulting - E-Commerce - Web Site Design - Custom Programming
> http://www.DiamondSea.com - Toll-Free: 800-604-1476 - Fax: 888-411-8144
>
>
Powered by blists - more mailing lists