lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <003601c9330b$c0484b70$40d8e250$@moore@insomniasec.com>
Date: Tue, 21 Oct 2008 12:29:51 +1300
From: "Brett Moore" <brett.moore@...omniasec.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Insomnia : ISVA-081020.1 - Altiris Deployment
	Server Agent - Privilege Escalation

__________________________________________________________________

 Insomnia Security Vulnerability Advisory: ISVA-081020.1
___________________________________________________________________

 Name: Altiris Deployment Server Agent - Privilege Escalation 
 Released: 20 October 2008
  
 Vendor Link: 
    http://www.altiris.com/
  
 Affected Products:
    Altiris Deployment Server 6.X
 
 Original Advisory: 
    http://www.insomniasec.com/advisories/ISVA-081020.1.htm
 
 Researcher: 
    Brett Moore, Insomnia Security
    http://www.insomniasec.com
___________________________________________________________________

_______________

 Description
_______________

Altiris Deployment Server agent is installed as part of the 
Altiris packages to allow the Deployment Server to manage software
for machines. It is usually installed to 
C:\Program Files\Altiris\AClient and the main running agent 
is called AClient.exe. 

By default the agent runs under the Local System account and is
vulnerable to numerous Shatter Attack vulnerabilities leading
to an attacker running code under the Local System privilege.

We reported a first instance of this vulnerability which was
then patched, we then alerted Symantec to the second vulnerability.

_______________

 Details
_______________

The main windows of the AClient GUI has a hidden button that
can be seen using a resource viewer such as MS Spy++. The
button has a caption of "command prompt".

Clicking this button causes the GUI to attempt to call 
CreateProcess() with the following CommandLine parameter.
"c:\Program Files\Altiris\AClient\cmd.exe"

The AClient GUI also has a ListView control which can be
which can be used to overwrite process memory. Using the
ListView, it is possible to overwrite a static pointer
to modify the CommandLine parameter in such a way that
a cmd.exe shell is executed with SYSTEM level privileges.

We then reported the second issue.

The deployment server agent makes use of the LoadLibrary() API 
function and passes a static address of a string from with the 
data segment.

By exploiting the ListView to overwrite the data segment string, 
it is possible to cause the agent to load a malicious dll file.

>>From the aclient.exe code
004AA890   PUSH ESI
004AA891   PUSH EDI
004AA892   PUSH AClient.005858A0        ; ASCII "kernel32.dll"
004AA897   XOR EDI,EDI
004AA899   CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar>;

The malicious dll file can then spawn a command shell, or similar,
running under the LocalSystem context.

_______________

 Solution
_______________

Symantec have released a security update to address this issue;
http://www.symantec.com/avcenter/security/Content/2008.10.20a.html

_______________

 Legals
_______________

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___________________________________________________________________
 
Insomnia Security Vulnerability Advisory: ISVA-081020.1
___________________________________________________________________

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ