[Full-Disclosure] Altiris Carbon Copy Remote Control local SYSTEM exploitation.
From: KF_lists (kf_lists_at_secnetops.com)
Date: 10/22/04
- Previous message: Zach Bennett: "Re: [Full-Disclosure] regex vs hash"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: undisclosed-recipients: ; Date: Fri, 22 Oct 2004 10:40:26 -0400
The only reason this was never disclosed was originally in hopes of
proper vendor response... I spoke to their tech support about 5 times
but they were just total morons. I eventually gave up.
I was going to write a shatter like attack so this could be exploited
ala .exe file but I never had time.
Tested on Carbon Copy Version 6.0.5257
Start the Carbon Copy Service...
CCSRVC.exe is running as SYSTEM.
In the task bar you should see a little blue and white CC icon. Right
click on it and choose show user interface. CCW32.exe will then be
started with SYSTEM rights.
Choose help then "carbon copy help topics"... right click on the right
hand side of the help pane and choose "view source". You should get
notepad.exe running as SYSTEM. Click File then open... browse to cmd.exe
right click and open it.
Now you have local SYSTEM
Carbon Copy Scheduler at one point in time had its own service as well
so it could also be used to take SYSTEM... CCSched.exe runs as SYSTEM.
The schedulers help button can be used to take SYSTEM. The Add button
will take you to an other screen with a browse button that can be used...
Several variations of this span the products various versions. The
latest version I used did not contain the Scheduler Service...
I will eventually write up a proper advisory for this and an exploit
but... like I stated above... just been too busy to write the exploit.
Enjoy.
-KF
Brooks, Shane wrote:
> Can you elaborate a bit on the privilege escalation that you mentioned? If the hole has indeed been there over a year, why not disclose it publicy? Does anyone else have any info on Altiris vulnerabilities?
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: Zach Bennett: "Re: [Full-Disclosure] regex vs hash"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
