[NT] Altiris Deployment Server Agent Privilege Escalation
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 2 Nov 2008 15:08:16 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Altiris Deployment Server Agent Privilege Escalation
The Altiris Deployment Server agent is installed as part of the Altiris
packages to allow the Deployment Server to manage software on client
machines. It is usually installed to C:\Program Files\Altiris\AClient
and the main running agent process is AClient.exe. By default the Altiris
agent runs under the Local System account and presents a GUI on the
interactive desktop, which makes it vulnerable to several shatter attacks
that allow a local, low-privileged user to run code with Local System
privileges.
* Altiris Deployment Server version 6.X
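The precondition for the shatter attacks described above is a process that runs as Local System and owns windows on a desktop that a lower-privileged user can send window messages to. The following PowerShell audit is an added example, not part of the advisory and not Altiris or Symantec code: it lists every service that is both flagged to interact with the desktop and started as Local System, and separately locates any service whose binary is AClient.exe. It assumes only a Windows host with WMI/CIM available; the function names are the example's own.

```powershell
# Added example (not from the advisory or from Altiris/Symantec): audit a host for
# services that run as Local System AND are flagged to interact with the desktop.
# That combination is the precondition for a shatter attack: a SYSTEM-owned GUI
# that a lower-privileged user on the same desktop can send window messages to.
# Assumes a Windows host with WMI/CIM available; function names are hypothetical.

function Get-ShatterExposedServices {
    [CmdletBinding()]
    param(
        # Accounts treated as high privilege. Win32_Service reports the built-in
        # system account as 'LocalSystem'; AClient uses it by default.
        [string[]]$PrivilegedAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')
    )
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.DesktopInteract -eq $true -and
            ($PrivilegedAccounts -contains $_.StartName)
        } |
        Select-Object Name, DisplayName, StartName, State, PathName
}

# Find the agent named in the advisory regardless of how its service is registered.
function Get-AClientService {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'AClient\.exe' } |
        Select-Object Name, StartName, DesktopInteract, State, PathName
}

$exposed = Get-ShatterExposedServices
if ($exposed) {
    Write-Warning "Services running as SYSTEM with desktop interaction enabled (shatter exposure):"
    $exposed | Format-Table -AutoSize
} else {
    Write-Host "No desktop-interactive SYSTEM services found."
}

Write-Host "Altiris AClient service (if installed):"
Get-AClientService | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the managed client. A hit from the first function does not by itself prove a working shatter attack, but it identifies the processes to examine for the hidden-button and ListView-style message handlers described below. Note that from Windows Vista onwards services run in the isolated session 0, so a desktop-interactive flag on those systems no longer places the service's windows on a user's desktop; the advisory's 2008 scenario applies to the Windows XP and Server 2003 era hosts that Deployment Server 6.x was typically managing.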
The main window of the AClient GUI has a hidden button that can be seen
using a window inspection tool such as MS Spy++. The button has a caption of
Clicking this button causes the GUI to attempt to call CreateProcess()
with the following CommandLine parameter: "c:\Program
The AClient GUI also has a ListView control which can be used to
overwrite process memory. Using the ListView, it is possible to
overwrite a static pointer and so modify the CommandLine parameter in such a
way that a cmd.exe shell is executed with SYSTEM level privileges.
We then reported the second issue.
The deployment server agent makes use of the LoadLibrary() API function
and passes it the static address of a string held in the data segment.
By exploiting the ListView to overwrite the data segment string, it is
possible to cause the agent to load a malicious dll file.
From the aclient.exe code:

    004AA890 PUSH ESI
    004AA891 PUSH EDI
    004AA892 PUSH AClient.005858A0 ; ASCII "kernel32.dll"
    004AA897 XOR EDI,EDI
    004AA899 CALL DWORD PTR DS:[
The malicious dll file can then spawn a command shell, or similar, running
under the LocalSystem context.
Symantec have released a security update to address this issue:
The information has been provided by <mailto:brett.moore@xxxxxxxxxxxxxxx>
The original article can be found at: