[VIM] Altiris AClient privilege escalation bugs - one or two?
Steven M. Christey
coley at mitre.org
Mon May 16 14:54:06 EDT 2005
Various vulnerability information sources appear to be combining two
separate Altiris Client Service for Windows (AClient) privilege
escalation reports into a single issue; however, the reported
versions, and methods of attack, suggest that there may be separate
issues, although closely related.

Both issues were announced by the same researcher, Reed Arvin. One
was announced in November 2004 and one in April 2005.

November 2004 -

  BUGTRAQ:20041119 Privilege escalation flaw in AClient Service for
    Windows (Version 5.6.181).
  URL:http://www.securityfocus.com/archive/1/381649
  Affected version: 5.6 SP1 Hotfix E (5.6.181)
  Method of attack: open the AClient tray icon, use View Log File,
    launch cmd.exe with SYSTEM privileges

April 2005 -

  FULLDISC:20050427 Privilege escalation and password protection
    bypass in Altiris Client Service for Windows (Version 6.0.88)
  URL:http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0614.html
  Affected version: 6.0.88
  Method of attack: use a program to find the "Altiris Client Service"
    window. Report implies that this window is normally hidden -
    "Compile and run the following code to unhide the Altiris Client
    Service window." The user can then modify the various options in
    the window, including disabling the "Hide client tray icon box"
    option. This in turn enables the same attack as specified in the
    November 2004 report.

A major question is whether this new post is merely a new attack
vector that the researcher had not been aware of in November, and/or a
new attack vector that's been enabled by the new version that he later
tested, or if Altiris attempted to fix the November bug but didn't do
it properly.

I'll email Reed to get some clarification, but at this point, CVE is
considering these two separate issues (CAN-2005-1590 and
CAN-2004-2070, forthcoming).

- Steve