[VIM] Altiris AClient privilege escalation bugs - one or two?

Steven M. Christey coley at mitre.org
Mon May 16 14:54:06 EDT 2005

Various vulnerability information sources appear to be combining two
separate Altiris Client Service for Windows (AClient) privilege
escalation reports into a single issue; however, the reported
versions, and methods of attack, suggest that there may be separate
issues, although closely related.

Both issues were announced by the same researcher, Reed Arvin.  One
was announced in November 2004 and one in April 2005.

November 2004 -

  BUGTRAQ:20041119 Privilege escalation flaw in AClient Service for
                   Windows (Version 5.6.181).

  Affected version: 5.6 SP1 Hotfix E (5.6.181)

  Method of attack: open the AClient tray icon, use View Log File,
                    launch cmd.exe with SYSTEM privileges

April 2005 -

  FULLDISC:20050427 Privilege escalation and password protection
                    bypass in Altiris Client Service for Windows
                    (Version 6.0.88)


  Affected version: 6.0.88

  Method of attack: use a program to find the "Altiris Client Service"
                    window.  Report implies that this window is
                    normally hidden - "Compile and run the following
                    code to unhide the Altiris Client Service window."
                    The user can then modify the various options in
                    the window, including disabling the "Hide client
                    tray icon box" option.  This in turn enables the
                    same attack as specified in the November 2004

A major question is whether this new post is merely a new attack
vector that the researcher had not been aware of in November, and/or a
new attack vector that's been enabled by the new version that he later
tested, or if Altiris attempted to fix the November bug but didn't do
it properly.

I'll email Reed to get some clarification, but at this point, CVE is
considering these two separate issues (CAN-2005-1590 and
CAN-2004-2070, forthcoming).

- Steve

More information about the VIM mailing list