[VIM] Altiris AClient privilege escalation bugs - one or two?

security curmudgeon jericho at attrition.org
Wed May 18 06:19:12 EDT 2005

: Various vulnerability information sources appear to be combining two 
: separate Altiris Client Service for Windows (AClient) privilege 
: escalation reports into a single issue; however, the reported versions, 
: and methods of attack, suggest that there may be separate issues, 
: although closely related.
: Both issues were announced by the same researcher, Reed Arvin.  One was 
: announced in November 2004 and one in April 2005.

To me that stands out and suggests two issues. Reed Arvin has disclosed a 
number of vulnerabilities.. seems he would point out "still not patched" 
if it was the same issue.

: November 2004 -

11995 Altiris Deployment Solution AClient Service Taskbar Local Privilege Escalation

:   Method of attack: open the AClient tray icon, use View Log File,
:                     launch cmd.exe with SYSTEM privileges
: April 2005 -

15896 Altiris Deployment Solution AClient Password Protection Bypass
15897 Altiris Deployment Solution AClient System Tray Icon Privilege Escalation

I broke this out as two separate issues. If the client was running under 
an account with privileges, just bypassing the password protection could 
give an attacker increased privileges. If it isn't, then using the second 
issue can escalate as well.

:   Method of attack: use a program to find the "Altiris Client Service"
:                     window.  Report implies that this window is
:                     normally hidden - "Compile and run the following
:                     code to unhide the Altiris Client Service window."
:                     The user can then modify the various options in
:                     the window, including disabling the "Hide client
:                     tray icon box" option.  This in turn enables the
:                     same attack as specified in the November 2004
:                     report.

So OSVDB 11995 and 15897 are duplicates in our database it seems. Both use 
the same method to gain privileges, the only difference is the time that 
passed between disclosures.

: A major question is whether this new post is merely a new attack vector 
: that the researcher had not been aware of in November, and/or a new 
: attack vector that's been enabled by the new version that he later 
: tested, or if Altiris attempted to fix the November bug but didn't do it 
: properly.
: I'll email Reed to get some clarification, but at this point, CVE is 
: considering these two separate issues (CAN-2005-1590 and CAN-2004-2070, 
: forthcoming).

Based on the above, yes. 

