Advisories

SYBSEC-ADV15: Symantec Altiris Client Service Privilege Escalation Vulnerability

Title	`Symantec Altiris Client Service Privilege Escalation Vulnerability`
ID	`SYBSEC-ADV15`
Severity	`HIGH`
History	`20.AUG.2007 Vulnerability discovered 12.MAR.2008 Vendor contacted 14.MAY.2008 Release Hotfix`
Scope	`Privilege Escalation`
Platforms	`Altiris Client Service`
Author	`Alex Hernandez <ahernandez [at] sybsecurity [dot] com>`
URL	`http://www.sybsecurity.com/advisors/SYBSEC-ADV15-Symantec_Altiris_Client_Privilege_Escalation_Vulnerability`
Release	`Public`
Overview	`Altiris Inc. is a subsidiary of Symantec specializing in service-oriented management software which allows organizations to manage IT assets. They also provide software for web services, security, and systems management products. Altiris has solutions to meet regulatory and legal requirements. This includes auditing, security, change management and patch management of software.`
Affected versions	`The vulnerability has been reported in versions Altiris Client Service Altiris Client 6.5.248 Altiris Client 6.5.299 Altiris Client 6.8.378`
Description	`A vulnerability has been identified in Symantec Altiris Service, which could be exploited by local attackers to obtain elevated privileges.`
Workaround	`Upgrade the software version you can download from: http://kb.altiris.com`
Acknowledgments	`This vulnerability have been found and researched by: - Alex Hernandez <ahernandez [at] sybsecurity [dot] com> - Eduardo Vela <sirdarckcat [at] gmail [dot] com> - - We were very very patient. Thanks to Craig Ozancin and Mike (Symantec Corp.) for your response and support.`
References	`* Altiris: http://www.altiris.com * Symantec Corp: http://www.symantec.com/avcenter/security/Content/2008.05.14a.html * SYB Security: http://www.sybsecurity.com`
Details	`This issue is caused by an unspecified error in the Altiris Client Service, which could allow malicious users to execute arbitrary code with elevated privileges via a WM_COMMANDHELP attack.`
Exploit tool	`sybsec-adv15.txt`