__________________________________________________________________

 Insomnia Security Vulnerability Advisory: ISVA-080623.1
___________________________________________________________________

 Name: Altiris Notification Server Agent - Privilege Escalation 
 Released: 23 June 2008
 Advisory Update: 21 October 2008
  
 Vendor Link: 
    http://www.altiris.com/
      
 Affected Products:
    Altiris Notification Server Agent 6.X
 
 Original Advisory: 
    http://www.insomniasec.com/advisories/ISVA-080623.1.htm
 
 Researcher: 
    Brett Moore, Insomnia Security
    http://www.insomniasec.com
___________________________________________________________________

_______________

 Description
_______________

Altiris Notification agent is installed as part of the 
Altiris packages to allow the Notification Server to manage updates
for machines. It is usually installed to 
C:\Program Files\Altiris\Altiris Agent and the main running agent 
is called AeXNSAgent.exe. 

By default the agent runs under the Local System account and is
vulnerable to numerous Shatter Attack vulnerabilities leading
to an attacker running code under the Local System privilege.

We reported a first instance of this vulnerabilty which was
then patched, we then alerted Symantec to the second vulnerabilty.

_______________

 Details
_______________

The about window of the agent contains a Rich Text Box. This can 
be viewed by clicking the About icon.

Exploitation of the RichTextBox takes the following steps;
* Locate the RichTextBox window
* Set the text to cmd
* Set the EditWordBreakProc of the RichTextBox to the location of 
  the system() API call
* Invoke the EditWordbreakProc function by double clicking the text.

The initial patch that was released made changes to the message 
handler that prevents the messages used from reaching the window.

We then reported the second issue.

The notification agent has a listview as part of the visible Gui.
This listview can be used to overwrite memory within the 
vulnerable process, leading to arbitrary command execution. This
has been heavily documented in various whitepapers and list posts.
By overwriting a function pointer, the unhandled exception pointer
or the PEB lock pointer, obtaining a system level shell is trivial.

_______________

 Solution
_______________

Symantec have released a security update to address this issue;
http://www.symantec.com/avcenter/security/Content/2008.06.17.html

_______________

 Legals
_______________

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___________________________________________________________________
 
Insomnia Security Vulnerability Advisory: ISVA-080623.1
___________________________________________________________________