Altiris Deployment Solution AClient.exe Unauthenticated Remote Access

2004-10-21T08:12:44
ID OSVDB:11031
Type osvdb
Reporter Brian Gallagher (brian@diamondsea.com)
Modified 2004-10-21T08:12:44

Description

Vulnerability Description

Deployment Solution contains a flaw that may allow a malicious user to gain full administrative access to clients on the network. The issue is due to the AClient.exe process not requesting any authentication from the server and is triggered when the attacker tricks a client into connecting to a malicious Deployment Solution server. It is possible that the flaw may allow the attacker to gain full administrative access and remote control of the client, resulting in a loss of integrity.

Technical Description

Attack vectors for different AClient.exe setups:

CASE 1: AClient.exe is configured to connect to the Deployment server via broadcast request. The attacker connects a malicious machine running Deployment server to the network. Clients that have just booted up send a broadcast request to the network. If the malicious Deployment server responds to the broadcast request faster than the official Deployment server, or assumes the role of the official Deployment server, then the attacker gains full control of the client through the AClient.exe process.

CASE 2: AClient.exe is configured to connect to the Deployment server via a direct IP address. The attacker takes the official Deployment server off the network through DoS or ARP poisoning. The attacker then runs a malicious Deployment server with the same IP address as the official Deployment server. This allows the attacker to gain full control of clients through the AClient.exe process.

CASE 3: AClient.exe is configured to connect to the Deployment server via an encrypted connection. The attacker takes the official Deployment server off the network through DoS or ARP poisoning. The attacker then runs a malicious Deployment server with the same IP address as the official Deployment server. Successful exploitation requires the user to reboot, in which case the client will request new Deployment server session keys from the now malicious Deployment server and will use these to encrypt communication. This also allows the attacker to gain full control of clients through the AClient.exe process.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):

1) Do not use the "Use TCP/IP Multicast to locate a Deployment Server" option when installing aclient.exe. Put in a fixed IP address and Port number when installing the client.
2) Turn on the "Encrypt Sessions with Server" and the "Require Encrypted Sessions with Server" options when installing aclient.exe.
3) Turn on the "Remain Connected to the server" option when installing aclient.exe.
4) Do not use the "Advertise the server this client is connected to through multicasting" option unless absolutely required.

References:

Vendor URL: http://www.altiris.com/products/deploymentsol/
Security Tracker: 1011862
Secunia Advisory ID: 12944
Packet Storm: http://packetstormsecurity.org/0410-advisories/altiris.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-10/0211.html
ISS X-Force ID: 17814
CVE-2004-2622
Bugtraq ID: 11498