carboncopy.txt

`The only reason this was never disclosed was originally in hopes of   
proper vendor response... I spoke to their tech support about 5 times   
but they were just total morons. I eventually gave up.  
  
I was going to write a shatter like attack so this could be exploited   
ala .exe file but I never had time.  
  
Tested on Carbon Copy Version 6.0.5257  
  
Start the Carbon Copy Service...  
CCSRVC.exe is running as SYSTEM.  
  
In the task bar you should see a little blue and white CC icon. Right   
click on it and choose show user interface. CCW32.exe will then be   
started with SYSTEM rights.  
  
Choose help then "carbon copy help topics"... right click on the right   
hand side of the help pane and choose "view source". You should get   
notepad.exe running as SYSTEM. Click File then open... browse to cmd.exe   
right click and open it.  
  
Now you have local SYSTEM  
  
  
Carbon Copy Scheduler at one point in time had its own service as well   
so it could also be used to take SYSTEM... CCSched.exe runs as SYSTEM.  
The schedulers help button can be used to take SYSTEM. The Add button   
will take you to an other screen with a browse button that can be used...  
  
Several variations of this span the products various versions. The   
latest version I used did not contain the Scheduler Service...  
  
I will eventually write up a proper advisory for this and an exploit   
but... like I stated above... just been too busy to write the exploit.  
  
Enjoy.  
  
-KF  
  
  
Brooks, Shane wrote:  
> Can you elaborate a bit on the privilege escalation that you mentioned? If the hole has indeed been there over a year, why not disclose it publicy? Does anyone else have any info on Altiris vulnerabilities?   
>   
  
`