Multiple vulnerabilities have been identified in Symantec Altiris Deployment Solution, which could be exploited by attackers or malicious users to disclose sensitive information, bypass security restrictions, inject SQL queries, or execute arbitrary code with elevated privileges.
The first issue is caused by an unspecified SQL injection error, which could allow a user with authorized network access to execute arbitrary code on a vulnerable system.
The second vulnerability is caused by an unspecified error that could allow a remote user with authorized network access to request and obtain encrypted domain credentials without being authenticated.
The third issue is caused by an unspecified error in the Agent's user interface, which could allow a non-privileged user to access a privileged command prompt.
The fourth vulnerability is caused by an error when handling common graphical user interface elements (tooltip), which could allow a non-privileged user to access a command prompt running under elevated privileges.
The fifth issue is caused due to the application creating several registry keys with insufficient access security, which could allow local users to modify or delete these registry keys, resulting in possible unauthorized access to system information or a denial of service.
The sixth vulnerability is caused due to insecure permissions being set on the install directory, which could be exploited by local attackers to replace application components with arbitrary code that will be run with administrative privileges.
Credits
Vulnerabilities reported by Brett Moore (Insomnia Security), ZDI (Zero Day Initiative), Alex Hernandez (sybsecurity.com) and Eduardo Vela.
ChangeLog
2008-05-15 : Initial release
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
