<<< Date Index >>>     <<< Thread Index >>>

Critical Vulnerability in Altiris Deployment Server architecture




Subject: 
Design flaw in Altiris Deployment Server - Attacker can take over all clients 
on a network with Admininstrator Rights and Remote Control ability


PRODUCTS AFFECTED:
---------------------------------------------------------------------------------------------

ALTIRIS DEPLOYMENT SERVER - 5.x, 6.x, possibly other versions (untested)
POSSIBLY OTHERS? - I have not worked with any of the other Altiris products, so 
I do not know if they are vulnerable to this, similar or other possible 
exploits.


SUMMARY:
---------------------------------------------------------------------------------------------

There is a design flaw in the Deployment Server architecture that could allow 
an attacker to take complete control over all Altiris clients on a network with 
relative ease.

The flaw is that the AClient.exe process does not request any authentication 
from the Deployment server and will happily connect to any Deployment server it 
finds and give it complete Administrator rights to the machine along with the 
ability to Remotely Control it.

This flaw can be exploited via physical or wireless access to the network 
Deployment Server is on, or remotely through a compromised system anywhere on 
the network that Altiris Deployment server is on and can potentially give an 
attacker complete administrative access to some or all managed clients.

This can be done with little or no advance knowledge of the network or client 
configurations prior to the attack, depending on the AClient.exe configuration 
used.


THREAT MITIGATION:
---------------------------------------------------------------------------------------------

Due to a design flaw in the AClient.exe's lack of a proper authentication 
system, there is little you can do to prevent these exploits.

The best things you can do to protect yourself until Altiris fixes their 
product is:

1) DO NOT USE THE "Use TCP/IP Multicast to locate a Deployment Server" OPTION 
WHEN INSTALLING ACLIENT.EXE.  Put in a fixed IP address and Port number when 
installing the client.  

This will make it more difficult for someone to exploit this flaw, as they will 
have to disable the existing deployment server first, or use some other trick 
to make the attacker's machine seem like the "real" Deployment server.

2) TURN ON THE "Encrypt Sessions with Server" AND THE "Require Encrypted 
Sessions with Server" OPTIONS WHEN INSTALLING ACLIENT.EXE.  

This will require a client computer to reboot before it can be compromised, 
which creates an additional barrier of entry to an attacker, and give you more 
time to react in the event a Rogue Deployment server is detected on the network.

3) TURN ON THE "Remain Connected to the server" OPTION WHEN INSTALLING 
ACLIENT.EXE.

This will provide less of an opportunity for a client to unknowingly connect to 
a Rogue Deployment Server by maintaining the connection to the one the client 
first connected to.

4) DO NOT USE THE ?Advertise the server this client is connected to through 
multicasting? OPTION UNLESS ABSOLUTELY REQUIRED.

This would prevent a rouge deployment server from obtaining an additional 
compromise vector (the advertising AClient.exe connected to a rogue DS) to new 
machines to control.


SAMPLE EXPLOITS:
---------------------------------------------------------------------------------------------

PREREQUISITE:

BadGuy gets access to the network either (1) physically, by walking in the door 
and plugs his laptop into any network jack anywhere in the building or 
connecting to a wireless network access point inside or outside of the 
building, or (2) by gaining access to any computer on the network, such as 
through any variety of cracks, viruses, trojans, stolen password, etc..  For 
purposes of this discussion, I will assume that he simply walks in the door and 
plugs in a network cable, though it really makes no difference how he connects 
in order to exploit this flaw.

SCENARIO ONE:  AClient.exe configured to connect to Deployment Server via 
network broadcast

His laptop is running its own copy of Deployment Server ("DS" from here on) 
(which is available for a free download online (though it is limited to 10 
clients)).  When clients are booted up, they will send a broadcast request to 
the network.  If the laptop responds faster than the company's "Official" DS 
("ODS" from here on) , then the client will connect to it, and BadGuy now has 
complete control over the client through the AClient service.

Furthermore, if BadGuy can knock the official DS off the network (through any 
variety of Denial of Service attacks, ARP Poisoning, etc.) it can assume the 
role of the ODS, with the same IP address even, and take over more clients.  
Additionally BadGuy can potentially determine the IP address of the ODS by 
watching network traffic and seeing the broadcast messages that are sent to the 
ODS, in order to determine the IP address to attack and assume the role of.

SCENARIO TWO:  AClient.exe configured to connect to Deployment Server via 
direct IP address (for example, IP: 1.2.3.4) or hostname.

Same as above, but BadGuy can redirect clients to his laptop by ARP-Poisoning 
(which makes the network's switches and routers think that the laptop is the 
machine they should send connect to for the IP address 1.2.3.4) or by using a 
Denial of Service attack to knock the ODS offline, and the laptop then starts 
functioning with the IP address
1.2.3.4.

Again, complete control of all clients is on the network is easily achieved.

SCENARIO THREE:  AClient.exe configured to connect to Deployment Server via 
encrypted connection.

Same as above scenarios except that it will require that a client to reboot 
(for any reason) before the client can be hijacked.  When the client computer 
reboots, it will request new session keys from the DS, in this case the 
BadGuy's DS, and will use these keys (now provided by BadGuy's DS) to encrypt 
the session communications.


POSSIBLE FIX (for ALTRIS):
---------------------------------------------------------------------------------------------

The root of this problem is that the AClient does not require any 
authentication to connect to it.  It will happily talk to any DS that it finds.

The AClient must be modified (and therefore the Deployment Server itself) to 
provide a method of authorizing a DS to talk to AClient, and possibly the 
vice-versa.

The simplest method of fixing this would be have a password set for each 
AClient upon installation.

Upon connecting, the client and server would verify that they are talking to an 
authorized system using standard password-testing methods (ie: don?t send the 
password to the other system, send a hash of it to prevent spoofing and getting 
the password that way).  Only after authentication would the client and server 
be allowed to interact further.


VENDOR NOTIFICATION:
---------------------------------------------------------------------------------------------

Altiris tech support was notified of this problem and sent the details of this 
vulnerability on Friday, November 21, 2003.

Altiris confirmed the problem and assigned it to a support ticket which was 
escalated for management attention.

I was informed that it had been scheduled to be fixed in a future release, but 
they did not provide an ETA or any other details.

Since then no follow-up inquiries to Altiris have been responded to.

Since it has been nearly a year, with three new versions (6.0, 6.1, 6.1sp1) and 
it still does not appear to have been resolved, I am publishing this alert to 
inform systems administrators of the vulnerability to their networks.


ANALYST INFORMATION:
---------------------------------------------------------------------------------------------
 
Brian Gallagher - DiamondSea.com - brian@xxxxxxxxxxxxxx
We Make E-Commerce Easy - No Technical Experience Required
Consulting - E-Commerce - Web Site Design - Custom Programming
http://www.DiamondSea.com - Toll-Free: 800-604-1476 - Fax: 888-411-8144