<<< Date Index >>>     <<< Thread Index >>>

[Fwd: Altiris Carbon Copy Remote Control local SYSTEM exploitation.]



--- Begin Message --- The only reason this was never disclosed was originally in hopes of proper vendor response... I spoke to their tech support about 5 times but they were just total morons. I eventually gave up.

I was going to write a shatter like attack so this could be exploited ala .exe file but I never had time.

Tested on Carbon Copy Version 6.0.5257

Start the Carbon Copy Service...
CCSRVC.exe is running as SYSTEM.

In the task bar you should see a little blue and white CC icon. Right click on it and choose show user interface. CCW32.exe will then be started with SYSTEM rights.

Choose help then "carbon copy help topics"... right click on the right hand side of the help pane and choose "view source". You should get notepad.exe running as SYSTEM. Click File then open... browse to cmd.exe right click and open it.

Now you have local SYSTEM


Carbon Copy Scheduler at one point in time had its own service as well so it could also be used to take SYSTEM... CCSched.exe runs as SYSTEM. The schedulers help button can be used to take SYSTEM. The Add button will take you to an other screen with a browse button that can be used...

Several variations of this span the products various versions. The latest version I used did not contain the Scheduler Service...

I will eventually write up a proper advisory for this and an exploit but... like I stated above... just been too busy to write the exploit.

Enjoy.

-KF


Brooks, Shane wrote:
Can you elaborate a bit on the privilege escalation that you mentioned? If the hole has indeed been there over a year, why not disclose it publicy? Does anyone else have any info on Altiris vulnerabilities?


--- End Message ---