Insomnia : ISVA-080516.2 - Altiris Deployment Solution - Domain Account Disclosure

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Insomnia : ISVA-080516.2 - Altiris Deployment Solution - Domain Account Disclosure
From: "Brett Moore" <brett.moore@xxxxxxxxxxxxxxx>
Date: Mon, 19 May 2008 10:21:31 +1200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: Aci5NYXtV40wckYTSRWy7EJs5NGePQ==

__________________________________________________________________

 Insomnia Security Vulnerability Advisory: ISVA-080516.2
___________________________________________________________________

 Name: Altiris Deployment Solution - Domain Account Disclosure
 Released: 16 May 2008
  
 Vendor Link: 
    http://www.altiris.com/
  
 Affected Products:
    Altiris Deployment Solution 6.8.x & 6.9.x
 
 Original Advisory: 
    http://www.insomniasec.com/advisories/ISVA-080516.2.htm
 
 Researcher: 
    Brett Moore, Insomnia Security
    http://www.insomniasec.com
___________________________________________________________________

_______________

 Description
_______________

Altiris deployment solution is a suite installed to manage the 
configuration and operation of machines on the network. Part of 
the Deployment solution setup involves configuring the domain 
accounts to be used to access the various clients for imaging 
and configuration jobs.

Altiris deployment solution listens for connections from the 
Altiris client on port 402. It is possible to make a request to 
this port that will result in the encrypted domain credentials 
being returned.  

The encryption is not salted or specific to the install, allowing 
for offsite decryption of the credentials.

_______________

 Details
_______________

The retrieved encrypted credentials can be placed into a local
installation, through direct insertion into the SQL server
database. The GUI can then be used to view the decrypted 
credentials.

Alternatively a standalone tool to decrypt the credentials could 
easily be written.

_______________

 Solution
_______________

Symantec have released a security update to address this issue;
http://www.symantec.com/avcenter/security/Content/2008.05.14a.html

_______________

 Legals
_______________

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___________________________________________________________________
 
Insomnia Security Vulnerability Advisory: ISVA-080516.2
___________________________________________________________________

Prev by Date: Smeego CMS vulnerability
Next by Date: Re: Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
Previous by thread: Smeego CMS vulnerability
Next by thread: Wordpress Malicious File Execution Vulnerability
Index(es):
- Date
- Thread