Insomnia : ISVA-080516.1 - Altiris Deployment Solution - SQL Injection
__________________________________________________________________
Insomnia Security Vulnerability Advisory: ISVA-080516.1
___________________________________________________________________
Name: Altiris Deployment Solution - SQL Injection
Released: 16 May 2008
Vendor Link:
http://www.altiris.com/
Affected Products:
Altiris Deployment Solution 6.8.x & 6.9.x
Original Advisory:
http://www.insomniasec.com/advisories/ISVA-080516.1.htm
Researcher:
Brett Moore, Insomnia Security
http://www.insomniasec.com
___________________________________________________________________
_______________
Description
_______________
Altiris deployment solution is a suite installed to manage the
configuration and operation of machines on the network. SQL Server
is used as the backend database.
Altiris deployment solution listens for connections from the Altiris
client on port 402. It is possible to make a request that will
result in the exploitation of a SQL Injection vulnerability. This
leads to database access under the context of the Deployment server,
which typically then allows, command execution under the context of
the SQL Server.
Note that through access to the SQL server, it is possible to take
control of all clients managed by the server.
_______________
Details
_______________
When a client machine that is running Altiris client 'comes alive'
it makes contact with the Deployment server and sends a
notification packet to alert the server that the client machine
is available.
This packet is an ASCII based packet with a terminating NULL
character.
At least two of the strings contained in this packet can be used
to inject arbitrary SQL syntax into a SQL call, resulting in
SQL injection.
_______________
Solution
_______________
Symantec have released a security update to address this issue;
http://www.symantec.com/avcenter/security/Content/2008.05.14a.html
_______________
Legals
_______________
The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.
___________________________________________________________________
Insomnia Security Vulnerability Advisory: ISVA-080516.1
___________________________________________________________________