
How to implement vulnerability Analysis of Altiris privilege escalation

2025-01-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Many readers are unsure how to analyse the Altiris privilege escalation vulnerability, so this article summarizes the cause of the problem and its remediation. We hope it helps you resolve the issue.

Preface

During a recent penetration test we found a security vulnerability in the latest version of Symantec Management Agent (Altiris) that allows an attacker to escalate privileges.

Overview

When the Altiris agent performs a scan task (such as a software scan), the SYSTEM-level service re-applies permissions to the NSI and Outbox directories after the scan completes, namely:

C:\Program Files\Altiris\Inventory\Outbox
C:\Program Files\Altiris\Inventory\NSI

The permissions applied give members of the 'Everyone' group full control of both directories, and any standard user can replace either directory with a link (mount point). The 'Everyone' full-control permission is therefore applied to whichever directory the link points to, and every file and folder in that directory inherits it.

This means that any low-privileged user can escalate privileges on an endpoint with Symantec Management Agent v7.6, v8.0 or v8.1 RU7 installed.

Analysis & discovery

During penetration tests we frequently encounter hosts with various kinds of endpoint software installed. This software is often a useful entry point, because it can let us escalate privileges or move laterally.

Among endpoint management products, we often see Symantec's Altiris. It is an endpoint management framework that helps organizations and administrators ensure devices carry the latest operating system patches and software updates, and it also checks user and group permissions.

The version we tested was v7.6, but Symantec confirmed that all Altiris versions released before the latest patch are affected by this issue.

We found that directories in the Altiris file layout have 'Everyone: Full Control' permissions applied. These directories appear to hold legitimate content, such as scan configuration files and XML files. A single line of PowerShell is enough to dump the ACLs of every file and directory on a Windows host and spot permissions like these:

# Walk the whole drive, read each item's ACL, and export the result to CSV for review
Get-ChildItem C:\ -Recurse -ErrorAction SilentlyContinue | ForEach-Object { try { Get-Acl -Path $_.FullName | Select-Object PSChildName, PSPath, AccessToString } catch {} } | Export-Csv C:\temp\acl.csv -NoTypeInformation

Looking at the timestamps of these directories, we noticed that the files inside them change from day to day. After further investigation we found that the files are modified whenever Altiris performs a system or software scan, which can happen several times a day depending on how an organization has configured its scan tasks.

This is where it gets interesting: having found this behaviour, we set out to check whether the attack techniques recently disclosed by Cylance would work here.

The following are the directory permissions for the NSI folder, which are identical to those of the Outbox directory:

Next, we can use James Forshaw's symbolic link testing tools to redirect the directory to another location, creating a mount point that targets a different directory, and then check whether the files in that target directory have their permissions overwritten. This worked. The Sysinternals junction tool could also be used, but it requires that the source directory does not exist, whereas our directory already exists and carries the 'Everyone' permission. For example:

If we delete the directory, we no longer have the permissions needed to carry out this attack. James Forshaw's tools, however, allow an existing directory to be converted in place:

Another Windows tool, mklink.exe, can also be used with this technique, but it requires elevated privileges, so it does not apply here: our starting point is a low-privileged user, and privilege escalation is the goal.

Attack analysis

How can the attack be carried out? There are many ways to exploit this vulnerability, but the simplest is to target the entire Altiris root directory ("C:\Program Files\Altiris\Altiris Agent\"), which lets us modify the service binary that runs under the SYSTEM account, AeXNSAgent.exe.

The following screenshot shows the permissions of the Altiris Agent directory and the AeXNSAgent.exe service binary before the mount point changes them:

Next, we create a mount point that points to the Altiris Agent directory. Once the scan runs, the service grants full control on every file in that directory, which is very simple to achieve. James Forshaw's symbolic link testing tools can be used here to create and verify the mount point.

Next, we simply need the target host to run the scan task again; the screenshot below shows the result:

Once we have full control of AeXNSAgent.exe, we can replace the service binary and restart the host to obtain SYSTEM privileges.

Altiris Management Agent v7.6, v8.0 and v8.1 RU7 are all affected by this vulnerability, and we strongly recommend upgrading and patching as soon as possible.
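The following audit script is an added example and is not part of the original article nor Symantec's own tooling. It checks a host for the two conditions the write-up describes: an 'Everyone' full-control ACE on the Inventory\Outbox, Inventory\NSI and Altiris Agent directories (and on the AeXNSAgent.exe binary), and whether any of those directories has been turned into a reparse point (junction / mount point), which is what the abuse above relies on. It also reports the account the agent service runs as and the binary's version so the installed release can be compared against the affected versions listed. The paths and the binary name are taken from the article; the `$AltirisRoot` variable is an assumption and should be adjusted if the agent is installed elsewhere.

```powershell
# Added audit example (not from the original article). Run in an elevated PowerShell
# session so every ACL and service entry can be read.

$AltirisRoot = 'C:\Program Files\Altiris'   # assumed install root; change if needed
$Targets = @(
    (Join-Path $AltirisRoot 'Inventory\Outbox'),
    (Join-Path $AltirisRoot 'Inventory\NSI'),
    (Join-Path $AltirisRoot 'Altiris Agent'),
    (Join-Path $AltirisRoot 'Altiris Agent\AeXNSAgent.exe')
)

function Test-EveryoneFullControl {
    # True if an Allow ACE grants the Everyone group FullControl on the item.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq 'Everyone' -and
            $ace.FileSystemRights.ToString() -match 'FullControl') {
            return $true
        }
    }
    return $false
}

function Test-ReparsePoint {
    # True if the item carries the ReparsePoint attribute (junction, mount point or symlink).
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    return [bool]($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)
}

$report = foreach ($t in $Targets) {
    if (-not (Test-Path -LiteralPath $t)) {
        [pscustomobject]@{ Path = $t; Exists = $false; EveryoneFullControl = $null; ReparsePoint = $null; LinkTarget = $null }
        continue
    }
    $item = Get-Item -LiteralPath $t -Force
    [pscustomobject]@{
        Path                = $t
        Exists              = $true
        EveryoneFullControl = Test-EveryoneFullControl -Path $t
        ReparsePoint        = Test-ReparsePoint -Path $t
        # LinkType/Target are populated by PowerShell for reparse points (PS 5.1+)
        LinkTarget          = if ($item.LinkType) { ($item.Target -join ';') } else { $null }
    }
}

'--- Directory / binary audit ---'
$report | Format-Table -AutoSize

# Which service launches AeXNSAgent.exe, and under which account?
'--- Agent service ---'
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like '*AeXNSAgent.exe*' } |
    Select-Object Name, StartName, State, PathName |
    Format-Table -AutoSize

# Installed binary version, to compare against the affected releases named above
$agentExe = Join-Path $AltirisRoot 'Altiris Agent\AeXNSAgent.exe'
if (Test-Path -LiteralPath $agentExe) {
    '--- AeXNSAgent.exe version ---'
    (Get-Item -LiteralPath $agentExe).VersionInfo | Select-Object ProductVersion, FileVersion
}

# Summary verdict: any Everyone:FullControl ACE or a reparse point on these paths
# is a finding that should be investigated or remediated by patching.
$findings = $report | Where-Object { $_.Exists -and ($_.EveryoneFullControl -or $_.ReparsePoint) }
if ($findings) {
    Write-Warning ("{0} path(s) show the weak-ACL or reparse-point condition described in the article." -f $findings.Count)
} else {
    'No weak-ACL or reparse-point condition found on the audited paths.'
}
```

A directory that reports EveryoneFullControl = True matches the weakness described above; a directory that reports ReparsePoint = True with a LinkTarget outside the Inventory tree is a strong indicator that someone has already planted a mount point and deserves incident-response attention. Because the agent rewrites these ACLs after every scan, removing the ACE by hand is only a stopgap; the durable fix remains the vendor patch.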

After reading the above, do you know how to analyse Altiris privilege escalation vulnerabilities? If you want to learn more techniques or find out more about this topic, you are welcome to follow the industry information channel. Thank you for reading!


© 2024 shulou.com SLNews company. All rights reserved.
