Servers Alive: Local Privilege Escalation

[Michael Starks <secure () michaelstarks com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

#######################################################################
Advisory information:

Title: Servers Alive - Privilege Escalation
CVE Candidate Number: CAN-2005-0352
Application: Servers Alive
Versions known affected: 4.1, 5.0; other versions not tested.
Classification: Privilege Escalation
Author: Michael Starks
Release date: March 16, 2005

#######################################################################
1. Introduction
2. Synopsis
3. Discussion
4. Impact
5. Resolution and/or workaround
6. Vendor Notification timeline
7. Acknowledgments
#######################################################################

1. Introduction
================
- From www.woodstone.nu:

Servers alive allows you to easily monitor hundreds of servers, or Internet 
services on a server, for uptime and availability. When it detects that a 
monitored service or computer has gone down it can make you aware through a 
variety of means.

2. Synopsis
============
A privilege-escalation vulnerability exists, allowing a local non-privileged 
user to obtain SYSTEM.

3. Discussion
==============
Servers Alive can be run in two modes; as an application or as a 
service.  When run as a service, the application is permitted to interact 
with the desktop and runs under the context of SYSTEM.  When loading the 
'Local manual' under help, the application does not drop privileges.  
Consequently, it is possible to assume SYSTEM privileges by:

Viewing the source of the help file, which opens in Notepad.
In Notepad, selecting File, Open.
Launching a system utility such as cmd.exe.

4. Impact
==========
Full local compromise of the host on which Servers Alive is installed.

5. Resolution and/or workaround
================================
The vendor considers this to be a problem with Visual Basic, the language in 
which the application is written.  The vendor has no immediate plans to fix 
the bug and will update documentation to reflect the risks associated with 
running the application under the local SYSTEM account and allowing desktop 
interaction.

To workaround this bug, the following recommendations may be helpful:
- -Only allow trusted users with Administrator-level privileges to logon 
interactively.
- -Physically secure the server on which the application is installed.
- -Do not run the application as a service.

6. Vendor Notification timeline
================================
01/24/05: Vendor notified.
01/25/05: Vendor responded, discussion ensued
01/29/05: CERT notified
02/18/05: CVE Candidate Number assigned from CERT
03/15/05: Advisory publicly released

7. Acknowledgments
=================
- -Dirk Bulinckx of Woodstone Consulting for his quick response and subsequent 
discussion
- -Ralph Durkee of Durkee Consulting, Inc. for advisory review
- -CERT for coordination of CVE candidate number

#######################################################################
Copyright 2005, Michael Starks.  Some rights reserved.  The information in 
this advisory is believed to be true and accurate, however the author offers 
no guarantees of suitability for any purpose.  The research contained within 
is for education purposes only.  This advisory is licensed under the Creative 
Commons Attribution-NonCommercial-NoDerivs License. To view a copy of this 
license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/ or send a 
letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 
94305, USA.
#######################################################################
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCOGTdso0LP9XgARoRAoX3AKDyORraLveX1estm0lqsAEBZu6mdgCg6WQR
fr2//16oim4X/CZ19RzOKl4=
=4uWt
-----END PGP SIGNATURE-----