Servers Alive: Local Privilege Escalation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

#######################################################################
Advisory information:

Title: Servers Alive - Privilege Escalation
CVE Candidate Number: CAN-2005-0352
Application: Servers Alive
Versions known affected: 4.1, 5.0; other versions not tested.
Classification: Privilege Escalation
Author: Michael Starks
Release date: March 16, 2005

#######################################################################

1. Introduction

2. Synopsis

3. Discussion

4. Impact

5. Resolution and/or workaround

6. Vendor Notification timeline

7. Acknowledgments
   #######################################################################

8. Introduction
   ================

• From www.woodstone.nu:

Servers alive allows you to easily monitor hundreds of servers, or Internet
services on a server, for uptime and availability. When it detects that a
monitored service or computer has gone down it can make you aware through a
variety of means.

2. Synopsis
   ============
   A privilege-escalation vulnerability exists, allowing a local non-privileged
   user to obtain SYSTEM.

3. Discussion
   ==============
   Servers Alive can be run in two modes; as an application or as a
   service.  When run as a service, the application is permitted to interact
   with the desktop and runs under the context of SYSTEM.  When loading the
   'Local manual' under help, the application does not drop privileges.
   Consequently, it is possible to assume SYSTEM privileges by:

Viewing the source of the help file, which opens in Notepad.
In Notepad, selecting File, Open.
Launching a system utility such as cmd.exe.

4. Impact
   ==========
   Full local compromise of the host on which Servers Alive is installed.

5. Resolution and/or workaround
   ================================
   The vendor considers this to be a problem with Visual Basic, the language in
   which the application is written. The vendor has no immediate plans to fix
   the bug and will update documentation to reflect the risks associated with
   running the application under the local SYSTEM account and allowing desktop
   interaction.

To workaround this bug, the following recommendations may be helpful:

• -Only allow trusted users with Administrator-level privileges to logon
  interactively.
• -Physically secure the server on which the application is installed.
• -Do not run the application as a service.

6. Vendor Notification timeline
   ================================
   01/24/05: Vendor notified.
   01/25/05: Vendor responded, discussion ensued
   01/29/05: CERT notified
   02/18/05: CVE Candidate Number assigned from CERT
   03/15/05: Advisory publicly released

7. Acknowledgments
   =================

• -Dirk Bulinckx of Woodstone Consulting for his quick response and subsequent
  discussion
• -Ralph Durkee of Durkee Consulting, Inc. for advisory review
• -CERT for coordination of CVE candidate number

#######################################################################
Copyright 2005, Michael Starks.  Some rights reserved.  The information in
this advisory is believed to be true and accurate, however the author offers
no guarantees of suitability for any purpose.  The research contained within
is for education purposes only.  This advisory is licensed under the Creative
Commons Attribution-NonCommercial-NoDerivs License. To view a copy of this
license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/ or send a
letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California
94305, USA.
#######################################################################
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCOGTdso0LP9XgARoRAoX3AKDyORraLveX1estm0lqsAEBZu6mdgCg6WQR
fr2//16oim4X/CZ19RzOKl4=
=4uWt
-----END PGP SIGNATURE-----