Vulnerabilities > CVE-2015-1484 - Local Privilege Escalation vulnerability in Symantec Workspace Streaming 6.1/7.5

047910
CVSS 6.9 - MEDIUM
Attack vector
LOCAL
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
symantec
nessus

Summary

Unquoted Windows search path vulnerability in the agent in Symantec Workspace Streaming (SWS) 6.1 before SP8 MP2 HF7 and 7.5 before SP1 HF4, when AppMgrService.exe is configured as a service, allows local users to gain privileges via a Trojan horse executable file in the %SYSTEMDRIVE% directory, as demonstrated by program.exe.

Weakness: CWE-426: Untrusted Search Path (http://cwe.mitre.org/data/definitions/426.html)

Vulnerable Configurations

Part Description Count
Application
Symantec
2

Nessus

NASL family: Windows
NASL id: SYMANTEC_WSA_SYM15-004.NASL
description: The version of the Symantec Workspace Streaming (SWS) agent installed on the remote Windows host is affected by a local privilege escalation vulnerability due to an unquoted search path in AppMgrService.exe. A local attacker can exploit this to execute arbitrary code with local system privileges. Note that Symantec Workspace Streaming was formerly known as Altiris Streaming System.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 83117
published: 2015-04-28
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/83117
title: Symantec Workspace Streaming Agent Unquoted Service Path Local Privilege Escalation (SYM15-004)
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration. This branch runs only when `description` is set: it
# declares the plugin's identity, advisory text, scoring and prerequisites,
# then exits before any of the check logic further down is reached.
if (description)
{
  script_id(83117);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  # Vulnerability identifiers this finding is reported under.
  script_cve_id("CVE-2015-1484");
  script_bugtraq_id(73925);

  script_name(english:"Symantec Workspace Streaming Agent Unquoted Service Path Local Privilege Escalation (SYM15-004)");
  script_summary(english:"Checks for unquoted service.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has software installed that uses an unquoted service
path.");
  script_set_attribute(attribute:"description", value:
"The version of the Symantec Workspace Streaming (SWS) agent installed
on the remote Windows host is affected by a local privilege escalation
vulnerability due to an unquoted search path in AppMgrService.exe. A
local attacker can exploit this to execute arbitrary code with local
system privileges.

Note that Symantec Workspace Streaming was formerly known as Altiris
Streaming System.");
  # https://support.symantec.com/en_US/article.SYMSA1318.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6a72938c");
  script_set_attribute(attribute:"solution", value:
"Upgrade SWS agents to 6.1 SP8 MP2 HF7 / 7.5 SP1 HF4 or higher.");
  # CVSS v2 base vector: local access vector, medium access complexity, no
  # authentication, complete confidentiality / integrity / availability impact.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  # CVSS v2 temporal vector: exploitability unproven, official fix available,
  # report confidence confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1484");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/04/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/28");

  # "local" plugin type: the check below works from service data already
  # stored in the KB rather than from a version banner.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:symantec:workspace_streaming_agent");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:workspace_streaming");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: the check needs the service enumeration to have completed
  # and a recorded path for AppMgrService. Presumably both KB keys are written
  # by smb_enum_services_params.nasl (confirm against that plugin); without
  # them there is no service path to evaluate.
  script_dependencies("smb_enum_services_params.nasl");
  script_require_keys("SMB/Services/Enumerated", "SMB/svc/AppMgrService/path");

  exit(0);
}

include("smb_func.inc");

##
# Reduce a Windows service command line to just its executable path.
#
# @anonparam  the raw service path string (executable plus any arguments)
#
# @return  the quoted path, quotes included, when the string starts with '"';
#          otherwise a best-effort guess at the unquoted executable path with
#          trailing arguments removed
#
# NOTE(review): the unquoted branch is heuristic. Anything after the first
# '/' or the first ' -' is treated as an argument, so a directory name that
# contains either sequence is cut short and the caller sees a truncated path.
##
function extract_service_path()
{
  local_var svc_cmd;

  svc_cmd = _FCT_ANON_ARGS[0];

  # A leading '"' means the executable is already delimited: keep the quoted
  # token (with its quotes, which the caller relies on) and drop the rest.
  if (svc_cmd =~ '^"')
    return ereg_replace(pattern:'^("[^"]+").*', string:svc_cmd, replace:"\1");

  # Unquoted: keep the first drive-letter path and discard anything from a
  # second ':' onwards (i.e. further paths passed as arguments).
  svc_cmd = ereg_replace(pattern:'^(\\s+)?("?[A-Za-z]:\\\\[^:]+).*', string:svc_cmd, replace:"\2");

  # Drop '/flag' style arguments: remove everything from the first '/'.
  if ('/' >< svc_cmd)
    svc_cmd = svc_cmd - substr(svc_cmd, stridx(svc_cmd, '/'));

  # Drop ' -flag' style arguments: remove everything from the first ' -'.
  if (' -' >< svc_cmd)
    svc_cmd = svc_cmd - substr(svc_cmd, stridx(svc_cmd, ' -'));

  # Bare positional arguments: stop at the first whitespace that follows the
  # file extension of the last path component.
  return ereg_replace(pattern:'^([A-Za-z]:\\\\.*\\\\[^\\.]+\\.[^\\s]+).*', string:svc_cmd, replace:"\1");
}

# Main check: read the recorded AppMgrService command line from the KB and
# report when its executable path contains a space without being quoted.
#
# The finding is driven purely by how the path is written, not by the
# installed SWS version. NOTE(review): confirm that fixed builds always
# register a quoted path, otherwise a patched host could still be flagged.
raw_cmdline = get_kb_item_or_exit('SMB/svc/AppMgrService/path');
path = extract_service_path(raw_cmdline);

# Three conditions must all hold:
#   - the path contains a space,
#   - it is not wrapped in double quotes,
#   - the whitespace is not merely trailing padding after a space-free path.
if (
  ' ' >< path &&
  path !~ '^".*"$' &&
  path !~ '^[^\\s]+\\s+$'
)
{
  # Record the hit so the generic unquoted-service check can skip this
  # service instead of reporting it a second time.
  set_kb_item(name:"SMB/Unquoted/AppMgrService", value:"TRUE");

  # Report against the SMB transport port, defaulting to 445 when unset.
  port = get_kb_item('SMB/transport');
  if (isnull(port)) port = 445;

  if (report_verbosity <= 0)
  {
    security_warning(port);
  }
  else
  {
    # Include the offending path so the operator can locate the service
    # entry that needs quoting or upgrading.
    report =
      '\nNessus found the following service with an untrusted path : ' +
      '\n  Service name : AppMgrService ' +
      '\n  Service path : ' + path + '\n';
    security_warning(port:port, extra:report);
  }
  exit(0);
}

# Path is quoted or has no embedded space: the host is not affected.
audit(AUDIT_HOST_NOT, 'affected');