CVE-2008-2286
published 2008-05-18

CVE-2008-2286: SQL injection vulnerability in axengine.exe in Symantec Altiris Deployment Solution 6.8.x and 6.9.x before 6.9.176 allows remote attackers to execute arbitrary…

Priority: P262, high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 32.68% (98.1th percentile)
SQL injection vulnerability in axengine.exe in Symantec Altiris Deployment Solution 6.8.x and 6.9.x before 6.9.176 allows remote attackers to execute arbitrary SQL commands via unspecified string fields in a notification packet.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
symantec | altiris_deployment_solution | |
symantec | altiris_deployment_solution | |

Detection & IOCs (extracted from sources)

process: axengine.exe
port: 402
command: sp_configure "show advanced options", 1; reconfigure
command: sp_configure "xp_cmdshell", 1; reconfigure
command: master.dbo.xp_cmdshell 'cd %TEMP% && cmd.exe /c #{cmd}'
command: 2659, null, null;declare @querya VARCHAR(255);select @querya = 0x#{sqli};exec(@querya);--
  • Monitor TCP port 402 for inbound 'UpdateComputer' notification packets containing SQL metacharacters (e.g., semicolons, double-dashes, hex-encoded strings) in the Processor-Speed field, which is the injected numeric field.
  • Detect the specific injection pattern in the Processor-Speed field: a numeric value followed by SQL injection syntax such as 'null, null;declare @querya VARCHAR(255);select @querya = 0x...;exec(@querya);--'.
  • Alert on axengine.exe spawning cmd.exe or tftp.exe child processes, as the exploit retrieves and executes a payload via TFTP from %TEMP%.
  • Detect SQL Server xp_cmdshell enablement sequences originating from the Altiris axengine.exe process context: 'sp_configure "show advanced options", 1; reconfigure' followed by 'sp_configure "xp_cmdshell", 1; reconfigure'.
  • Detect invocation of the stored procedure 'wc_upd_disable_security' via SQL injection, which disables Deployment Console Authentication.
  • Exploit requires xp_cmdshell to be enabled (or enables it via SQLi); if xp_cmdshell is already disabled and the SQL Server account lacks ALTER SETTINGS permission, the shell-spawning stage will fail.
  • The exploit requires a TFTP client to be present on the target system to retrieve the payload; without it the attack cannot deliver the executable.
  • The Metasploit module targets Windows 2003 (x86) specifically; exploitation against other Windows versions may require adjustment.
  • The vulnerability affects Altiris Deployment Solution 6.8.x and 6.9.x before 6.9.176; versions at or above 6.9.176 are patched.
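
The host-side detections listed above (child processes of axengine.exe, the xp_cmdshell enablement sequence, and wc_upd_disable_security) can be expressed as one pass over time-ordered events. This is an added example, not code from this page or from any vendor; the event layout, field names, rule names and sample events are assumptions constructed for illustration, and the SQL events are assumed to be pre-filtered to the Altiris database connection.

```python
import re

# Patterns taken from the indicators listed on this page.
ADV_OPTS = re.compile(r"sp_configure\s+[\"']show advanced options[\"']\s*,\s*1", re.I)
XP_ENABLE = re.compile(r"sp_configure\s+[\"']xp_cmdshell[\"']\s*,\s*1", re.I)
DISABLE_AUTH = re.compile(r"\bwc_upd_disable_security\b", re.I)
SUSPECT_CHILDREN = {"cmd.exe", "tftp.exe"}

def detect(events):
    """Return (index, rule) alerts for a time-ordered list of event dicts.

    Event layout is an assumption of this example:
      {"type": "process", "parent": ..., "image": ...}
      {"type": "sql", "session": ..., "text": ...}
    """
    alerts = []
    adv_seen = set()  # SQL sessions that already enabled advanced options
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            if (ev["parent"].lower() == "axengine.exe"
                    and ev["image"].lower() in SUSPECT_CHILDREN):
                alerts.append((i, "axengine_child_" + ev["image"].lower()))
        elif ev["type"] == "sql":
            text, sess = ev["text"], ev["session"]
            if ADV_OPTS.search(text):
                adv_seen.add(sess)
            # Sequence rule: xp_cmdshell enabled after advanced options, same session
            if XP_ENABLE.search(text) and sess in adv_seen:
                alerts.append((i, "xp_cmdshell_enable_sequence"))
            if DISABLE_AUTH.search(text):
                alerts.append((i, "console_auth_disabled"))
    return alerts

# Constructed sample events (not captured from a real system).
SAMPLE = [
    {"type": "sql", "session": 51, "text": "select name from computer where id = 7"},
    {"type": "sql", "session": 52, "text": 'sp_configure "show advanced options", 1; reconfigure'},
    {"type": "sql", "session": 53, "text": 'sp_configure "xp_cmdshell", 1; reconfigure'},
    {"type": "sql", "session": 52, "text": 'sp_configure "xp_cmdshell", 1; reconfigure'},
    {"type": "process", "parent": "services.exe", "image": "cmd.exe"},
    {"type": "process", "parent": "axengine.exe", "image": "tftp.exe"},
    {"type": "sql", "session": 54, "text": "exec wc_upd_disable_security"},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE):
        print(idx, rule)
```

The sequence rule only fires when both sp_configure statements occur in the same session, so session 53 in the sample, which touches xp_cmdshell without first enabling advanced options, produces no alert.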