CVE-2008-2286
Published 2008-05-18
Priority: P2 62 · CVSS 2.0: 7.5 (High) · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit available · EPSS: 32.68% (98.1th percentile)

SQL injection vulnerability in axengine.exe in Symantec Altiris Deployment Solution 6.8.x and 6.9.x before 6.9.176 allows remote attackers to execute arbitrary SQL commands via unspecified string fields in a notification packet.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| symantec | altiris_deployment_solution | — | — |
| symantec | altiris_deployment_solution | — | — |
Detection & IOCs (extracted from sources)

Detection:
- Monitor TCP port 402 for inbound 'UpdateComputer' notification packets containing SQL metacharacters (e.g., semicolons, double-dashes, hex-encoded strings) in the Processor-Speed field, which is the injected numeric field.
- Detect the specific injection pattern in the Processor-Speed field: a numeric value followed by SQL injection syntax such as 'null, null;declare @querya VARCHAR(255);select @querya = 0x...;exec(@querya);--'.
- Alert on axengine.exe spawning cmd.exe or tftp.exe child processes, as the exploit retrieves and executes a payload via TFTP from %TEMP%.
- Detect SQL Server xp_cmdshell enablement sequences originating from the Altiris axengine.exe process context: 'sp_configure "show advanced options", 1; reconfigure' followed by 'sp_configure "xp_cmdshell", 1; reconfigure'.
- Detect invocation of the stored procedure 'wc_upd_disable_security' via SQL injection, which disables Deployment Console Authentication.

Caveats:
- The exploit requires xp_cmdshell to be enabled (or enables it via SQLi); if xp_cmdshell is already disabled and the SQL Server account lacks ALTER SETTINGS permission, the shell-spawning stage will fail.
- The exploit requires a TFTP client to be present on the target system to retrieve the payload; without it the attack cannot deliver the executable.
- The Metasploit module targets Windows 2003 (x86) specifically; exploitation against other Windows versions may require adjustment.
- The vulnerability affects Altiris Deployment Solution 6.8.x and 6.9.x before 6.9.176; versions at or above 6.9.176 are patched.
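The three detection opportunities above (the Processor-Speed field, the axengine.exe process tree, and the SQL Server audit trail) can be checked with a small amount of code. The following is an added example written for this page; it is not code from the advisory, Exploit-DB or the Metasploit project. The sample field values, process events and SQL statements are constructed; the Altiris install path is a placeholder; and the only specifics taken from the page are the injection syntax, the process names, the xp_cmdshell sequence and the wc_upd_disable_security procedure name.

```python
import re
from dataclasses import dataclass
from typing import List

# --- 1. Notification packet field check ----------------------------------
# Processor-Speed is a numeric field. A bare integer is fine; SQL syntax after
# the number matches the injection pattern quoted in the IOC list; anything
# else is at least malformed and worth a look.
SQL_SYNTAX_RE = re.compile(
    r"(;|--|\bnull\b|\bdeclare\b|\bselect\b|\bexec\b|0x[0-9a-f]{2,}"
    r"|\bxp_cmdshell\b|\bwc_upd_disable_security\b)",
    re.IGNORECASE,
)

def classify_processor_speed(value: str) -> str:
    """Return 'ok', 'sqli' or 'malformed' for one Processor-Speed field value."""
    if re.fullmatch(r"\s*\d+\s*", value):
        return "ok"
    if SQL_SYNTAX_RE.search(value):
        return "sqli"
    return "malformed"

# --- 2. Process-creation check -------------------------------------------
@dataclass
class ProcessEvent:
    parent_image: str
    image: str

SUSPICIOUS_CHILDREN = {"cmd.exe", "tftp.exe"}

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def axengine_spawn_alert(ev: ProcessEvent) -> bool:
    """True when axengine.exe is the parent of cmd.exe or tftp.exe."""
    return (_basename(ev.parent_image) == "axengine.exe"
            and _basename(ev.image) in SUSPICIOUS_CHILDREN)

# --- 3. SQL Server audit check -------------------------------------------
XP_CMDSHELL_ENABLE_RE = re.compile(
    r"sp_configure\s+['\"]xp_cmdshell['\"]\s*,\s*1", re.IGNORECASE)
DISABLE_SECURITY_RE = re.compile(r"\bwc_upd_disable_security\b", re.IGNORECASE)

def sql_audit_reason(statement: str) -> str:
    """Return a short reason string for a suspicious statement, else ''."""
    if XP_CMDSHELL_ENABLE_RE.search(statement):
        return "xp_cmdshell enabled"
    if DISABLE_SECURITY_RE.search(statement):
        return "wc_upd_disable_security invoked"
    return ""

# --- Constructed sample input (not captured traffic or real telemetry) -----
SAMPLE_FIELDS = {
    "host-a": "2400",
    "host-b": "2400 null, null;declare @querya VARCHAR(255);"
              "select @querya = 0x4142;exec(@querya);--",
    "host-c": "fast",
}
SAMPLE_PROCS = [
    # Placeholder install path; only the image names matter to the check.
    ProcessEvent(r"C:\Altiris\axengine.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
]
SAMPLE_SQL = [
    "sp_configure 'show advanced options', 1; reconfigure",
    "sp_configure 'xp_cmdshell', 1; reconfigure",
    "exec wc_upd_disable_security",
    "select count(*) from computer",
]

def run_all() -> List[str]:
    """Apply all three checks to the constructed samples and return alerts."""
    alerts = []
    for host, value in SAMPLE_FIELDS.items():
        verdict = classify_processor_speed(value)
        if verdict != "ok":
            alerts.append(f"{host}: Processor-Speed {verdict}")
    for ev in SAMPLE_PROCS:
        if axengine_spawn_alert(ev):
            alerts.append(f"axengine.exe spawned {_basename(ev.image)}")
    for stmt in SAMPLE_SQL:
        reason = sql_audit_reason(stmt)
        if reason:
            alerts.append(f"sql: {reason}")
    return alerts

if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

The field check deliberately treats any non-integer value as at least "malformed": a numeric field that carries text is a data-quality problem even when it is not an injection, and the caveats above note that a failed exploit attempt may still leave partial SQL in the field. The xp_cmdshell regex accepts both single and double quotes because the quoting in the quoted sequence depends on the client that issued it.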
No detection rules found.
Exploit-DB
Symantec Altiris DS - SQL Injection (Metasploit) · exploitdb · 2013-11-13
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # ... (module body between the class line and the info hash was lost in extraction)
      'Name'        => 'Symantec Altiris DS SQL Injection',
      'Description' => %q{
        This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution 6.8
        to 6.9.164. The vulnerability exists on axengine.exe which fails to adequately sanitize
        numeric input fields in "UpdateComputer" notification Requests. In order to spawn a shell,
        several SQL injections are required in close succession, first to enable xp_cmdshell, then
        retrieve the payload via TFTP and fin
```
Metasploit: Symantec Altiris DS SQL Injection
This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution 6.8 to 6.9.164. The vulnerability exists on axengine.exe which fails to adequately sanitize numeric input fields in "UpdateComputer" notification Requests. In order to spawn a shell, several SQL injections are required in close succession, first to enable xp_cmdshell, then retrieve the payload via TFTP and finally execute it. The module also has the capability to disable or enable local application authentication. In order to work the target system must have a tftp client available.
No writeups or analysis indexed.
References:
- http://marc.info/?l=bugtraq&m=122167472229965&w=2
- http://osvdb.org/show/osvdb/45313
- http://secunia.com/advisories/30261
- http://www.exploit-db.com/exploits/29552
- http://www.securityfocus.com/archive/1/492127/100/0/threaded
- http://www.securityfocus.com/archive/1/492229/100/0/threaded
- http://www.securityfocus.com/bid/29198
- http://www.securitytracker.com/id?1020024
- http://www.symantec.com/avcenter/security/Content/2008.05.14a.html
- http://www.vupen.com/english/advisories/2008/1542/references
- http://www.zerodayinitiative.com/advisories/ZDI-08-024/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42436
Published: 2008-05-18