The only reason this was never disclosed was originally in hopes of 
proper vendor response... I spoke to their tech support about 5 times 
but they were just total morons. I eventually gave up.

I was going to write a shatter like attack so this could be exploited 
ala .exe file but I never had time.

Tested on Carbon Copy Version 6.0.5257

Start the Carbon Copy Service...
CCSRVC.exe is running as SYSTEM.

In the task bar you should see a little blue and white CC icon. Right 
click on it and choose show user interface. CCW32.exe will then be 
started with SYSTEM rights.

Choose help then "carbon copy help topics"... right click on the right 
hand side of the help pane and choose "view source". You should get 
notepad.exe running as SYSTEM. Click File then open... browse to cmd.exe 
right click and open it.

Now you have local SYSTEM


Carbon Copy Scheduler at one point in time had its own service as well 
so it could also be used to take SYSTEM... CCSched.exe runs as SYSTEM.
The schedulers help button can be used to take SYSTEM. The Add button 
will take you to an other screen with a browse button that can be used...

Several variations of this span the products various versions. The 
latest version I used did not contain the Scheduler Service...

I will eventually write up a proper advisory for this and an exploit 
but... like I stated above... just been too busy to write the exploit.

Enjoy.

-KF


Brooks, Shane wrote:
> Can you elaborate a bit on the privilege escalation that you mentioned?  If the hole has indeed been there over a year, why not disclose it publicy?  Does anyone else have any info on Altiris vulnerabilities?  
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html