The Altiris Client Service for Windows (ACLIENT.EXE) 6.0.88 allows local users to disable password protection and access the administrative interface by finding and showing the "Altiris Client Service" hidden window, disabling the password protection, disabling the "Hide client tray icon box" option, then opening the AClient tray icon and using the View Log File option, a different vulnerability than CVE-2004-2070.
Altiris Deployment Solution Client allows a user to activate the client interface by easily launching the software from an icon in the Windows system tray. It is reported that a local user may exploit the client interface to escalate privileges.
It should be noted that although this vulnerability is reported to exist in Altiris Deployment Solution version 5.6 SP1 (Hotfix E), other versions might also be affected.
1. Right-click on the Altiris Client Service icon in the Taskbar and choose View Log File
2. Notepad should open. Click File, then click Open
3. In the Files of type: field, choose All Files
4. Navigate to '%WINDIR%\System32'. Right-click on 'cmd.exe' and choose Open
5. A new command shell will launch with SYSTEM privileges
Altiris Deployment Solution contains a flaw in its ACLIENT.EXE service that may allow a malicious user to gain unauthorized privileges. The issue is triggered by manipulating the AClient interface to launch a Windows command prompt that runs under the LocalSystem account. From within this command prompt, the user can launch any program at those escalated privileges. This flaw may lead to a loss of integrity.
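The escalation described above leaves a distinctive process chain on the endpoint: the client service (running as LocalSystem) starts a log viewer, and that viewer, still running as SYSTEM, spawns a shell or other program from an interactive session. The following detection check is an added example, not part of this advisory or of any Altiris tooling; it scans process-creation records for that chain. The record format (`pid=|ppid=|image=|user=`), the sample records and the install path are constructed for illustration and should be mapped onto whatever your EDR or Sysmon pipeline actually emits.

```python
"""Detect the ACLIENT.EXE "View Log File" escalation chain in process-creation telemetry.

Added example (not the advisory's or vendor's code). Record format, paths and
sample data are constructed; adapt the field mapping to your own log source.
"""
import ntpath
from dataclasses import dataclass

# Constructed constants: adjust to the account and image names your telemetry reports.
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
CLIENT_SERVICE = "aclient.exe"   # the Altiris Client Service binary named in the advisory
LOG_VIEWER = "notepad.exe"       # what the "View Log File" menu item opens


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    user: str


def parse_event(line: str) -> ProcEvent:
    """Parse one 'key=value|key=value' record (constructed format, not a real log schema)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcEvent(int(fields["pid"]), int(fields["ppid"]), fields["image"], fields["user"])


def _name(image: str) -> str:
    """Case-insensitive basename of a Windows path, so 'C:\\WINDOWS\\System32\\CMD.EXE' matches 'cmd.exe'."""
    return ntpath.basename(image).lower()


def find_escalations(lines):
    """Return the events that form the aclient -> viewer (SYSTEM) -> child chain.

    Each hit is a dict with the offending pid, its image and which stage it represents.
    """
    events = [parse_event(line) for line in lines]
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue  # parent not in this batch (e.g. the System process); nothing to correlate
        # Stage 1: the service's log viewer, inherited SYSTEM token and all.
        if (_name(parent.image) == CLIENT_SERVICE
                and _name(ev.image) == LOG_VIEWER
                and ev.user == SYSTEM_USER):
            hits.append({"pid": ev.pid, "image": ev.image, "stage": "viewer-as-system"})
            continue
        # Stage 2: anything the SYSTEM viewer spawns (File > Open on an executable)
        # is a process the interactive user should never have been able to start as SYSTEM.
        grand = by_pid.get(parent.ppid)
        if (_name(parent.image) == LOG_VIEWER
                and parent.user == SYSTEM_USER
                and grand is not None
                and _name(grand.image) == CLIENT_SERVICE):
            hits.append({"pid": ev.pid, "image": ev.image, "stage": "child-of-system-viewer"})
    return hits


# Constructed sample records: one malicious chain plus a benign user-owned notepad session.
SAMPLE_LOG = [
    "pid=700|ppid=4|image=C:\\Program Files\\Altiris\\AClient\\aclient.exe|user=NT AUTHORITY\\SYSTEM",
    "pid=1310|ppid=700|image=C:\\Windows\\System32\\notepad.exe|user=NT AUTHORITY\\SYSTEM",
    "pid=1422|ppid=1310|image=C:\\Windows\\System32\\cmd.exe|user=NT AUTHORITY\\SYSTEM",
    "pid=2001|ppid=1900|image=C:\\Windows\\System32\\notepad.exe|user=LAB\\alice",
    "pid=2002|ppid=2001|image=C:\\Windows\\System32\\cmd.exe|user=LAB\\alice",
]

if __name__ == "__main__":
    for hit in find_escalations(SAMPLE_LOG):
        print(f"[{hit['stage']}] pid={hit['pid']} image={hit['image']}")
```

The benign notepad/cmd pair owned by `LAB\alice` is deliberately included: the check keys on the SYSTEM token plus the `aclient.exe` ancestry, not on notepad spawning a shell in general, which is routine and would otherwise drown the alert in noise. On a patched host (6.1 SP1 Hotfix D or later, per the advisory) stage 1 alone is still worth a low-severity alert, since the viewer should not be reachable from the tray without the password.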
Upgrade to version 6.1 SP1 Hotfix D or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.