Altiris Deployment Solution File Execution

October 6, 2009

Symantec Altiris Deployment Solution is a set of tools that provide software deployment functions. It runs on multiple platforms, including Windows and Linux, and can be used remotely to deploy an operating system or applications to multiple computers in a batch.

When Symantec Altiris Deployment Solution is used as a web console, the ActiveX control AeXNSPkgDLLib.dll has to be installed on the client. The ClassID for this control is "63716E93-033D-48B0-8A2F-8E8473FD7AC7" and its ProgID is "Altiris.AeXNSPkgDL". It can be instantiated in a web page using the <object> tag or via scripting. For example:

<object id="ctrl" classid="clsid:{63716E93-033D-48B0-8A2F-8E8473FD7AC7}"></object>

The ActiveX control exposes several methods, among them Download and DownloadAndInstall. They have the following prototypes:

void Download(BSTR Src, BSTR Dest)

void DownloadAndInstall(BSTR Src, BSTR Dest, BSTR InstCmdLine, BSTR UpgdCmdLine, BSTR ProdCode)

When the method Download or DownloadAndInstall is invoked on the ActiveX object, the file referenced by Src is downloaded via HTTP and copied to the path Dest on the web client's system. For example,

obj.DownloadAndInstall("", "C:file.exe", "C:file.exe","","");

Here the remote file will be saved as the local file "C:file.exe". No confirmation dialog is presented to alert the user to the operation.

Since a malicious program can easily be downloaded onto the target without the user's knowledge, this design flaw is considered a remote program execution vulnerability. In addition, DownloadAndInstall provides an arbitrary program execution facility through its InstCmdLine parameter. These methods can be leveraged by attackers to execute arbitrary programs on the vulnerable host.

SonicWALL has released an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following signature has been released:

  • IPS:4465 Symantec Altiris Deployment Solution ActiveX File Download
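As an added illustration (not SonicWALL's signature logic and not code from the original advisory), the following Python sketch shows one way to flag web content that both loads this control, by ClassID or by ProgID, and calls one of the two download methods. The function name `scan_page` and the sample pages are constructed for this example.

```python
import re

# Identifiers taken from the advisory text.
CLSID = "63716E93-033D-48B0-8A2F-8E8473FD7AC7"
PROGID = "Altiris.AeXNSPkgDL"

# <object classid="clsid:..."> form, with or without braces, any letter case.
RE_CLSID = re.compile(r"clsid:\s*\{?" + re.escape(CLSID) + r"\}?", re.I)
# Scripted instantiation by ProgID; a version suffix such as ".1" still matches.
RE_PROGID = re.compile(re.escape(PROGID) + r"(?![A-Za-z0-9_])", re.I)
# Calls to the two methods that write a remote file to a local path.
RE_CALL = re.compile(r"\.\s*(DownloadAndInstall|Download)\s*\(", re.I)


def scan_page(html: str) -> dict:
    """Report how the control is referenced and which methods are called."""
    loads = []
    if RE_CLSID.search(html):
        loads.append("classid")
    if RE_PROGID.search(html):
        loads.append("progid")
    methods = sorted({m.group(1).lower() for m in RE_CALL.finditer(html)})
    # Alert only when the control is loaded AND a download method is invoked.
    return {"loads": loads, "methods": methods,
            "alert": bool(loads) and bool(methods)}


# Constructed sample pages (placeholders only, no real URLs or payloads).
SAMPLE_TAG = (
    '<object id="ctrl" classid="CLSID:{63716e93-033d-48b0-8a2f-8e8473fd7ac7}">'
    '</object><script>ctrl.DownloadAndInstall(src, dest, cmd, "", "");</script>'
)
SAMPLE_SCRIPT = (
    '<script>var o = new ActiveXObject("Altiris.AeXNSPkgDL.1");'
    ' o.Download(src, dest);</script>'
)
SAMPLE_BENIGN = (
    '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>'
    '<script>helper.Download(a, b);</script>'
)

if __name__ == "__main__":
    for name in ("SAMPLE_TAG", "SAMPLE_SCRIPT", "SAMPLE_BENIGN"):
        print(name, scan_page(globals()[name]))
```

Static matching of this kind misses pages that assemble the ClassID, ProgID or method name at run time, so it complements rather than replaces blocking the control on the client.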

This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.