Altiris Deployment Solution File Execution (Sept 23, 2009)


Symantec Altiris Deployment Solution is a set of tools that provide software deployment functions. It can be run on multiple platforms such as Windows, Linux and so on. And it can be used remotely to deploy an operating system or applications to multiple computers in a batch.

When Symantec Altiris Deployment Solution is used as a web console, an ActiveX control AeXNSPkgDLLib.dll has to be installed on the client. The associated ClassID for this control is “63716E93-033D-48B0-8A2F-8E8473FD7AC7” and its ProgID is “Altiris.AeXNSPkgDL”. It can be instantiated in a web page using the tag or via scripting. For example,

< object id="ctrl" classid="clsid:{63716E93-033D-48B0-8A2F-8E8473FD7AC7}" >

The ActiveX control has several methods which offer different functionalities. Download and DownloadAndInstall methods are among them. They have the following prototypes:

void Download(BSTR Src, BSTR Dest)


void DownloadAndInstall(BSTR Src, BSTR Dest,     BSTR InstCmdLine, BSTR UpgdCmdLine, BSTR ProdCode)

When the method Download or DownloadAndInstall is invoked on the ActiveX object, the file referenced by Src is downloaded via HTTP and copied to the path Dest on the web client’s system. For example,

obj.DownloadAndInstall("", "C:file.exe", "C:file.exe","","");

Where the remote file will be save as the local file “C:file.exe”. No confirmation dialog is presented to the user to alert them on the procedure.

Since a malicious program can easily be downloaded into the target without the user’s knowledge, this design flaw is considered as remote program execution vulnerability. In addition, DownloadAndInstall provides arbitrary program execution facility with its InstCmdLine parameter. These methods can be leveraged by attackers to execute arbitrary programs on the vulnerable host.

SonicWALL has release an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following signature has been released:

  • IPS:4465 Symantec Altiris Deployment Solution ActiveX File Download

This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.

Pin It on Pinterest