Software Engineering Institute

The ScriptLogic product from ScriptLogic, Inc. provides remote system administration capabilities for Microsoft Windows systems in a domain. A vulnerability in the RunAdmin service included in version 4.01 of the ScriptLogic software could allow a local user to gain administrative access to any workstations in the domain that are managed by the ScriptLogic server. According to ScriptLogic, "the ScriptLogic RunAdmin services (SLRAserver.exe & SLRAclient.exe) are used to perform configurations on the client workstation when the user logging on does not have Administrative privileges."

The RunAdmin service runs in the context of a domain account (typically SLSVCUSER or similar) that is added to the Local Administrators group by the installation program. Version 4.01 of ScriptLogic, as tested by the CERT/CC, fails to prevent normal users from making requests supplied with configuration data of their own choosing. As a result, it is possible for normal users to use the RunAdmin service to execute arbitrary commands with the privileges of the SLSVCUSER account. If a malicious end-user requests his/her own configuration be executed by a ScriptLogic client, this would in turn cause the ScriptLogic RunAdmin client service to be installed to the machine (if it was not already present), and the RunAdmin client to execute the applications specified in the malicious configuration with the privileges of a local administrator (i.e., under the security context of the RunAdmin client service).

Since the SLSVCUSER account is normally part of the Administrators group, exploitation results in a root compromise of the system. Furthermore, because SLSVCUSER is a domain account, local access can be leveraged to gain administrative access to other ScriptLogic-managed workstations in the domain which have had the SLSVCUSER account added to their own local Administrators group (e.g., other workstations in the domain that have had the RunAdmin client service installed).

This vulnerability affects workstations running Microsoft Windows NT, Microsoft Windows 2000, and Microsoft Windows XP. Although the ScriptLogic software also runs on Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows Me, this vulnerability is irrelevant to systems running these versions of Windows. Since they do not feature distinct users and security contexts, access to a user account in the domain, which is a necessary precondition to exploitation of this vulnerability, is already tantamount to administrative access on these platforms. Furthermore, since the RunAdmin service is an optional component of the ScriptLogic system, sites that have not installed this service during the initial installation of the ScriptLogic software are not affected by this vulnerability.

The CERT/CC has verified the existence of this vulnerability in version 4.01 of the ScriptLogic software. Version 4.14 of the ScriptLogic software has been tested by the CERT/CC and shown not to contain the vulnerability. The RunAdmin service has been replaced in this version of the ScriptLogic software.

Local users can gain administrative control of workstations with the ScriptLogic RunAdmin service installed. This access can be leveraged to gain administrative control of other workstations in the domain that have had the SLSVCUSER account added to the Local Administrators group (e.g., as a result of the ScriptLogic RunAdmin service being installed) and have the default administrative shares enabled.

Upgrade to the latest version of the software

Version 4.14 of the ScriptLogic software has been tested by the CERT/CC and shown not to contain the vulnerability. Users of potentially vulnerable versions of the software are encouraged to upgrade to this version.