CERT Coordination Center

ScriptLogic RunAdmin service can allow users to gain administrative access

Vulnerability Note VU#231705

Original Release Date: 2003-04-30 | Last Revised: 2003-04-30

Overview

There is a vulnerability in version 4.01 of ScriptLogic that may allow local or domain users to gain administrative access to workstations running the ScriptLogic RunAdmin service.

Description

The ScriptLogic product from ScriptLogic, Inc. provides remote system administration capabilities for Microsoft Windows systems in a domain. A vulnerability in the RunAdmin service included in version 4.01 of the ScriptLogic software could allow a local user to gain administrative access to any workstations in the domain that are managed by the ScriptLogic server. According to ScriptLogic, "the ScriptLogic RunAdmin services (SLRAserver.exe & SLRAclient.exe) are used to perform configurations on the client workstation when the user logging on does not have Administrative privileges."

The RunAdmin service runs in the context of a domain account (typically SLSVCUSER or similar) that is added to the Local Administrators group by the installation program. Version 4.01 of ScriptLogic, as tested by the CERT/CC, fails to prevent normal users from making requests supplied with configuration data of their own choosing. As a result, it is possible for normal users to use the RunAdmin service to execute arbitrary commands with the privileges of the SLSVCUSER account. If a malicious end-user requests that his/her own configuration be executed by a ScriptLogic client, this would in turn cause the ScriptLogic RunAdmin client service to be installed on the machine (if it was not already present), and the RunAdmin client to execute the applications specified in the malicious configuration with the privileges of a local administrator (i.e., under the security context of the RunAdmin client service).

Since the SLSVCUSER account is normally part of the Administrators group, exploitation results in a root compromise of the system. Furthermore, because SLSVCUSER is a domain account, local access can be leveraged to gain administrative access to other ScriptLogic-managed workstations in the domain which have had the SLSVCUSER account added to their own local Administrators group (e.g., other workstations in the domain that have had the RunAdmin client service installed).

This vulnerability affects workstations running Microsoft Windows NT, Microsoft Windows 2000, and Microsoft Windows XP. Although the ScriptLogic software also runs on Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows Me, this vulnerability is irrelevant to systems running these versions of Windows. Since they do not feature distinct users and security contexts, access to a user account in the domain, which is a necessary precondition to exploitation of this vulnerability, is already tantamount to administrative access on these platforms. Furthermore, since the RunAdmin service is an optional component of the ScriptLogic system, sites that have not installed this service during the initial installation of the ScriptLogic software are not affected by this vulnerability.

The CERT/CC has verified the existence of this vulnerability in version 4.01 of the ScriptLogic software. Version 4.14 of the ScriptLogic software has been tested by the CERT/CC and shown not to contain the vulnerability. The RunAdmin service has been replaced in this version of the ScriptLogic software.

Impact

Local users can gain administrative control of workstations with the ScriptLogic RunAdmin service installed. This access can be leveraged to gain administrative control of other workstations in the domain that have had the SLSVCUSER account added to the Local Administrators group (e.g., as a result of the ScriptLogic RunAdmin service being installed) and have the default administrative shares enabled.
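The exposure described above can be audited from an asset inventory. The following is an added example, not code from the CERT/CC or ScriptLogic: it flags hosts where a RunAdmin binary runs as a domain account that is also a local administrator, then lists every host that trusts the same account. The CSV layout, column names, host names and the EXAMPLE domain are constructed assumptions; the product version and the state of the administrative shares are not checked.

```python
import csv
import io

# Constructed inventory export (not real data). Column names are assumptions.
SAMPLE_INVENTORY = """host,os,service_binary,run_as,local_admins
WS01,Windows 2000,SLRAclient.exe,EXAMPLE\\SLSVCUSER,Administrator;EXAMPLE\\SLSVCUSER
WS02,Windows XP,SLRAclient.exe,EXAMPLE\\SLSVCUSER,Administrator;EXAMPLE\\SLSVCUSER
WS03,Windows XP,,,Administrator;EXAMPLE\\SLSVCUSER
WS04,Windows 98,SLRAclient.exe,EXAMPLE\\SLSVCUSER,
WS05,Windows NT,spoolsv.exe,LocalSystem,Administrator
"""

RUNADMIN_BINARIES = {"slraserver.exe", "slraclient.exe"}  # named in the advisory
NO_USER_SEPARATION = {"windows 95", "windows 98", "windows me"}  # not affected

def is_domain_account(account):
    """True for DOMAIN\\user; False for LocalSystem, .\\user, NT AUTHORITY\\..."""
    domain, sep, _user = account.partition("\\")
    return bool(sep) and domain.upper() not in {".", "NT AUTHORITY", "BUILTIN"}

def local_admins(row):
    return {a.strip().lower() for a in row["local_admins"].split(";") if a.strip()}

def audit(csv_text):
    """Map each exposed service account to its entry points and blast radius."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["os"].strip().lower() not in NO_USER_SEPARATION]
    findings = {}
    for row in rows:
        account = row["run_as"].strip().lower()
        if (row["service_binary"].strip().lower() in RUNADMIN_BINARIES
                and is_domain_account(account)
                and account in local_admins(row)):
            # RunAdmin runs here as a domain account with local admin rights.
            entry = findings.setdefault(account, {"entry_points": [], "blast_radius": []})
            entry["entry_points"].append(row["host"])
    for account, entry in findings.items():
        # Every host that trusts the same account as a local administrator.
        entry["blast_radius"] = sorted(r["host"] for r in rows if account in local_admins(r))
    return findings

if __name__ == "__main__":
    for account, entry in audit(SAMPLE_INVENTORY).items():
        print(account, entry)
```

In the constructed sample, WS03 appears in the blast radius even though no RunAdmin service is installed there, because the shared account is still a member of its local Administrators group.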

Solution

Upgrade to the latest version of the software

Version 4.14 of the ScriptLogic software has been tested by the CERT/CC and shown not to contain the vulnerability. Users of potentially vulnerable versions of the software are encouraged to upgrade to this version.

Vendor Information

ScriptLogic Corporation Affected

Notified: October 18, 2002 | Updated: April 30, 2003

Status

Affected

Vendor Statement

ScriptLogic Corporation agrees with CERT’s assessment that version 4.14 of ScriptLogic does not contain this vulnerability. Additionally, ScriptLogic has never received any reports from customers regarding this vulnerability in any version of the software.

ScriptLogic encourages all customers to use the most current version of the software. The current version is available for download at the ScriptLogic web support center located at http://www.scriptlogic.com/support/scriptlogic/sl40/default.asp.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


Acknowledgements

This document was written by Chad R Dougherty. Technical assistance during testing was provided by Art Manion and Matt Lytle. The CERT/CC appreciates ScriptLogic, Inc.'s cooperation in providing an updated copy of the software for the purpose of vulnerability testing.

Other Information

CVE IDs: None
Severity Metric: 5.27
Date Public: 2003-04-30
Date First Published: 2003-04-30
Date Last Updated: 2003-04-30 20:10 UTC
Document Revision: 28

Sponsored by CISA.