SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Security)  >   Symantec Anti Virus Vendors:   Symantec
Symantec Antivirus Corporate Edition Alert Management Service Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1024251
SecurityTracker URL:  http://securitytracker.com/id/1024251
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 27 2010
Impact:   Execution of arbitrary code via network, Root access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 10.1.8.8000 and prior versions
Description:   A vulnerability was reported in Symantec Antivirus Corporate Edition Alert Management Service. A remote user can execute arbitrary code on the target system.

A remote user can send specially crafted data to the Intel Alert Handler service (hndlrsvc.exe) on TCP port 38292 execute arbitrary commands on the target system. The code will run with the System privileges.

The remote user can set up an alert response to run an arbitrary command and then can remotely trigger the alert to cause the command to be executed.

Systems with Symantec System CenterConsole with the Alert Management Service plugin installed are also affected.

The vendor was notified on January 6, 2010.

SPIDER reported this vulnerability.

The original advisory is available at:

http://www.foofus.net/~spider/code/AMS2_072610.txt
Impact:   A remote user can execute arbitrary commands on the target system with System privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.symantec.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Mon, 26 Jul 2010 07:00:19 -0600
Subject:  Foofus.net Security Advisory: Symantec AMS Intel Alert Handler service Design Flaw

==================================================
Foofus.net Security Advisory: foofus-20100726
==================================================
Title:		Symantec Antivirus Corporate Edition AMS Intel Alert Handler

Version:	10.1.8.8000 and earlier

Vendor:		Symantec 

Release Date:	26.07.2010

Issue Status:	Reported To Vendor on 01/06/2010

==================================================



1. Summary:



Alert Management Service (AMS2) is a service used to setup, manage and report 

alerts within legacy Symantec Antivirus Corporate Edition products. 



==================================================


2. Description:



The Intel Alert Handler service (hndlrsvc.exe) provides alert setup and response 

capabilities to AMS2. A design error in Symantec's implementation of this function 

allows an attacker who can establish a TCP connection to port 38292, on a vulnerable

host to execute commands at system level on that host.



No special exploit code is needed to carry out this attack, by leveraging the AMS 

server console tool an attacker can setup an alert response to run a command on a

vulnerable system without authenticating. The AMS server console can also be used 

to remotely trigger the alert causing the command to execute at system level.





==================================================


3. Impact:



Exploiting this allows an adversary to execute code on a vulnerable system with out

authenticating



==================================================



4. Affected Products:



All version of Symantec SAVCE with AMS server installed, or Symantec System CenterConsole 

with AMS plugin installed are vulnerable to this exploit.



==================================================


5. Solution:



   a. Uninstall Symantec System Center. It is advised that any system vulnerable to 

      this exploit have all Symantec products uninstalled and reinstalled. Uninstalling

      the AMS plugin from an affected installation will not remove the vulnerability. 

   b. Uninstall AMS server

   c. Disable Alert Handler (hndlrsvc.exe)  service

   d. Also upgrade to the latest version of Symantec Endpoint Protection



==================================================


6) Time Table:



01/06/2010 Reported Vulnerability to Vendor. 

01/11/2010 Vendor acknowledged Receiving report 

01/12/2010 Vendor Tried to convince me that this was XFR.exe issue

07/26/2010 Publishes Advisory



==================================================



7) Credits: Discovered by SPIDER 



==================================================


8. Reference:



http://www.foofus.net/?page_id=149


==================================================
 

The Foofus.Net team is an assortment of security professionals located somewhere

in the Midwestern United States. http://www.foofus.net



==================================================


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC