
List:       bugtraq
Subject:    TELUS Security Labs VR - Symantec Alert Management System
From:       noreply () telus ! com
Date:       2011-01-28 19:25:00
Message-ID: 201101281925.p0SJP0AH009877 () www3 ! securityfocus ! com

Symantec Alert Management System HNDLRSVC Arbitrary Command Execution

TSL ID: FSC20100727-01

1. Affected Software

     Symantec Antivirus Corporate Edition 10.1.8.8000 and possibly prior
     Symantec System Center 10.1.8.8000 and possibly prior

Reference: http://www.symantec.com/business/antivirus-corporate-edition

2. Vulnerability Summary

An arbitrary program execution vulnerability exists in the Symantec Alert Management
System (AMS) service shipped with multiple Symantec products. The vulnerability could
be exploited by remote unauthenticated attackers to execute arbitrary code with
SYSTEM privileges.

3. Vulnerability Analysis

The Alert Management System (AMS) component of Symantec Antivirus Corporate Edition
installs an alert handler service, HNDLRSVC, that listens for commands from the AMS
server. This service does not perform proper authentication checks before executing
such commands. Remote unauthenticated attackers could exploit this vulnerability by
sending a crafted packet via the MSGSYS.EXE service on port 38292/TCP. The Run
Program command allows executing arbitrary programs from a remote SMB share with
SYSTEM privileges on the vulnerable system.
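The advisory gives defenders one concrete network indicator: unauthenticated command
traffic reaches HNDLRSVC through MSGSYS.EXE on 38292/TCP. The following script is an
added example, not code from the advisory, TELUS Security Labs or Symantec. It runs a
simple detection over firewall connection logs and flags inbound connections to that
port from any host that is not a known AMS server. The key=value log format, the
sample log lines, the AMS server address and the internal network ranges are all
constructed assumptions for this example; only the port number comes from the advisory.

```python
"""
Added example: flag inbound TCP connections to the Symantec AMS message port
(38292/TCP per the advisory) that do not originate from a known AMS server.
The log format, addresses and network ranges below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

AMS_PORT = 38292  # port used by MSGSYS.EXE according to the advisory

# Assumption: only the organisation's AMS servers (Symantec System Center hosts)
# legitimately talk to HNDLRSVC. Placeholder address, not from the advisory.
KNOWN_AMS_SERVERS = {"10.0.0.5"}

# Assumption: the organisation's internal address space (placeholder range).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOG = """\
ts=2011-01-28T19:25:01Z action=allow proto=tcp src=10.0.0.5 sport=49152 dst=10.0.1.20 dport=38292
ts=2011-01-28T19:25:07Z action=allow proto=tcp src=192.0.2.77 sport=40001 dst=10.0.1.20 dport=38292
ts=2011-01-28T19:25:09Z action=allow proto=tcp src=10.0.1.20 sport=38292 dst=10.0.0.5 dport=49152
ts=2011-01-28T19:25:11Z action=allow proto=udp src=10.0.1.31 sport=137 dst=10.0.1.255 dport=137
ts=2011-01-28T19:25:15Z action=deny proto=tcp src=198.51.100.9 sport=5555 dst=10.0.1.21 dport=38292
"""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    action: str
    severity: str


def parse_line(line):
    """Split a key=value log line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def classify(action, src):
    """Severity: allowed from outside > allowed from inside > blocked attempt."""
    if action != "allow":
        return "low"
    return "medium" if is_internal(src) else "high"


def find_suspicious_ams_connections(log_text, known_servers=KNOWN_AMS_SERVERS,
                                    ams_port=AMS_PORT):
    """Return findings for TCP connections *to* ams_port from non-AMS hosts.

    Replies from the AMS port (sport == ams_port) are not inbound commands and
    are deliberately skipped; denied attempts are kept because a probe against
    this port is still worth knowing about.
    """
    findings = []
    for raw in log_text.splitlines():
        f = parse_line(raw)
        if f.get("proto") != "tcp" or f.get("dport") != str(ams_port):
            continue
        src = f.get("src", "")
        if src in known_servers:
            continue
        findings.append(Finding(ts=f.get("ts", ""), src=src, dst=f.get("dst", ""),
                                action=f.get("action", ""),
                                severity=classify(f.get("action", ""), src)))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_ams_connections(SAMPLE_LOG):
        print(f"{finding.ts} {finding.severity:6} {finding.src} -> "
              f"{finding.dst}:{AMS_PORT} ({finding.action})")
```

Against the constructed sample, the legitimate AMS server connection and the reply
traffic from the AMS port are ignored, the allowed connection from 192.0.2.77 is
reported as high severity, and the blocked probe from 198.51.100.9 is reported as low
severity. In a real deployment the allow-list of AMS servers and the internal ranges
must be taken from the organisation's own inventory.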


4. Vulnerability Detection

TELUS Security Labs has confirmed the vulnerability in:

     Symantec Antivirus Corporate Edition 10.1.8.8000
     Symantec System Center 10.1.8.8000

5. Workaround

Disable the AMS service, or update to a non-vulnerable version in the Symantec
Antivirus 11.x series, which does not include the vulnerable AMS component.

6. Vendor Response

Patches have been made available by the vendor to eliminate this vulnerability:

http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00


7. Disclosure Timeline

  2009-07-31 Reported to the vendor
  2009-08-03 Vendor response
  2011-01-26 Coordinated public disclosure

8. Credits

Junaid Bohio of Vulnerability Research Team, TELUS Security Labs

9. References

  CVE: CVE-2010-0110

  Vendor: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00


  http://telussecuritylabs.com/threats/show/FSC20100727-01

10. About TELUS Security Labs

TELUS Security Labs, formerly Assurent Secure Technologies, is the leading provider of
security research. Our research services include:

    * Vulnerability Research
    * Malware Research
    * Signature Development
    * Shellcode Exploit Development
    * Application Protocols
    * Product Security Testing
    * Security Content Development (parsers, reports, alerts)

TELUS Security Labs provides a specialized portfolio of services to assist security
product vendors with newly discovered commercial product vulnerabilities and malware
attacks. Many of our services are provided on a subscription basis to reduce research
costs for our customers. Over 50 of the world's leading security product vendors rely
on TELUS Security Labs research.

http://telussecuritylabs.com

