lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 26 Jul 2010 07:59:18 -0500 (CDT)
From: spider <spider@...mp.foofus.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Foofus.net Security Advisory: Symantec AMS Intel
	Alert Handler service Design Flaw

==================================================
Foofus.net Security Advisory: foofus-20100725
==================================================
Title:		Symantec Antivirus Corporate Edition AMS Intel Alert Handler
Version:	10.1.8.8000 and earlier
Vendor:		Symantec 
Release Date:	26.07.2010
Issue Status:	Reported To Vendor on 01/06/2010

==================================================
1. Summary:

Alert Management Service (AMS2) is a service used to setup, manage and report 
alerts within legacy Symantec Antivirus Corporate Edition products. 

==================================================
2. Description:

The Intel Alert Handler service (hndlrsvc.exe) provides alert setup and response 
capabilities to AMS2. A design error in Symantec's implementation of this function 
allows an attacker who can establish a TCP connection to port 38292, on a vulnerable
host to execute commands at system level on that host.

No special exploit code is needed to carry out this attack, by leveraging the AMS 
server console tool an attacker can setup an alert response to run a command on a
vulnerable system without authenticating. The AMS server console can also be used 
to remotely trigger the alert causing the command to execute at system level.

==================================================
3. Impact:

Exploiting this allows an adversary to execute code on a vulnerable system with out
authenticating

==================================================
4. Affected Products:

All version of Symantec SAVCE with AMS server installed, or Symantec System CenterConsole 
with AMS plugin installed are vulnerable to this exploit.

==================================================
5. Solution:

   a. Uninstall Symantec System Center. It is advised that any system vulnerable to 
      this exploit have all Symantec products uninstalled and reinstalled. Uninstalling
      the AMS plugin from an affected installation will not remove the vulnerability. 
   b. Uninstall AMS server
   c. Disable Alert Handler (hndlrsvc.exe)  service
   d. Also upgrade to the latest version of Symantec Endpoint Protection

==================================================
6) Time Table:

01/06/2010 Reported Vulnerability to Vendor. 
01/11/2010 Vendor acknowledged Receiving report 
01/12/2010 Vendor Tried to convince me that this was XFR.exe issue
07/26/2010 Publishes Advisory

==================================================
7) Credits: Discovered by SPIDER 

==================================================
8. Reference:

http://www.foofus.net/?page_id=149

==================================================
 
The Foofus.Net team is an assortment of security professionals located somewhere
in the Midwestern United States. http://www.foofus.net

================================================== 








_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ