============================================================================
Foofus.net Security Advisory: foofus-20100726
============================================================================
Title:		Symantec Antivirus Corporate Edition AMS Intel Alert Handler
Version:	10.1.8.8000 and earlier
Vendor:		Symantec
Release Date:	26.07.2010
Issue Status:	Reported To Vendor on 01/06/2010
============================================================================

1. Summary:

Alert Management Service (AMS2) is a service used to set up, manage and report
alerts within legacy Symantec Antivirus Corporate Edition products.

============================================================================

2. Description:

The Intel Alert Handler service (hndlrsvc.exe) provides alert setup and response
capabilities to AMS2. A design error in Symantec's implementation of this function
allows an attacker who can establish a TCP connection to port 38292 on a vulnerable
host to execute commands at system level on that host.

No special exploit code is needed to carry out this attack: using the AMS server
console tool, an attacker can set up an alert response that runs a command on a
vulnerable system without authenticating. The AMS server console can also be used
to remotely trigger the alert, causing the command to execute at system level.

============================================================================

3. Impact:

Exploiting this flaw allows an adversary to execute code on a vulnerable system
without authenticating.

============================================================================

4. Affected Products:

All versions of Symantec SAVCE with AMS server installed, or Symantec System Center
Console with the AMS plugin installed, are vulnerable to this exploit.

============================================================================

5. Solution:

   a. Uninstall Symantec System Center. It is advised that any system vulnerable to
      this exploit have all Symantec products uninstalled and reinstalled. Uninstalling
      the AMS plugin from an affected installation will not remove the vulnerability.
   b. Uninstall AMS server.
   c. Disable the Alert Handler (hndlrsvc.exe) service.
   d. Also upgrade to the latest version of Symantec Endpoint Protection.

============================================================================

6. Time Table:

01/06/2010 Reported vulnerability to vendor.
01/11/2010 Vendor acknowledged receiving report.
01/12/2010 Vendor tried to convince me that this was an AFR.exe issue.
07/26/2010 Published advisory.

============================================================================

7. Credits: Discovered by SPIDER

============================================================================

8. Reference:

http://www.foofus.net/?page_id=149

============================================================================

The Foofus.Net team is an assortment of security professionals located somewhere
in the Midwestern United States. http://www.foofus.net

============================================================================