Symantec AMS2 Package Buffer Overflow (May 01, 2009)


Symantec Products Alert management System 2 (AMS2) is a package included by various Symantec Solutions such as System Centre, AntiVirus Server, and AntiVirus Central Quarantine Server. AMS2 contains a component named Intel Alert Originator (IAO) Service, which is run under System account by default.

IAO Service is using a proprietary protocol to exchange messages with other modules. One of the messages is called BIND message. It has the following format:

 Offset Size Description ----------- ---------- ----------------------------------------- 0000   8    filled with "0xFF" 0008   6    unknown, seems always contain 0x00 0x00 0x02 0x00 0x95 0x94 000E   4    IPv4 address of client 0012   8    filled with "0x00" 001A   4    message size covering header (N) 001E   19   unknown 0031   1    Bind Type (Save=0x02 Remove=0x03) 0032   8    unknown 003A   4    Bind Identifier ("BIND") 003E   17   unknown 004F   5    Bind Identifier2 ("BINDx00") 0054   N    Bind Parameters (N-84) 

There is a stack-based buffer overflow vulnerability in IAO Service of AMS2. The vulnerability is due to a boundary error in the IAO service when processing crafted “Bind Remove” messages. Specifically, the vulnerable code copies message parameters into a stack-based buffer without verifying the size of the “Bind Remove” message. Thus, an overly long string can overwrite critical stack data including function return addresses and SEH handler structure. By exploiting this vulnerability, an attacker can successfully inject and execute arbitrary code within the security context of the service, which is System by default.

SonicWALL has released an IPS signature that will detect and block a generic attack attempt addressing this issue. The following IPS signature has been released today:

  • 1440 Symantec Alert Management System BO Attempt

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-1430.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.