Symantec VRTSweb Code Execution (Jan 08, 2010)

Symantec VERITAS Web Server (VRTSweb) is a shared component shipped with multiple Symantec products. VRTSweb provides the container that executes the Symantec web application. VRTSweb is developed using Java and a WAR file is used to distribute a Web application.

VRTSweb listens on TCP port 14300 to process administrative requests. Requests to this port are encoded as XML documents with “Command” as the root node. All requests are of the form:

The task is specified in the “command” attribute of the root node, and the remaining attributes depend on the command. Command authentication is performed using the “authFile” attribute: a client authenticates a request by naming a file that resides in the VRTSweb runtime directory, so any client that knows the path of that directory is able to authenticate. One of the supported commands, startWebApp, requires the following attributes: “command”, “authFile”, “appName”, and “installDir”. A startWebApp request looks like:

which requests VRTSweb to unpack and start the web application located at “c:test.war”.

A design weakness exists in Symantec VERITAS Web Server. The vulnerability is due to insufficient authentication when processing administration requests sent to TCP port 14300. Because the VRTSweb runtime directory contains a number of files with known names, the authFile check can easily be bypassed when a startWebApp command is sent to the target system. The “.heartbeat” file is particularly useful for attacks as it is recreated periodically. A remote attacker can craft a startWebApp request that bypasses authentication to unpack and start a web application on a target system. The web application will run with the privileges of VRTSweb.
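As an added illustration (not code from the advisory, SonicWALL or Symantec), the following Python checker applies the detection logic a defender would want on traffic to TCP/14300: it parses the “Command” document, flags administration requests from hosts outside an assumed allowlist, and flags startWebApp requests whose “authFile” names a predictable runtime file such as “.heartbeat”. The exact XML layout of the samples and the attribute values are assumptions reconstructed from the description above.

```python
import os
import xml.etree.ElementTree as ET

# ".heartbeat" is the predictable file the advisory names; the set is an
# assumed, configurable list to which a defender can add other known files.
PREDICTABLE_AUTH_FILES = {".heartbeat"}
# Hosts that legitimately issue administration commands (assumed allowlist).
TRUSTED_ADMIN_HOSTS = {"127.0.0.1"}


def parse_command(xml_text):
    """Return the attribute dict of a <Command> root node, or None when the
    payload is not a well-formed VRTSweb administrative request."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "Command":
        return None
    return dict(root.attrib)


def classify_request(xml_text, src_ip):
    """Return a list of findings (empty list = nothing suspicious) for one
    request observed on TCP/14300 from src_ip."""
    findings = []
    attrs = parse_command(xml_text)
    if attrs is None:
        return findings
    if src_ip not in TRUSTED_ADMIN_HOSTS:
        findings.append(f"admin command from untrusted host {src_ip}")
    if attrs.get("command") != "startWebApp":
        return findings
    missing = [a for a in ("authFile", "appName", "installDir") if a not in attrs]
    if missing:
        findings.append("startWebApp missing: " + ", ".join(missing))
    # Only the file name matters: an absolute or relative path ending in
    # .heartbeat is the same bypass, so normalise separators and take basename.
    name = os.path.basename(attrs.get("authFile", "").replace("\\", "/"))
    if name in PREDICTABLE_AUTH_FILES:
        findings.append(f"authFile uses predictable runtime file {name!r}")
    return findings


# Constructed sample requests (XML layout assumed from the advisory's description).
SAMPLES = [
    ("127.0.0.1", '<Command command="startWebApp" authFile="admin.token" '
                  'appName="app" installDir="c:/apps/app.war"/>'),
    ("10.0.0.5", '<Command command="startWebApp" authFile="c:/vrtsweb/.heartbeat" '
                 'appName="test" installDir="c:/test.war"/>'),
]


def scan(samples=SAMPLES):
    """Classify every sample; returns (src_ip, findings) pairs."""
    return [(ip, classify_request(xml, ip)) for ip, xml in samples]
```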

The vulnerability has been assigned CVE-2009-3027.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 4699 Symantec VRTSweb Code Execution Attempt