Symantec AMS2 Remote Command Execution (Aug 5, 2010)


Symantec Alert Management System 2 (AMS2) is a component of the Symantec System Center console, Symantec AntiVirus Server, and Symantec AntiVirus Central Quarantine Server. AMS2 listens for specific security-related events on a network and sends notifications as configured by the administrator. AMS2 starts multiple services on the system, including the Message System Service (MSGSYS.EXE) and the AMS2 Handler Manager Service (HNDLRSVC.EXE). On clients, the MSGSYS.EXE service listens on TCP port 38292; it receives messages from the AMS server describing alert actions and forwards them to the HNDLRSVC.EXE service, which performs the requested action.

A design weakness exists in Symantec AMS2: the MSGSYS.EXE service performs no authentication to verify the sender of alert-action messages. An unauthenticated remote attacker can exploit this by sending a crafted packet to the MSGSYS.EXE service on TCP port 38292. Successful exploitation allows the attacker to execute arbitrary commands with SYSTEM privileges.
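Because the listener accepts alert actions from anyone who can reach TCP/38292, the practical compensating control is to confine that port to the approved AMS server(s) and to watch for anything else talking to it. The following script is an added example, not part of the SonicWALL advisory and not Symantec or SonicWALL code: it runs over firewall connection logs in a constructed syslog-style format (the log layout, host addresses, the approved-sender list and the internal address ranges are all hypothetical) and flags every TCP/38292 connection whose source is not an approved AMS server, separating internal strays from sources outside the internal address space.

```python
"""Flag connections to the Symantec AMS2 message-system listener
(MSGSYS.EXE, TCP/38292) that do not come from an approved AMS server.

Added example; not part of the advisory and not Symantec or SonicWALL code.
The log format, addresses, approved-sender list and internal ranges below
are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# TCP port the MSGSYS.EXE service listens on (from the advisory).
AMS2_MSGSYS_PORT = 38292

# Constructed syslog-style firewall records (hypothetical format and addresses).
SAMPLE_LOGS = """\
2010-08-05T10:01:12Z fw01 conn src=10.1.1.5 dst=10.1.20.31 proto=tcp dport=38292 action=allow
2010-08-05T10:01:14Z fw01 conn src=10.1.1.5 dst=10.1.20.32 proto=tcp dport=38292 action=allow
2010-08-05T10:02:40Z fw01 conn src=192.168.7.99 dst=10.1.20.31 proto=tcp dport=38292 action=allow
2010-08-05T10:02:41Z fw01 conn src=192.168.7.99 dst=10.1.20.31 proto=tcp dport=445 action=allow
2010-08-05T10:03:02Z fw01 conn src=203.0.113.8 dst=10.1.20.33 proto=tcp dport=38292 action=allow
2010-08-05T10:03:05Z fw01 conn src=10.1.1.5 dst=10.1.20.33 proto=udp dport=38292 action=allow
2010-08-05T10:03:09Z fw01 conn src=not-an-address dst=10.1.20.33 proto=tcp dport=38292 action=allow
this line is not a connection record
"""

_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+conn\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+action=(?P<action>\S+)\s*$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    reason: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one connection record, or None if the line is
    not a connection record in the constructed format."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unapproved_ams_traffic(
    log_text: str,
    approved_senders: Iterable[str],
    internal_nets: Iterable[str],
) -> List[Finding]:
    """Flag every TCP/38292 connection whose source is not an approved AMS
    server. approved_senders and internal_nets are CIDR strings."""
    approved = [ipaddress.ip_network(n, strict=False) for n in approved_senders]
    internal = [ipaddress.ip_network(n, strict=False) for n in internal_nets]
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # The advisory describes the listener as TCP only; UDP and other
        # destination ports are out of scope for this check.
        if rec["proto"].lower() != "tcp" or int(rec["dport"]) != AMS2_MSGSYS_PORT:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            # A source that does not parse is worth a look, not a silent drop.
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"],
                                    "unparseable source address"))
            continue
        if any(src in net for net in approved):
            continue
        if any(src in net for net in internal):
            reason = "internal host that is not an approved AMS server"
        else:
            reason = "source outside internal address space"
        findings.append(Finding(rec["ts"], str(src), rec["dst"], reason))
    return findings


def hosts_contacted_by(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Group flagged destinations by source, to see which AMS2 clients a
    single unapproved sender reached."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        targets = out.setdefault(f.src, [])
        if f.dst not in targets:
            targets.append(f.dst)
    return out


if __name__ == "__main__":
    hits = find_unapproved_ams_traffic(
        SAMPLE_LOGS, ["10.1.1.5/32"], ["10.0.0.0/8", "192.168.0.0/16"])
    for f in hits:
        print(f"{f.ts} {f.src} -> {f.dst}:{AMS2_MSGSYS_PORT}  {f.reason}")
```

Two caveats apply. Allow-listing the AMS server's address at the firewall is a compensating control, not a fix: the service still performs no authentication, so a spoofed or compromised approved sender is still accepted, and the vendor's remediation or the IPS signature below remains the primary defense. And the check is only as good as the approved-sender list; an AMS server that moves or gets a second address will show up as a false positive until the list is updated.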

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 4815 Symantec AMS Intel Alert Handler Command Execution