Juniper Networks
Signature Detail


Short Name: APP:SYMC:AMS-HNDLRSVC-RCE
Severity: Critical
Recommended: No
Recommended Action: Drop
Category: APP
Keywords: Symantec Alert Management System HNDLRSVC Remote Command Execution
Release Date: 2010/09/29
Update Number: 1782
Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

APP: Symantec Alert Management System HNDLRSVC Remote Command Execution


This signature detects attempts to exploit a known vulnerability in the Symantec Alert Management System (AMS2) service shipped with multiple Symantec products. The AMS service starts an alert handler service, HNDLRSVC, that listens for commands from the AMS server but does not perform proper authentication checks before executing them. A remote unauthenticated attacker can exploit this by sending a crafted packet to the target service to execute arbitrary programs with SYSTEM privileges.

Extended Description

Symantec Antivirus Corporate Edition is prone to a remote privilege-escalation vulnerability. This issue affects the Alert Management Service. Attackers can exploit this issue to gain SYSTEM-level privileges on an affected computer. Symantec Antivirus Corporate Edition 10.1.8.8000 is vulnerable; other versions may also be affected.

Affected Products

  • Symantec AntiVirus Corporate Edition 10.0.0
  • Symantec AntiVirus Corporate Edition 10.0.0.359
  • Symantec AntiVirus Corporate Edition 10.0.1.1000
  • Symantec AntiVirus Corporate Edition 10.0.1.1001 (MR1-PP1)
  • Symantec AntiVirus Corporate Edition 10.0.1.1003 (MR1-PP2)
  • Symantec AntiVirus Corporate Edition 10.0.1.1007
  • Symantec AntiVirus Corporate Edition 10.0.1.1008
  • Symantec AntiVirus Corporate Edition 10.0.1.1009 (MR1-PP9)
  • Symantec AntiVirus Corporate Edition 10.0.2.2000
  • Symantec AntiVirus Corporate Edition 10.0.2 .2001
  • Symantec AntiVirus Corporate Edition 10.0.2.2002
  • Symantec AntiVirus Corporate Edition 10.0.2.2010
  • Symantec AntiVirus Corporate Edition 10.0.2.2011
  • Symantec AntiVirus Corporate Edition 10.0.2.2020
  • Symantec AntiVirus Corporate Edition 10.0.2.2021
  • Symantec AntiVirus Corporate Edition 10.1
  • Symantec AntiVirus Corporate Edition 10.1.0.394
  • Symantec AntiVirus Corporate Edition 10.1.0.396
  • Symantec AntiVirus Corporate Edition 10.1.0.400
  • Symantec AntiVirus Corporate Edition 10.1.0.401
  • Symantec AntiVirus Corporate Edition 10.1.4
  • Symantec AntiVirus Corporate Edition 10.1.4.4000 (MR4)
  • Symantec AntiVirus Corporate Edition 10.1.4.4010
  • Symantec AntiVirus Corporate Edition 10.1.4 MR4 MP1 - build 4010
  • Symantec AntiVirus Corporate Edition 10.1.5.5000 (MR5)
  • Symantec AntiVirus Corporate Edition 10.1.5.5001 (MR5-PP1)
  • Symantec AntiVirus Corporate Edition 10.1.5.5010 (MR5-MP1)
  • Symantec AntiVirus Corporate Edition 10.1.6.600
  • Symantec AntiVirus Corporate Edition 10.1.6.6000
  • Symantec AntiVirus Corporate Edition 10.1.6.6010 (MR6-MP1)
  • Symantec AntiVirus Corporate Edition 10.1.7.7000 (MR7)
  • Symantec AntiVirus Corporate Edition 10.1.8.8000
  • Symantec AntiVirus Corporate Edition 10.1 MR6
  • Symantec AntiVirus Corporate Edition 10.1 MR6 MP1
  • Symantec AntiVirus Corporate Edition 10.1 MR7
  • Symantec AntiVirus Corporate Edition 10.1 MR8
  • Symantec AntiVirus Corporate Edition 10.1 MR9
  • Symantec AntiVirus Corporate Edition 8.0.0
  • Symantec AntiVirus Corporate Edition 8.0.0 1
  • Symantec AntiVirus Corporate Edition 8.0.0 1.425a/b
  • Symantec AntiVirus Corporate Edition 8.0.0 1.429c
  • Symantec AntiVirus Corporate Edition 8.0.0 1.501
  • Symantec AntiVirus Corporate Edition 8.0.0 1.9374
  • Symantec AntiVirus Corporate Edition 8.0.0 1.9378
  • Symantec AntiVirus Corporate Edition 8.1.0
  • Symantec AntiVirus Corporate Edition 8.1.0 .0.825a
  • Symantec AntiVirus Corporate Edition 8.1.0 build 8.01.434
  • Symantec AntiVirus Corporate Edition 8.1.0 build 8.01.437
  • Symantec AntiVirus Corporate Edition 8.1.0 build 8.01.446
  • Symantec AntiVirus Corporate Edition 8.1.0 build 8.01.457
  • Symantec AntiVirus Corporate Edition 8.1.0 build 8.01.460
  • Symantec AntiVirus Corporate Edition 8.1.0 build 8.01.464
  • Symantec AntiVirus Corporate Edition 8.1.0 build 8.01.471
  • Symantec AntiVirus Corporate Edition 8.1.1
  • Symantec AntiVirus Corporate Edition 8.1.1 .366
  • Symantec AntiVirus Corporate Edition 8.1.1 .377
  • Symantec AntiVirus Corporate Edition 8.1.1 Build 393
  • Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.314a
  • Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.319
  • Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.323
  • Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.329
  • Symantec AntiVirus Corporate Edition 8.1.1 MR9
  • Symantec AntiVirus Corporate Edition 9.0.0
  • Symantec AntiVirus Corporate Edition 9.0.0 .0.338
  • Symantec AntiVirus Corporate Edition 9.0.0.1300 (STM-PP1)
  • Symantec AntiVirus Corporate Edition 9.0.0.1400 (STM-PP2)
  • Symantec AntiVirus Corporate Edition 9.0.1.1000 (MR1)
  • Symantec AntiVirus Corporate Edition 9.0.1.1001 (MR1-PP1)
  • Symantec AntiVirus Corporate Edition 9.0.1 .1.1000
  • Symantec AntiVirus Corporate Edition 9.0.1.1100 (MR1-MP1)
  • Symantec AntiVirus Corporate Edition 9.0.2 .1000
  • Symantec AntiVirus Corporate Edition 9.0.3 .1000
  • Symantec AntiVirus Corporate Edition 9.0.3.1100 (MR3-MP1)
  • Symantec AntiVirus Corporate Edition 9.0.4
  • Symantec AntiVirus Corporate Edition 9.0.4 MR4 build 1000
  • Symantec AntiVirus Corporate Edition 9.0.5
  • Symantec AntiVirus Corporate Edition 9.0.5.1000 (MR5)
  • Symantec AntiVirus Corporate Edition 9.0.5.1001 (MR5-PP1)
  • Symantec AntiVirus Corporate Edition 9.0.5.1100
  • Symantec AntiVirus Corporate Edition 9.0.6.1000
  • Symantec AntiVirus Corporate Edition 9.0.6.1000 (MR6)
  • Symantec AntiVirus Corporate Edition 9.0.6 MR6 MP1 - build 1100
  • Symantec AntiVirus Corporate Edition 9.0 MR7
  • Symantec AntiVirus Corporate Edition 9 MR6 MP1

References

  • BugTraq: 41959
  • URL: http://seclists.org/fulldisclosure/2010/Jul/364

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.