Signature Detail

APP: Symantec Alert Management System AMSSendAlertAck Stack Buffer Overflow

This signature detects attempts to exploit a known vulnerability in Symantec Intel Alert Management System. It is caused by code which copies a user supplied string into a stack buffer without proper bound checks. A remote unauthenticated attacker can exploit this by sending a specially crafted packet to the affected service. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the SYSTEM context.

Extended Description

Symantec Intel Alert Management System (AMS2) is prone to multiple remote buffer-overflow vulnerabilities. AMS2 is used in multiple Symantec products including Symantec AntiVirus Corporate Edition Server (SAVCE), Symantec System Center (SSC), and Symantec Quarantine Server. Attackers can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Affected Products

• Symantec AntiVirus 10
• Symantec AntiVirus Corporate Edition 10.0.0
• Symantec AntiVirus Corporate Edition 10.0.0.359
• Symantec AntiVirus Corporate Edition 10.0.1.1000
• Symantec AntiVirus Corporate Edition 10.0.1.1001 (MR1-PP1)
• Symantec AntiVirus Corporate Edition 10.0.1.1003 (MR1-PP2)
• Symantec AntiVirus Corporate Edition 10.0.1.1007
• Symantec AntiVirus Corporate Edition 10.0.1.1008
• Symantec AntiVirus Corporate Edition 10.0.1.1009 (MR1-PP9)
• Symantec AntiVirus Corporate Edition 10.0.2.2000
• Symantec AntiVirus Corporate Edition 10.0.2 .2001
• Symantec AntiVirus Corporate Edition 10.0.2.2002
• Symantec AntiVirus Corporate Edition 10.0.2.2010
• Symantec AntiVirus Corporate Edition 10.0.2.2011
• Symantec AntiVirus Corporate Edition 10.0.2.2020
• Symantec AntiVirus Corporate Edition 10.0.2.2021
• Symantec AntiVirus Corporate Edition 10.1
• Symantec AntiVirus Corporate Edition 10.1.0.394
• Symantec AntiVirus Corporate Edition 10.1.0.396
• Symantec AntiVirus Corporate Edition 10.1.0.400
• Symantec AntiVirus Corporate Edition 10.1.0.401
• Symantec AntiVirus Corporate Edition 10.1.4
• Symantec AntiVirus Corporate Edition 10.1.4.4000 (MR4)
• Symantec AntiVirus Corporate Edition 10.1.4.4010
• Symantec AntiVirus Corporate Edition 10.1.4 MR4 MP1 - build 4010
• Symantec AntiVirus Corporate Edition 10.1.5.5000 (MR5)
• Symantec AntiVirus Corporate Edition 10.1.5.5001 (MR5-PP1)
• Symantec AntiVirus Corporate Edition 10.1.5.5010 (MR5-MP1)
• Symantec AntiVirus Corporate Edition 10.1.6.600
• Symantec AntiVirus Corporate Edition 10.1.6.6000
• Symantec AntiVirus Corporate Edition 10.1.6.6010 (MR6-MP1)
• Symantec AntiVirus Corporate Edition 10.1.7.7000 (MR7)
• Symantec AntiVirus Corporate Edition 10.1.8.8000
• Symantec AntiVirus Corporate Edition 10.1 MR6
• Symantec AntiVirus Corporate Edition 10.1 MR6 MP1
• Symantec AntiVirus Corporate Edition 10.1 MR7
• Symantec AntiVirus Corporate Edition 10.1 MR8
• Symantec AntiVirus Corporate Edition 10.1 MR9
• Symantec Quarantine Server 3.5
• Symantec Quarantine Server 3.6
• Symantec System Center

References

• BugTraq: 45936
• CVE: CVE-2010-0110