Symantec Alert Management System Intel Alert Handler command execution

Added: 08/20/2010
BID: 41959
OSVDB: 66807

Background

The Symantec Alert Management System 2 (AMS2) is used by multiple Symantec products. It includes an Intel Alert Handler service (hndlrsvc.exe). This service handles messages forwarded to it by the Alert Originator Manager, which listens on port 38292/TCP.

Problem

A design flaw in the Intel Alert Handler service allows remote, unauthenticated attackers to execute arbitrary commands by sending a "Run Program" command to the Alert Originator Manager.

Resolution

Apply an update when available. If an update is not available, disable the Alert Handler service.
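The interim mitigation above, as an added example (not code from the vendor or from this advisory): the function finds the service by its image name hndlrsvc.exe, since the advisory does not give the registered service name, then stops and disables it and reports any listener left on 38292/TCP. It assumes an elevated session with PowerShell 3.0 or later on Windows 8 / Server 2012 or later; the function name Disable-AlertHandler is hypothetical.

```powershell
# Added example. Assumes an elevated PowerShell 3.0+ session on
# Windows 8 / Server 2012 or later (Get-CimInstance, Get-NetTCPConnection).
function Disable-AlertHandler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ImageName = 'hndlrsvc.exe',  # binary named in the advisory
        [int]$AomPort = 38292                 # Alert Originator Manager port
    )

    # Locate the service by image path; the registered service name is
    # discovered here rather than assumed.
    $services = @(Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like "*$ImageName*" })

    if ($services.Count -eq 0) {
        Write-Output "No service with image $ImageName found."
    }

    foreach ($svc in $services) {
        Write-Output ("Found {0} ({1}): State={2}, StartMode={3}" -f `
            $svc.Name, $svc.DisplayName, $svc.State, $svc.StartMode)
        if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop and disable service')) {
            Stop-Service -Name $svc.Name -Force -ErrorAction Continue
            Set-Service -Name $svc.Name -StartupType Disabled
        }
    }

    # Report whether anything is still listening on the AOM port and which
    # process owns the socket.
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $AomPort `
        -ErrorAction SilentlyContinue)
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ("Listener on {0}:{1} owned by PID {2} ({3})" -f `
            $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName)
    }
    if ($listeners.Count -eq 0) {
        Write-Output "Nothing is listening on TCP $AomPort."
    }
}

# Dry run: lists what would be stopped and disabled without changing anything.
Disable-AlertHandler -WhatIf
```

Run it without -WhatIf to apply the change. The port check is informational: per the Background section, 38292/TCP belongs to the Alert Originator Manager, so a listener can remain after the handler service is disabled.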

References

http://www.securityfocus.com/archive/1/512635

Limitations

Exploit works on Symantec System Center 10.1.8.8000. The specified share must be accessible by the target.

Before the exploit can succeed, exploit.exe must be placed on the specified share. Use the Download Connection or E-mail Attachment Execution exploit tool to obtain exploit.exe, using the same shell port as used with this exploit. Due to this requirement, this exploit must be run individually and is not included during an automated penetration test.

Platforms

Windows
