Bugtraq mailing list archives


iDefense Security Advisory 04.29.09: Symantec System Center Alert Management System Console Arbitrary Program Execution Design Error Vulnerability


From: iDefense Labs <labs-no-reply () idefense com>
Date: Wed, 29 Apr 2009 12:34:45 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDefense Security Advisory 04.28.09
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 28, 2009

I. BACKGROUND

Symantec System Center is an MMC (Microsoft Management Console) snap-in
that allows an administrator to remotely manage Symantec products. The
Symantec System Center comes bundled with several Symantec products,
including Symantec Client Security and Symantec AntiVirus. It contains
an optional component called the Alert Management System Console. This
component starts a service (Intel File Transfer) that listens on TCP
port 12174.

II. DESCRIPTION

Remote exploitation of a design error vulnerability in Symantec Corp.'s
Symantec System Center may allow an attacker to execute arbitrary code
with SYSTEM privileges.

The vulnerability exists within the 'Intel File Transfer' service, which
runs the xfr.exe application. When sent a properly formatted request,
this service will extract a string from the request, and use it as the
path of a program to execute as a new Process. The process will be
started with SYSTEM privileges.

III. ANALYSIS

Exploitation of this vulnerability allows an attacker to execute
arbitrary code with SYSTEM privileges. In order to exploit this
vulnerability, an attacker must be able to establish a TCP session on
port 12174 with the vulnerable host.

The vulnerable service is actually part of LANDesk Management Suite. It
is not clear whether the behavior described is part of the intended
functionality of the program. However, the manner in which the service
is being used by the Symantec System Center is unsafe.

In a default client type installation, the Symantec System Center is not
installed. The System Center would normally be found on the network
administrator's system. In addition, the Alert Management System
Console is not a default option in the installation of the System
Center.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Symantec
Client Security version 3.1. Previous versions may also be affected.

Symantec has confirmed the existence of this vulnerability in the
following products:

Symantec AntiVirus Corporate Edition Version 9.0 MR6 and earlier
Symantec AntiVirus Corporate Edition Version 10.0 all versions
Symantec AntiVirus Corporate Edition Version 10.1 MR7 and earlier
Symantec AntiVirus Corporate Edition Version 10.2 MR1 and earlier
Symantec Client Security Version 2.0 MR6 and earlier
Symantec Client Security Version 3.0 all versions
Symantec Client Security Version 3.1 MR7 and earlier
Symantec Endpoint Protection Version 11.0 MR2 and earlier

V. WORKAROUND

The 'Intel File Transfer' service (which launches xfr.exe) can be
disabled via the Service Manager. However, this may impair the
operation of the Alert Management Service (AMS).

Symantec recommends users of the AMS switch to 'Reporting' to manage
alerts in their environments, and disable or uninstall AMS as a
temporary mitigation.

VI. VENDOR RESPONSE

Symantec has released a patch which addresses this issue. For more
information, consult their advisory at the following URL:

http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090428_02

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2009-1431 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/09/2007  - Initial Contact
10/09/2007  - Initial Vendor Response
08/27/2008  - Vendor Status Update
12/11/2008  - Requested Status Update
12/11/2008  - Vendor Status Update
04/14/2009  - Requested CVE
04/14/2009  - Requested Status Update
04/15/2009  - Vendor Status Update
04/28/2009  - Coordinated Public Disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice () idefense com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ+IGjbjs6HoxIfBkRAvcOAJ0RTXsiFdCS99wP6eCPIhnFn745HwCfU4m2
YcW8RzpL/4bcgDrjg1Lz3K8=
=6lcO
-----END PGP SIGNATURE-----
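
The workaround in section V, as an added example (not part of the iDefense advisory or of any Symantec tooling): a PowerShell script that reports the 'Intel File Transfer' service and any listener on TCP port 12174, and with -Apply stops and disables the service. It assumes the service's display name contains 'Intel File Transfer' and that netstat prints English state names; the parameter and function names are illustrative.

```powershell
# Added example; not from the advisory. Report-only unless -Apply is given.
# Assumption: the service's display name contains 'Intel File Transfer'.
param(
    [switch]$Apply,
    [int]$Port = 12174,                               # TCP port named in the advisory
    [string]$DisplayName = '*Intel File Transfer*'
)

function Get-ListenerPid {
    param([int]$Port)
    # netstat avoids a dependency on the NetTCPIP module (Get-NetTCPConnection).
    # Matches lines such as "TCP  0.0.0.0:12174  0.0.0.0:0  LISTENING  1234".
    netstat -ano | ForEach-Object {
        if ($_ -match "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)") { [int]$Matches[1] }
    } | Sort-Object -Unique
}

$services = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like $DisplayName })
$listenerPids = @(Get-ListenerPid -Port $Port)

foreach ($svc in $services) {
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Account   = $svc.StartName      # the advisory reports SYSTEM privileges
        Binary    = $svc.PathName       # expected to reference xfr.exe
        OwnsPort  = $listenerPids -contains [int]$svc.ProcessId
    }
}
foreach ($id in $listenerPids) {
    $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
    Write-Output "TCP $Port listening: PID $id ($($proc.ProcessName))"
}
if (-not $services -and -not $listenerPids) {
    Write-Output "No matching service and no listener on TCP $Port."
}

if ($Apply) {
    # Workaround from section V; the advisory notes this may impair AMS.
    foreach ($svc in $services) {
        Stop-Service -Name $svc.Name -Force
        Set-Service -Name $svc.Name -StartupType Disabled
    }
    if (Get-ListenerPid -Port $Port) {
        Write-Warning "TCP $Port is still listening after the change."
    }
}
```

Run it from an elevated prompt; Get-CimInstance requires PowerShell 3.0 or later.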
