Vulnerabilities > CVE-2009-1431 - Unspecified vulnerability in Symantec products

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
symantec
critical

Summary

XFR.EXE in the Intel File Transfer service in the console in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec AntiVirus (SAV) Corporate Edition 9 before 9.0 MR7, 10.0 and 10.1 before 10.1 MR8, and 10.2 before 10.2 MR2; Symantec Client Security (SCS) 2 before 2.0 MR7 and 3 before 3.1 MR8; and Symantec Endpoint Protection (SEP) before 11.0 MR3, allows remote attackers to execute arbitrary code by placing the code on a (1) share or (2) WebDAV server, and then sending the UNC share pathname to this service. Per vendor: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090428_02 "Symantec System Center Impact Symantec System Center (SSS) is a Microsoft Management Console (MMC) plug-in which allows an administrator to manage all Symantec AntiVirus platforms from a single, centralized location. Alert Management System 2 (AMS2) is an alerting feature of System Center that listens for specific events and sends notifications as specified by the administrator. AMS2 is installed by default with Symantec System Center 9.0. AMS2 is an optional component in Symantec System Center 10.0 or 10.1. These vulnerabilities will only impact systems if AMS has been installed. Symantec AntiVirus Server Impact AMS2 is installed by default with Symantec AntiVirus Server 9.0. AMS2 is an optional component in Symantec AntiVirus Server 10.0 or 10.1. These vulnerabilities will only impact systems if AMS has been installed. Symantec AntiVirus and Symantec Endpoint Protection Central Quarantine Server Impact AMS2 is installed by default by Central Quarantine Server. These vulnerabilities will only impact systems if Quarantine Server has been installed. Symantec is not aware of any customers impacted by these issues, or of any attempts to exploit them. However, we recommend that any affected customers update their product immediately to protect against potential attempts to exploit these issues. Certain localized language versions of SCS 2.0/SAV 9.x were not patched due to compatibility issues on the localized platforms. As a result, customers who are running the following versions are strongly recommended to update to a non-vulnerable SCS 2.0/SAV 9 International English version or upgrade to a non-vulnerable version of SEP 11.x: Symantec Client Security 2.0/Symantec AntiVirus Corporate Edition 9.x (Chinese Simplified and Chinese Traditional) Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Chinese Simplified and Chinese Traditional) Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Korean) Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Japanese licensed)"

Vulnerable Configurations

Part Description Count
Application
Symantec
94

Saint

bid34675
descriptionSymantec Alert Management System Intel File Transfer service command execution
idmisc_av_symantec_alertxfr
osvdb54160
titlesymantec_ams_intel_file_transfer
typeremote

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 34675 CVE(CAN) ID: CVE-2009-1431 Symantec AntiVirus是非常流行的杀毒解决方案。 Symantec杀毒软件产品中捆绑有Symantec System Center以便管理员远程管理Symantec产品。Symantec System Center包含有一个名为警告管理系统控制台的可选组件,该组件会在TCP 12174端口上启动Intel File Transfer服务(XFR.EXE)。如果远程攻击者向XFR.EXE服务发送了特制请求的话,服务会从请求中获取字符串并用作所要执行新进程的路径。 攻击者可以创建到有漏洞主机的TCP会话,之后在文件共享或WebDav服务器上放置任意代码。向XFR.EXE服务发送UNC路径就会导致在用户机器上执行这些代码。 Symantec Client Security 3.1 Symantec Client Security 3.0 Symantec Client Security 2.0 Symantec AntiVirus Corporate Edition 9.0 Symantec AntiVirus Corporate Edition 10.2 Symantec AntiVirus Corporate Edition 10.1 Symantec AntiVirus Corporate Edition 10.0 Symantec Endpoint Protection 11.0 临时解决方法: * 切换到Reporting管理警告,并禁用或卸载警告管理服务(AMS)。 厂商补丁: Symantec -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.symantec.com/ target=_blank rel=external nofollow>http://www.symantec.com/</a>
idSSV:11166
last seen2017-11-19
modified2009-05-01
published2009-05-01
reporterRoot
titleSymantec杀毒软件Intel File Transfer服务任意代码执行漏洞