Vulnerabilities > CVE-2010-0110 - Buffer Errors vulnerability in Symantec products

CVSS 7.9 - HIGH

Attack vector

ADJACENT_NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

symantec

CWE-119

nessus

NVD

Published: 2011-01-31

Updated: 2017-08-17

Summary

Multiple stack-based buffer overflows in Intel Alert Management System (aka AMS or AMS2), as used in Symantec AntiVirus Corporate Edition (SAVCE) 10.x before 10.1 MR10, Symantec System Center (SSC) 10.x, and Symantec Quarantine Server 3.5 and 3.6, allow remote attackers to execute arbitrary code via (1) a long string to msgsys.exe, related to the AMSSendAlertAct function in AMSLIB.dll in the Intel Alert Handler service (aka Symantec Intel Handler service); a long (2) modem string or (3) PIN number to msgsys.exe, related to pagehndl.dll in the Intel Alert Handler service; or (4) a message to msgsys.exe, related to iao.exe in the Intel Alert Originator service.

Vulnerable Configurations

Part	Description	Count
Application	Symantec Symantec Antivirus 10.0 Symantec Antivirus 10.0.1 Symantec Antivirus 10.0.1.1 Symantec Antivirus 10.0.1.2 Symantec Antivirus 10.0.2 Symantec Antivirus 10.0.2.1 Symantec Antivirus 10.0.2.2 Symantec Antivirus 10.0.3 Symantec Antivirus 10.0.4 Symantec Antivirus 10.0.5 Symantec Antivirus 10.0.6 Symantec Antivirus 10.0.7 Symantec Antivirus 10.0.8 Symantec Antivirus 10.0.9 Symantec Antivirus 10.1 Symantec Antivirus 10.1.0.1 Symantec Antivirus 10.1.4 Symantec Antivirus 10.1.4.1 Symantec Antivirus 10.1.5 Symantec Antivirus 10.1.5.1 Symantec Antivirus 10.1.6 Symantec Antivirus 10.1.6.1 Symantec Antivirus 10.1.7 Symantec Antivirus 10.1.8 Symantec Antivirus 10.1.9 Symantec Antivirus 10.2 Symantec System Center 10.0 Symantec System Center 10.1 Symantec Antivirus Central Quarantine Server 3.5 Symantec Antivirus Central Quarantine Server 3.6	39

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

NASL family	Windows
NASL id	SYMANTEC_AMS2_SYM11-002.NASL
description	Alert Management System 2 (AMS2), an optional component included with multiple Symantec products, is installed on the remote host. Versions before build 156 are affected by multiple stack-based buffer overflow vulnerabilities. A remote attacker could exploit these issues to crash the service or to execute arbitrary code as SYSTEM.
last seen	2020-06-01
modified	2020-06-02
plugin id	51813
published	2011-01-28
reporter	This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/51813
title	Symantec Alert Management System 2 Multiple Vulnerabilities (SYM11-002, SYM11-003)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(51813); script_version("1.27"); script_cvs_date("Date: 2018/11/15 20:50:28"); script_cve_id("CVE-2010-0110", "CVE-2010-0111", "CVE-2010-3268", "CVE-2011-0688"); script_bugtraq_id(41959, 45935, 45936); script_xref(name:"EDB-ID", value:"17700"); script_xref(name:"IAVA", value:"2011-A-0011"); script_xref(name:"Secunia", value:"43099"); script_name(english:"Symantec Alert Management System 2 Multiple Vulnerabilities (SYM11-002, SYM11-003)"); script_summary(english:"Checks version number of iao.exe"); script_set_attribute( attribute:"synopsis", value: "The remote Windows host has a service that is affected by multiple remote buffer overflow vulnerabilities." ); script_set_attribute( attribute:"description", value: "Alert Management System 2 (AMS2), an optional component included with multiple Symantec products, is installed on the remote host. Versions before build 156 are affected by multiple stack-based buffer overflow vulnerabilities. A remote attacker could exploit these issues to crash the service or to execute arbitrary code as SYSTEM." ); script_set_attribute( attribute:"see_also", value:"http://web.archive.org/web/20160305233709/http://telussecuritylabs.com/threats/show/fsc20100727-01" ); script_set_attribute( attribute:"see_also", value:"http://telussecuritylabs.com/threats/show/FSC20101213-06" ); script_set_attribute( attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-11-028/" ); script_set_attribute( attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-11-029/" ); script_set_attribute( attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-11-030/" ); script_set_attribute( attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-11-031/" ); script_set_attribute( attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-11-032/" ); # https://www.secureauth.com/labs/advisories/symantec-intel-handler-service-remote-dos" script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?3ccc88b8" ); script_set_attribute( attribute:"see_also", value:"https://seclists.org/fulldisclosure/2010/Dec/261" ); # http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20110126_00 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?47017164" ); # http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20110126_01 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?2281a594" ); script_set_attribute( attribute:"solution", value: "Apply the relevant upgrade referenced in the Symantec advisory or disable AMS2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'White_Phosphorus'); script_set_attribute(attribute:"vuln_publication_date", value:"2010/01/28"); script_set_attribute(attribute:"patch_publication_date", value:"2011/01/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/01/28"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe",value:"cpe:/a:symantec:antivirus"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "smb_enum_services.nasl"); script_require_keys("SMB/Registry/Enumerated"); script_require_ports(139, 445); exit(0); } include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); if (report_paranoia < 2) { status = get_kb_item_or_exit("SMB/svc/Intel Alert Originator"); if (status != SERVICE_ACTIVE) exit(0, "The Alert Originator service is installed but not active."); } if (!is_accessible_share()) exit(1, "is_accessible_share() failed."); if ( hotfix_is_vulnerable(file:"iao.exe", version:"6.12.0.156", dir:"\system32\ams_ii") ) { hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); exit(0, "The host is not affected."); }

Saint

bid 45936
description Symantec Alert Management System AMSSendAlertAck Buffer Overflow
id misc_av_symantec_antiviruspinbo
osvdb 72623
title symantec_ams_amssendalertack
type remote
bid 45936
description Symantec Alert Management System Intel Alert Handler modem string buffer overflow
id misc_av_symantec_antiviruspinbo
title symantec_ams_modem
type remote
bid 45936
description Symantec Alert Management System PIN number buffer overflow
id misc_av_symantec_antiviruspinbo
title symantec_ams_pin
type remote

bid	45936
description	Symantec Alert Management System AMSSendAlertAck Buffer Overflow
id	misc_av_symantec_antiviruspinbo
osvdb	72623
title	symantec_ams_amssendalertack
type	remote

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Saint

References