APP: Symantec Alert Management System HNDLRSVC Remote Command Execution

This signature detects attempts to exploit a known vulnerability in the Symantec Alert Management System (AMS2) service shipped with multiple Symantec products. The AMS service starts an alert handler service, HNDLRSVC, that listens for commands from the AMS server but does not perform proper authentication checks before executing them. Remote unauthenticated attackers can exploit this by sending a crafted packet to the target service, which lets them execute arbitrary programs with SYSTEM privileges.

Extended Description

Symantec Antivirus Corporate Edition is prone to a remote privilege-escalation vulnerability. This issue affects the Alert Management Service. Attackers can exploit this issue to gain SYSTEM-level privileges on an affected computer. Symantec Antivirus Corporate Edition 10.1.8.8000 is vulnerable; other versions may also be affected.

Affected Products

Symantec antivirus_corporate_edition

Short Name
APP:SYMC:AMS-HNDLRSVC-RCE
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
APP
Keywords
Alert Command Execution HNDLRSVC Management Remote Symantec System bid:41959
Release Date
09/29/2010
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3336
Port
tcp/38292
False Positive
Unknown
Vendors

Symantec
