Symantec Vulnerability

In: Computer Security

13 May 2009

Based on Securiteam and CVE information: remote exploitation of a design error vulnerability in Symantec Corp.’s Symantec System Center may allow an attacker to execute arbitrary code with SYSTEM privileges.

XFR.EXE in the Intel File Transfer service in the console in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec AntiVirus (SAV) Corporate Edition 9 before 9.0 MR7, 10.0 and 10.1 before 10.1 MR8, and 10.2 before 10.2 MR2; Symantec Client Security (SCS) 2 before 2.0 MR7 and 3 before 3.1 MR8; and Symantec Endpoint Protection (SEP) before 11.0 MR3, allows remote attackers to execute arbitrary code by placing the code on a (1) share or (2) WebDAV server, and then sending the UNC share pathname to this service.

The vulnerability exists within the ‘Intel File Transfer’ service, which runs the xfr.exe application. When sent a properly formatted request, this service will extract a string from the request, and use it as the path of a program to execute as a new Process. The process will be started with SYSTEM privileges.

Exploitation of this vulnerability allows an attacker to execute arbitrary code with SYSTEM privileges. In order to exploit this vulnerability, an attacker must be able to establish a TCP session on port 12174 with the vulnerable host.

The vulnerable service is actually part of LANDesk Management Suite. It is not clear whether the behavior described is part of the intended functionality of the program. However, the manner in which the service is being used by the Symantec System Center is unsafe.
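The design error described above (a path taken from a network request and used directly as the program to start) can be contrasted with a validated lookup. This is an added illustration, not Symantec or LANDesk code and not the vendor's actual fix, which the page does not describe; the install directory, program names and sample requests are hypothetical.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumptions for illustration only: directory and program names are hypothetical.
ALLOWED_DIR = r"C:\Program Files\ExampleAMS\bin"
ALLOWED_PROGRAMS = {"update.exe", "notify.exe"}


def resolve_unsafe(requested):
    """Pattern described above: the request string becomes the program path as-is."""
    return requested


def resolve_hardened(requested):
    """Return the canonical local path to launch, or raise ValueError."""
    path = requested.strip().replace("/", "\\")
    # UNC share and WebDAV redirector paths both begin with two backslashes.
    if path.startswith("\\\\"):
        raise ValueError("remote path rejected")
    # Canonicalise relative to the allowed directory; normpath collapses "..".
    full = ntpath.normpath(ntpath.join(ALLOWED_DIR, path))
    folder, name = ntpath.split(full)
    if folder.lower() != ALLOWED_DIR.lower():
        raise ValueError("outside allowed directory")
    if name.lower() not in ALLOWED_PROGRAMS:
        raise ValueError("program not on allowlist")
    return full


def verdict(requested):
    """'allow' or 'deny: <reason>' for one requested path."""
    try:
        resolve_hardened(requested)
        return "allow"
    except ValueError as exc:
        return f"deny: {exc}"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    "update.exe",
    r"C:\Program Files\ExampleAMS\bin\notify.exe",
    r"\\fileserver.example\share\tool.exe",
    "//fileserver.example/share/tool.exe",
    r"..\..\..\Windows\System32\cmd.exe",
    r"D:\tools\update.exe",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:50} unsafe -> accepted, hardened -> {verdict(s)}")
```

Path validation addresses only the input side; running the launcher under an account with fewer rights than SYSTEM and restricting who can reach TCP port 12174 limit the impact if a check is missed.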

In a default client type installation, the Symantec System Center is not installed. The System Center would normally be found on the network administrator’s system. In addition, the Alert Management System Console is not a default option in the installation of the System Center.

Vulnerable Systems:

  • Symantec AntiVirus Corporate Edition version 9.0 MR6 and earlier
  • Symantec AntiVirus Corporate Edition version 10.0 all versions
  • Symantec AntiVirus Corporate Edition version 10.1 MR7 and earlier
  • Symantec AntiVirus Corporate Edition version 10.2 MR1 and earlier
  • Symantec Client Security version 2.0 MR6 and earlier
  • Symantec Client Security version 3.0 all versions
  • Symantec Client Security version 3.1 MR7 and earlier
  • Symantec Endpoint Protection version 11.0 MR2 and earlier

Click here for patch


About this blog

This blog is made by Muhammad Baiquni and is dedicated to giving you information about computers, security, ebook reviews, software, tutorials, the web (HTML, PHP, MySQL, CSS), and much more.
