Symantec AMS2 Package Buffer Overflow
Symantec Alert Management System 2 (AMS2) is a package included with several Symantec products, such as System Center, AntiVirus Server, and AntiVirus Central Quarantine Server. AMS2 contains a component named Intel Alert Originator (IAO) Service, which runs under the SYSTEM account by default.
The IAO service uses a proprietary protocol to exchange messages with other modules. One of these messages is the BIND message. It has the following format (offsets and sizes in bytes, offsets in hex):
Offset  Size   Description
------  -----  ------------------------------------------------
0000    8      filled with 0xFF
0008    6      unknown, seems to always contain 00 00 02 00 95 94
000E    4      IPv4 address of client
0012    8      filled with 0x00
001A    4      message size including the header (N)
001E    19     unknown
0031    1      Bind Type (Save = 0x02, Remove = 0x03)
0032    8      unknown
003A    4      Bind Identifier ("BIND")
003E    17     unknown
004F    5      Bind Identifier2 ("BIND" followed by a 0x00 byte)
0054    N-84   Bind Parameters (header is 0x54 = 84 bytes, so N-84 bytes remain)
There is a stack-based buffer overflow vulnerability in the IAO Service of AMS2. The vulnerability is due to a boundary error in the IAO service when processing crafted "Bind Remove" messages (Bind Type 0x03). Specifically, the vulnerable code copies the Bind Parameters into a fixed-size stack buffer without checking their length against that buffer, so the attacker-controlled message size is never validated. An overly long parameter string therefore overwrites critical stack data, including function return addresses and the SEH handler chain. By exploiting this vulnerability, an unauthenticated remote attacker can inject and execute arbitrary code within the security context of the service, which is SYSTEM by default.
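To make the message layout and the missing check concrete, the following C program is an added example written for this advisory; it is not Symantec's code and not the vulnerable routine itself. It serialises a BIND message from the table above, parses and validates one, and handles a Bind Remove with a bounded copy where the original service copied unchecked. Everything not stated on the page is an assumption: the little-endian encoding of the 4-byte size field, the 256-byte stack buffer size, the strictness of `n != buf_len`, and all function and field names.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Layout of the IAO BIND message as described in the advisory (offsets in hex). */
#define BIND_HDR_LEN      0x54      /* 84 bytes of header before the Bind Parameters */
#define OFF_UNKNOWN6      0x08
#define OFF_CLIENT_IP     0x0E
#define OFF_MSG_SIZE      0x1A
#define OFF_BIND_TYPE     0x31
#define OFF_BIND_ID       0x3A      /* "BIND" */
#define OFF_BIND_ID2      0x4F      /* "BIND" + 0x00 */
#define OFF_PARAMS        0x54
#define BIND_TYPE_SAVE    0x02
#define BIND_TYPE_REMOVE  0x03

/* Assumed size of the receiver's stack buffer; the real value is not given in the advisory. */
#define PARAMS_MAX        256

struct bind_msg {
    uint32_t       client_ip;   /* the 4 address bytes, read as a little-endian word */
    uint32_t       msg_size;    /* declared total length N, header included */
    uint8_t        bind_type;
    const uint8_t *params;
    size_t         params_len;  /* N - 84 */
};

/* Byte order of the size field is an assumption (little-endian, typical for Windows services). */
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Serialise a BIND message into out. Returns the total length, or 0 if it does not fit. */
size_t build_bind(uint8_t *out, size_t out_cap, uint8_t bind_type,
                  const uint8_t client_ip[4], const uint8_t *params, size_t params_len)
{
    static const uint8_t unknown6[6] = {0x00, 0x00, 0x02, 0x00, 0x95, 0x94};
    size_t total = BIND_HDR_LEN + params_len;
    if (total > out_cap || total > UINT32_MAX) return 0;
    memset(out, 0x00, BIND_HDR_LEN);            /* unknown/reserved fields zeroed */
    memset(out, 0xFF, 8);                       /* offset 0x00: eight 0xFF bytes */
    memcpy(out + OFF_UNKNOWN6, unknown6, 6);
    memcpy(out + OFF_CLIENT_IP, client_ip, 4);
    put_le32(out + OFF_MSG_SIZE, (uint32_t)total);
    out[OFF_BIND_TYPE] = bind_type;
    memcpy(out + OFF_BIND_ID, "BIND", 4);
    memcpy(out + OFF_BIND_ID2, "BIND", 5);      /* 5 bytes: includes the terminating NUL */
    memcpy(out + OFF_PARAMS, params, params_len);
    return total;
}

/* Parse and validate a BIND message. Returns 0 on success, a negative code on rejection. */
int parse_bind(const uint8_t *buf, size_t buf_len, struct bind_msg *m)
{
    static const uint8_t ff8[8] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
    if (buf_len < BIND_HDR_LEN) return -1;                     /* truncated header */
    if (memcmp(buf, ff8, 8) != 0) return -2;                    /* bad preamble */
    if (memcmp(buf + OFF_BIND_ID, "BIND", 4) != 0 ||
        memcmp(buf + OFF_BIND_ID2, "BIND", 5) != 0) return -3;  /* bad identifiers */
    uint32_t n = get_le32(buf + OFF_MSG_SIZE);
    if (n < BIND_HDR_LEN || n != buf_len) return -4;            /* size field disagrees with data */
    m->client_ip  = get_le32(buf + OFF_CLIENT_IP);
    m->msg_size   = n;
    m->bind_type  = buf[OFF_BIND_TYPE];
    m->params     = buf + OFF_PARAMS;
    m->params_len = n - BIND_HDR_LEN;
    return 0;
}

/* Bind Remove handler. The flaw described above is an unbounded copy of the parameters
 * into a fixed stack buffer; here the length is checked first and the copy is bounded.
 * Returns the accepted parameter string length, or a negative code on rejection. */
int handle_bind_remove(const struct bind_msg *m)
{
    char buf[PARAMS_MAX];
    if (m->bind_type != BIND_TYPE_REMOVE) return -1;
    /* Unsafe pattern being replaced: strcpy(buf, (const char *)m->params); */
    if (m->params_len >= sizeof buf) return -2;   /* would overflow the stack buffer: drop it */
    memcpy(buf, m->params, m->params_len);
    buf[m->params_len] = '\0';
    return (int)strlen(buf);
}
```

The rejection in `handle_bind_remove` is the check whose absence the advisory describes: the parameter length is derived from an attacker-supplied size field, so it must be compared against the destination buffer before any copy. A detection signature such as the one below keys on the same property, a Bind Remove message whose declared size is far larger than any legitimate parameter list.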
SonicWALL has released an IPS signature to detect and block generic attack attempts targeting this issue. The following IPS signature has been released today:
- 1440 Symantec Alert Management System BO Attempt
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-1430.