Symantec AMS2 Remote Command Execution

August 5, 2010

Symantec Alert Management System 2 (AMS2) is a component of the Symantec System Center console, Symantec AntiVirus Server, and the Symantec AntiVirus Central Quarantine Server. AMS2 listens for specific security-related events on a computer network and sends notifications as configured by the administrator. AMS2 starts multiple services on the system, including the Message System Service (MSGSYS.EXE) and the AMS2 Handler Manager Service (HNDLRSVC.EXE). The MSGSYS.EXE service on clients listens on TCP port 38292; it receives messages from the AMS server for the various alert actions and forwards them to the HNDLRSVC.EXE service, which performs the requested action.

A design weakness exists in Symantec AMS2. Specifically, the vulnerable service performs no authentication to verify the sender of alert actions. An unauthenticated remote attacker can exploit this vulnerability by sending a crafted packet to the MSGSYS.EXE service. Successful exploitation would allow the attacker to execute arbitrary commands with SYSTEM privileges.
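One network-level check that follows from this design, given here as an added example that is not code from Symantec or SonicWALL: because MSGSYS.EXE accepts alert messages on TCP 38292 without authenticating the sender, any connection to that port from a host other than the organisation's own AMS servers deserves a closer look. The log line format, the AMS server allowlist and the sample entries below are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Set

AMS2_PORT = 38292  # TCP port on which MSGSYS.EXE listens (from the advisory)

# Hypothetical allowlist: addresses of the legitimate AMS servers in this environment.
AMS_SERVERS = {"10.0.0.10"}

# Constructed sample firewall log lines (not from any real device).
SAMPLE_LOG = """\
2010-08-05T09:58:11 ALLOW TCP 10.0.0.10:49152 -> 10.0.5.21:38292
2010-08-05T09:59:02 ALLOW TCP 10.0.5.21:50234 -> 10.0.0.10:443
2010-08-05T10:01:47 ALLOW TCP 192.168.77.4:4444 -> 10.0.5.21:38292
2010-08-05T10:02:03 DENY TCP 172.16.9.9:53011 -> 10.0.5.22:38292
"""

# Matches the constructed format: "<timestamp> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    action: str  # DENY entries are kept too: a blocked attempt is still a signal


def find_unexpected_ams2_senders(log_text: str, allowed: Set[str] = AMS_SERVERS) -> List[Alert]:
    """Return one Alert per TCP connection to the AMS2 port whose source is not a known AMS server."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not follow the constructed format
        if m["proto"] != "TCP" or int(m["dport"]) != AMS2_PORT:
            continue  # only traffic to the MSGSYS.EXE listener is of interest
        if m["src"] in allowed:
            continue  # expected: the real AMS server talking to a client
        alerts.append(Alert(m["ts"], m["src"], m["dst"], m["action"]))
    return alerts


if __name__ == "__main__":
    for a in find_unexpected_ams2_senders(SAMPLE_LOG):
        print(f"{a.ts} {a.action}: {a.src} -> {a.dst}:{AMS2_PORT} is not a known AMS server")
```

Feeding the same logic a real export only requires adapting LINE_RE to the device's format; the allowlist comparison is what turns the missing authentication into a detectable condition.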

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 4815 Symantec AMS Intel Alert Handler Command Execution