Symantec VRTSweb Code Execution

January 8, 2010

Symantec VERITAS Web Server (VRTSweb) is a shared component shipped with multiple Symantec products. It provides the container that runs the Symantec web applications. VRTSweb is written in Java, and each web application is distributed as a WAR file.

VRTSweb listens on TCP port 14300 for administrative requests. Each request is an XML document whose root node is "Command"; the task is named in the root node's "command" attribute, and the remaining attributes depend on the command.

Requests are authenticated through the "authFile" attribute: the client names a file that resides in the VRTSweb runtime directory, and the request is accepted if that file is present. Anyone who knows what the runtime directory contains can therefore authenticate. One of the supported commands, startWebApp, requires the attributes "command", "authFile", "appName" and "installDir". A startWebApp request with installDir set to "c:\test.war" asks VRTSweb to unpack and start the web application located at that path.

Symantec VERITAS Web Server has a design weakness: administration requests sent to TCP port 14300 are insufficiently authenticated. Because the runtime directory contains a number of files with well-known names, the authentication of a startWebApp command is trivially bypassed. The ".heartbeat" file is particularly useful to an attacker because VRTSweb recreates it periodically, so it is reliably present. A remote attacker can therefore send a startWebApp request that names such a file and have the target unpack and start a web application of the attacker's choosing. That application runs with the privileges of the VRTSweb process.
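The Python script below is an added example, not code from Symantec or SonicWALL. It parses requests in the format the protocol description above implies, flags a startWebApp command that authenticates with a predictably present file such as ".heartbeat", and places the existence-based authFile check beside a hardened variant that also demands a secret stored inside the file. The exact XML attribute layout, the sample payload, the runtime directory it builds and the hardened check are all assumptions reconstructed from the prose; the detector illustrates the pattern and is not the SonicWALL signature.

```python
"""Added example (not Symantec's or SonicWALL's code): a small detector for VRTSweb
port-14300 commands plus a model of the existence-based authFile check the advisory
describes, beside a hardened variant. The XML attribute layout and the sample payloads
are assumptions reconstructed from the advisory's prose."""
import hmac
import os
import secrets
import tempfile
import xml.etree.ElementTree as ET

# Filenames the advisory says are predictably present in the VRTSweb runtime directory.
# Only ".heartbeat" is named on the page; extend this set from a real install.
KNOWN_RUNTIME_FILES = {".heartbeat"}

# Constructed payload in the assumed format: root node "Command", task in the "command"
# attribute, plus the four attributes startWebApp requires.
SAMPLE_ATTACK = (b'<Command command="startWebApp" authFile=".heartbeat" '
                 b'appName="evil" installDir="c:\\test.war"/>')


def parse_command(payload: bytes) -> dict:
    """Return the attributes of a port-14300 request, or raise if it is not a Command."""
    root = ET.fromstring(payload)
    if root.tag != "Command":
        raise ValueError("root node must be Command, got %r" % root.tag)
    return dict(root.attrib)


def classify(payload: bytes) -> str:
    """Signature-style verdict for one request seen on TCP/14300."""
    try:
        attrs = parse_command(payload)
    except (ET.ParseError, ValueError):
        return "malformed"
    if attrs.get("command") != "startWebApp":
        return "benign"
    auth_file = attrs.get("authFile", "")
    # A startWebApp that authenticates with a file anyone can predict is the attack
    # pattern from the advisory; any other startWebApp from the network still deserves review.
    if os.path.basename(auth_file) in KNOWN_RUNTIME_FILES:
        return "exploit_attempt"
    return "review"


def weak_authenticate(runtime_dir: str, auth_file: str) -> bool:
    """Models the check the advisory describes: the request passes if the named file exists."""
    return os.path.isfile(os.path.join(runtime_dir, auth_file))


def strong_authenticate(runtime_dir: str, auth_file: str, presented: str) -> bool:
    """Hardened variant (an assumption, not Symantec's fix): the named file must sit inside
    the runtime directory and hold a random secret the client must also present, so merely
    knowing that a file exists is no longer enough."""
    base = os.path.realpath(runtime_dir)
    path = os.path.realpath(os.path.join(base, auth_file))
    try:
        if os.path.commonpath([path, base]) != base:
            return False
        with open(path) as fh:
            stored = fh.read().strip()
    except (OSError, ValueError):
        return False
    if not stored or not presented:
        return False
    return hmac.compare_digest(stored, presented)


def demo() -> dict:
    """Stand up a throwaway runtime directory and show both checks side by side."""
    with tempfile.TemporaryDirectory() as runtime_dir:
        # VRTSweb recreates ".heartbeat" periodically, so it is reliably present (empty here).
        open(os.path.join(runtime_dir, ".heartbeat"), "w").close()
        token = secrets.token_hex(16)
        with open(os.path.join(runtime_dir, ".auth_token"), "w") as fh:
            fh.write(token)
        return {
            "verdict": classify(SAMPLE_ATTACK),
            "weak_accepts_heartbeat": weak_authenticate(runtime_dir, ".heartbeat"),
            "strong_rejects_heartbeat": not strong_authenticate(runtime_dir, ".heartbeat", ".heartbeat"),
            "strong_accepts_token": strong_authenticate(runtime_dir, ".auth_token", token),
        }


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the dictionary from `demo()`: the existence check accepts ".heartbeat" while the token-based check rejects it and only passes when the secret itself is presented, which is the property an existence-only scheme cannot provide.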

This vulnerability has been assigned CVE-2009-3027.

SonicWALL has released an IPS signature that detects and blocks exploitation attempts targeting this vulnerability. The signature is listed below:

  • 4699 Symantec VRTSweb Code Execution Attempt